| Check ID | Name | Description |
|---|---|---|
| type.detection | Server Type | Classifies the server as package manager, container, binary, script, or HTTP. All other checks depend on its output. |
| universal.command_sanitization | Command Safety | Detects dangerous patterns in command and args: privilege escalation, shell injection, network downloads, dynamic code execution, and temp path usage. |
| universal.credential_detection | Credentials | Finds plaintext credentials in args, URLs, and environment variables — AWS keys, GitHub/Stripe/Anthropic/OpenAI tokens, JWTs, URL credentials, and sensitive env var names. |
| universal.registry.verification | Registry Listing | Checks whether the server is listed in the official MCP Registry. |
| universal.github.trust | GitHub Trust | Evaluates trust signals — archived status, last activity, license, stars, contributor count. Cross-validates repo URLs across sources. |
| universal.tool_description_injection | Tool Description Injection | Analyzes tool descriptions and input schemas for prompt injection patterns: prompt overrides, data exfiltration, cross-tool manipulation, obfuscation. Platform only. |
| universal.description_change | Description Change Detection | Trust-on-first-use (TOFU) system that baselines tool description hashes and flags changes on subsequent scans to detect rug-pull attacks. Platform only. |
| script.location | Script Location | Flags scripts running from unsafe locations like /tmp or home directories. |
| script.permissions | Script Permissions | Detects world-writable scripts. |
| binary.location | Binary Location | Evaluates binary path safety — system paths, /opt, home dirs, temp dirs, and unknown locations. |
| binary.permissions | Binary Permissions | Detects world-writable or group-writable binaries. |
| container.isolation | Container Isolation | Flags --privileged mode, dangerous capabilities (SYS_ADMIN), host namespace sharing, missing --cap-drop, and writable filesystems. |
| container.volumes | Container Volumes | Flags dangerous volume mounts — root filesystem, /etc, Docker socket, SSH keys, cloud credentials, and kube config. |
| container.image | Container Image | Checks whether images use digest pinning (@sha256:) vs. mutable tags. Looks for Sigstore attestations. |
| container.registry.existence | Container Registry | Verifies the container image exists in its OCI registry. Flags digest mismatches as possible tampering. |
| container.registry.signature | Container Signature | Checks whether the image has a cosign signature with keyless/Fulcio certificates. |
| package.vulnerability | Vulnerabilities | Queries OSV.dev for known CVEs and malware in npm/PyPI packages. Severity mapped from CVSS score. |
| package.typosquatting | Typosquatting | Detects similarly-named packages that could indicate a typosquatting attack. |
| package.distribution | Distribution | Evaluates package adoption — download counts and package age. |
| package.repository | Source Repository | Checks whether the package links to a source repository. Cross-checks npm, PyPI, deps.dev, and MCP Registry. |
| package.unscoped_variant | Unscoped Variant | For scoped npm packages (@scope/pkg): checks if the unscoped variant has known malware or vulnerabilities. |
| package.sandbox.analysis | Sandbox Analysis | Executes server source code in an isolated cloud sandbox. Analyzes dependencies, external domains, secrets, and overall risk profile. Platform only. |
| package.sandbox.secrets | Sandbox Secrets | Surfaces credentials found in source code during sandbox analysis. Platform only. |
| package.sandbox.dependencies | Sandbox Dependencies | Reports the dependency count discovered during sandbox analysis. Platform only. |
| package.sandbox.external_communication | External Communication | Detects external domains the server communicates with. Compares against an allowlist of expected registries. Platform only. |
| capability.server_analysis | Server Capability Analysis | Sends all server capabilities (tools, prompts, resources) for holistic risk assessment. Produces per-tool assessments and seven risk category findings. Platform only. |
| capability.destructive_tools | Destructive Tools | Tools that can delete, destroy, or corrupt data. Platform only. |
| capability.open_world_access | Open World Access | Tools with unrestricted external access. Platform only. |
| capability.sensitive_data | Sensitive Data Access | Tools accessing credentials, PII, or financial data. Platform only. |
| capability.code_execution | Code Execution | Tools executing arbitrary code or shell commands. Platform only. |
| capability.write_operations | Write Operations | Non-idempotent state changes. Platform only. |
| capability.broad_scope | Broad Scope | Over-privileged tools with excessively wide permissions. Platform only. |
| capability.toxic_combinations | Toxic Combinations | Dangerous combinations of capabilities (e.g., read secrets + external network access). Platform only. |
| gateway.assignment | Gateway Assignment | Verifies whether HTTP/SSE servers are routed through a Golf Gateway. Platform only. |
| runtime.environment | Runtime Environment | Surfaces runtime probe metadata — credential requirements, transport type, protocol version, and server info. Platform only. |
| http.oauth | OAuth | For public HTTP/SSE servers: discovers OAuth/OIDC configuration. Flags missing authentication and HTTP-only endpoints. |
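The trust-on-first-use mechanism behind the `universal.description_change` check is easiest to understand from a small implementation. The block below is an added example, not code from this page or from the scanner it documents: it fingerprints each tool's name, description and input schema with SHA-256 over canonical JSON, stores those hashes on the first scan, and on a later scan reports tools that were added, removed, or whose definition drifted. The tool dictionaries follow the shape of an MCP `tools/list` response (`name`, `description`, `inputSchema`); the sample tool definitions are constructed for the demonstration, and the function names (`tool_fingerprint`, `baseline`, `compare`, `scan_example`) are this example's own, not the scanner's API.

```python
"""Added example: trust-on-first-use (TOFU) detection of MCP tool description changes."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


def tool_fingerprint(tool: dict) -> str:
    """Hash the parts of a tool definition the model acts on: name, description, input schema.

    Canonical JSON (sorted keys, fixed separators, ASCII-only) means that key order,
    whitespace or encoding differences between scans never produce a false "changed".
    """
    canonical = json.dumps(
        {
            "name": tool.get("name", ""),
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True, separators=(",", ":"), ensure_ascii=True,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def baseline(tools: list[dict]) -> dict[str, str]:
    """First scan: one fingerprint per tool name. A real scanner persists this between runs."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


@dataclass
class Drift:
    """Result of comparing a later scan against the stored baseline."""
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    changed: list[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def compare(stored: dict[str, str], tools: list[dict]) -> Drift:
    """Subsequent scan: diff current fingerprints against the baseline, name by name."""
    current = baseline(tools)
    drift = Drift()
    for name in sorted(set(stored) | set(current)):
        if name not in stored:
            drift.added.append(name)          # tool that did not exist at baseline time
        elif name not in current:
            drift.removed.append(name)        # tool that disappeared
        elif stored[name] != current[name]:
            drift.changed.append(name)        # same name, different definition: rug-pull candidate
    return drift


# Constructed sample: what the server advertised on the first (trusted) scan.
BASELINE_TOOLS = [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]}},
    {"name": "search", "description": "Search the workspace for a string.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
]

# Constructed sample: the same server on a later scan. read_file's description drifted,
# search is byte-for-byte equivalent but with keys in a different order (must not be flagged),
# and a new tool appeared.
LATER_TOOLS = [
    {"name": "read_file", "description": "Read any file on the host.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]}},
    {"name": "search",
     "inputSchema": {"properties": {"query": {"type": "string"}}, "type": "object"},
     "description": "Search the workspace for a string."},
    {"name": "export_workspace", "description": "Archive the workspace to a remote location.",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
]


def scan_example() -> Drift:
    """Run the two constructed scans through the TOFU comparison."""
    stored = baseline(BASELINE_TOOLS)   # what the first scan would have persisted
    return compare(stored, LATER_TOOLS)


if __name__ == "__main__":
    d = scan_example()
    print("added:", d.added, "removed:", d.removed, "changed:", d.changed)
```

Two design points carry over to any real implementation: the fingerprint must cover the input schema as well as the description, because a schema change (a new parameter the model is told to fill) is just as actionable as a changed description, and the hash must be over a canonical serialization, otherwise harmless re-serialization by the server produces alert noise that trains operators to ignore the check.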