Open-source · MIT · runs 100% offline

Is that MCP server safe to connect to your data?

MCP Trust Checker is the local-first, deterministic MCP security scanner — it grades a Model Context Protocol server before you give it your files, tokens and conversations.

$npx mcptrustchecker
DeterministicNo accountNo API keySARIF + CINode ≥ 20
The one question millions of MCP users can't answer

“Is this MCP server safe to give access to my files, my tokens, and my conversations?”

An MCP server hands an AI assistant a set of tools. Those tool descriptions are read by the model, not by you — a perfect place to hide instructions. A single server that can read a file and make an HTTP request is already a data-exfiltration weapon. And a server can look harmless on day one, then silently redefine its tools after you approve it. MCP Trust Checker turns all of that into a transparent letter grade you can act on.

The algorithm · Capability-Flow Trust Model

How the MCP security scan works: nine deterministic stages.

The Capability-Flow Trust Model is an original methodology designed from scratch for MCP — not a wrapper around any existing scanner. It scores a server the way an attacker reasons about it: a normalized surface reduced to the roles each tool can actually play, wired into a cross-tool toxic-flow graph. When the source is available, it also reads the implementation — grading what the code does, not just what the tools claim. No LLM in the loop. No telemetry. Same input ⇒ byte-identical score.

STAGE 0

Safe acquisition

Allow-listed bare-name command, scrubbed env, timeouts, SSRF guard. Live stdio / HTTP / package — sandboxed.

STAGE 1

Unicode integrity

Decodes Tags-block & variation-selector payloads; BiDi, zero-width, homoglyph, ANSI-escape.

STAGE 2

Injection heuristics

Tool-poisoning, line-jumping, shadowing, secrecy, exfil-shaped params, embedded secrets.

STAGE 3

Capability extraction

Tags every tool by behavior — untrusted-input, sensitive-source, sink, exec, write — never from annotations.

STAGE 4 FLAGSHIP

Toxic-flow graph ★

The lethal trifecta across tools and the client's built-ins — the shape behind real MCP exfiltration exploits.

STAGE 5

Supply-chain

Typosquat / combosquat / homoglyph, install-scripts, provenance, unpinned auto-update, dep squats.

STAGE 6

Transport posture

stdio-RCE, plaintext HTTP, 0.0.0.0 bind, DNS-rebinding, known-CVE version matcher.

STAGE 7

Rug-pull integrity

SHA-256 pin of the full schema → a confirmed finding + per-tool diff on any post-approval drift.

STAGE 8

Deterministic scoring

Fixed penalty vectors, diminishing returns, per-category caps, weakest-link hard gates → 0–100.

The flagship: cross-tool toxic-flow analysis ★

The most dangerous MCP failures aren't one bad tool — they're an innocent combination. Give an agent untrusted content, sensitive data, and a way to communicate externally, and you have an exfiltration primitive.

MCP Trust Checker derives each tool's roles from behavior and checks whether all three are co-reachable across every tool, every server, and optionally the client's own built-ins. One tool holding all three → critical, confirmed; the roles spread across tools → critical, strong — never overclaiming.

UNTRUSTEDINPUT SENSITIVESOURCE EXTERNALSINK ▲ LETHAL TRIFECTA exfiltration primitive proven statically
Two axes · Trust vs. Capability

The MCP Trust Score separates “powerful” from “malicious.”

A web scraper legitimately needs to fetch untrusted pages and act on them — that's a large blast radius, not evidence it's a bad actor. So MCP Trust Checker never collapses every capable server into “F”. It reports two independent things.

Axis 1 — the grade

Trust · A–F

Driven only by threat signals: concealed prompt-injection, embedded secrets, Unicode smuggling, typosquatting, known CVEs, rug-pull drift, annotation lies, a tool built as an exfil primitive.

“Any sign this server is malicious or negligent?”

Axis 2 — the blast radius

Capability · Minimal → Critical

Driven by what the server can do: code execution, filesystem writes, network egress, the cross-tool toxic-flow surface. A fact to size access against — not a mark against the server.

“How much damage if the model driving it is manipulated?”

ServerTrustCapabilityRead
firecrawlB 81CRITICALtrustworthy, huge blast radius — grant carefully
poisoned-serverFHIGHactual malice signals — avoid
memoryA 100MINIMALsafe and low-power
MCP attack coverage

Every known MCP attack technique — tool poisoning to rug pulls — in one offline scan.

It covers the full catalog of known MCP attack techniques in one local pass — tool-poisoning, Unicode smuggling, supply-chain risk and cross-tool toxic flows — plus the flow graph, the decoder, the integrity pin, a known-CVE vulnerability matcher and an auditable score on top. And when the package source is available (scan ./path), it reads the implementation itself: eval/shell sinks, hardcoded egress, obfuscated payloads, credential reads, embedded secrets.

175+
real MCP servers battle-tested
0
scanner crashes, ever
37
attack techniques covered
200+
automated tests passing
74
deterministic rules
Capability
MCP Trust Checker
Runs fully offline — no account / token / key
Deterministic — same input ⇒ same score
Cross-tool toxic-flow graph
Decodes hidden Unicode payloads
Reads the implementation source — sinks in the code, not just metadata
Measured accuracy on a labeled benchmark, gated in CI
Auditable score with a published vector
SARIF + GitHub Action + CI gates
Embeddable library (marketplace reuse) · MIT
Auditable by construction

How the Trust Score is calculated: every point is a reproducible penalty vector.

The MCP Trust Score uses fixed severity weights, a confidence multiplier, diminishing returns, per-category caps and weakest-link gates. No LLM, no randomness. Same methodology version + same target ⇒ byte-identical score.

TrustScore = clamp( 100 − Σ min(cap, Σ penalty), 0, 100 ) penalty = severity × confidence × diminishing (threat findings only — capability rules never lower the grade)
confirmed critical → F any critical → ≤ D confirmed high → ≤ C · two → ≤ D bands: A 90 · B 80 · C 70 · D 60
Severity
Weight
Confidence
×
Critical
45
Confirmed
1.0
High
22
Strong
0.7
Medium
9
Heuristic
0.4
Low
3
Speculative
0.2
For marketplaces & platforms

Embed the same MCP audit engine users can read on GitHub.

MCP Trust Checker is a library first. A marketplace can vet every listed server with the identical, versioned open-source engine — so “we run unique security checks on every MCP server” becomes a verifiable claim, not marketing.

app.ts — same scanSurface() as the CLI
// one import — no service, no network, deterministic
import { scanSurface } from 'mcptrustchecker';

const report = await scanSurface(surface);
if (['D', 'F'].includes(report.score.grade)
    || report.capabilityProfile.level === 'critical') {
  flagForReview(report.score.vector);  // full itemized penalty vector
}
FAQ · MCP server security

MCP server security, answered.

What is an MCP security scanner?

An MCP security scanner inspects Model Context Protocol servers — the tools they expose to an AI assistant — for prompt injection, tool poisoning, hidden Unicode instructions, supply-chain risk and data-exfiltration flows, before you connect the server to your data. MCP Trust Checker does this fully offline and returns an auditable A–F Trust Score.

How do I scan an MCP server for security issues?

Run npx mcptrustchecker to scan every MCP server you already have configured, or npx mcptrustchecker scan ./path to run a security check on a specific server or package. You get a 0–100 Trust Score, an A–F grade, per-finding evidence, and JSON or SARIF output for CI.

How do I know if an MCP server is safe to install?

Check four things before connecting: hidden instructions in tool descriptions (tool poisoning), whether its tools combine untrusted input, sensitive data and network egress (the lethal trifecta), supply-chain red flags in the package, and whether the tool surface can change after approval (a rug pull). MCP Trust Checker automates all four and returns one trust grade.

What is tool poisoning in MCP?

Tool poisoning hides malicious instructions inside an MCP tool’s description or parameters. The model reads those descriptions as context — the human never sees them — so a poisoned tool can quietly tell the assistant to read your SSH keys or exfiltrate files. MCP Trust Checker detects poisoned descriptions, decodes hidden Unicode payloads, and flags exfil-shaped parameters.

What is a toxic flow or lethal trifecta in MCP?

A lethal trifecta is when an agent session simultaneously has exposure to untrusted content, access to sensitive data, and a way to communicate externally. That combination is a data-exfiltration primitive. MCP Trust Checker’s cross-tool toxic-flow graph proves this primitive exists statically — across multiple tools, not just one.

What is an MCP rug pull?

A rug pull is when an MCP server behaves honestly at approval time, then silently redefines its tools later. MCP Trust Checker pins the full tool schema with SHA-256 and reports any post-approval drift as a confirmed finding with a per-tool diff.

Is MCP Trust Checker free and open source?

Yes. MCP Trust Checker is MIT-licensed, free and open source. Run it with npx mcptrustchecker. No account, no API key, and it never sends your data anywhere — the entire scan runs locally.

Can I run MCP Trust Checker in CI or as a GitHub Action?

Yes. The scanner emits SARIF for code-scanning dashboards and ships a GitHub Action, so you can gate pull requests on the trust grade — for example, fail the build on any grade below B or on a critical toxic-flow finding.

What makes MCP Trust Checker’s algorithm unique?

MCP Trust Checker is built on the Capability-Flow Trust Model — an original methodology designed from scratch for MCP, not a wrapper around any existing scanner. It derives every tool’s behavioral roles, wires them into a cross-tool toxic-flow graph to prove exfiltration primitives statically, reads the server’s implementation source when available, and produces a deterministic, auditable 0–100 Trust Score — fully offline, with no LLM in the loop.

Scan every MCP server
you already have in one command.

Offline. Deterministic. Point it at your Claude Desktop, Claude Code or Cursor config and it audits every server inside — no account, no API key, no data leaves your machine.

$npx mcptrustchecker