# Security Checks

> Complete reference for all 36 security checks run by Golf Inventory

Golf Inventory runs 36 security checks against each MCP server. This is a superset of the [20 checks](/scanner/security-checks) in the OSS Scanner, with 16 additional platform-specific checks.

| Check ID                                 | Name                         | Description                                                                                                                                                                 |
| ---------------------------------------- | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `type.detection`                         | Server Type                  | Classifies the server as package manager, container, binary, script, or HTTP. All other checks depend on its output.                                                        |
| `universal.command_sanitization`         | Command Safety               | Detects dangerous patterns in command and args: privilege escalation, shell injection, network downloads, dynamic code execution, and temp path usage.                      |
| `universal.credential_detection`         | Credentials                  | Finds plaintext credentials in args, URLs, and environment variables — AWS keys, GitHub/Stripe/Anthropic/OpenAI tokens, JWTs, URL credentials, and sensitive env var names. |
| `universal.registry.verification`        | Registry Listing             | Checks whether the server is listed in the official MCP Registry.                                                                                                           |
| `universal.github.trust`                 | GitHub Trust                 | Evaluates trust signals — archived status, last activity, license, stars, contributor count. Cross-validates repo URLs across sources.                                      |
| `universal.tool_description_injection`   | Tool Description Injection   | Analyzes tool descriptions and input schemas for prompt injection patterns: prompt overrides, data exfiltration, cross-tool manipulation, obfuscation. **Platform only.**   |
| `universal.description_change`           | Description Change Detection | Trust-on-first-use (TOFU) system that baselines tool description hashes and flags changes on subsequent scans to detect rug-pull attacks. **Platform only.**                |
| `script.location`                        | Script Location              | Flags scripts running from unsafe locations like `/tmp` or home directories.                                                                                                |
| `script.permissions`                     | Script Permissions           | Detects world-writable scripts.                                                                                                                                             |
| `binary.location`                        | Binary Location              | Evaluates binary path safety — system paths, `/opt`, home dirs, temp dirs, and unknown locations.                                                                           |
| `binary.permissions`                     | Binary Permissions           | Detects world-writable or group-writable binaries.                                                                                                                          |
| `container.isolation`                    | Container Isolation          | Flags `--privileged` mode, dangerous capabilities (`SYS_ADMIN`), host namespace sharing, missing `--cap-drop`, and writable filesystems.                                    |
| `container.volumes`                      | Container Volumes            | Flags dangerous volume mounts — root filesystem, `/etc`, Docker socket, SSH keys, cloud credentials, and kube config.                                                       |
| `container.image`                        | Container Image              | Checks whether images use digest pinning (`@sha256:`) vs mutable tags. Looks for Sigstore attestations.                                                                     |
| `container.registry.existence`           | Container Registry           | Verifies the container image exists in its OCI registry. Flags digest mismatches as possible tampering.                                                                     |
| `container.registry.signature`           | Container Signature          | Checks whether the image has a cosign signature with keyless/Fulcio certificates.                                                                                           |
| `package.vulnerability`                  | Vulnerabilities              | Queries OSV.dev for known CVEs and malware in npm/PyPI packages. Severity mapped from CVSS score.                                                                           |
| `package.typosquatting`                  | Typosquatting                | Detects similarly-named packages that could indicate a typosquatting attack.                                                                                                |
| `package.distribution`                   | Distribution                 | Evaluates package adoption — download counts and package age.                                                                                                               |
| `package.repository`                     | Source Repository            | Checks whether the package links to a source repository. Cross-checks npm, PyPI, deps.dev, and MCP Registry.                                                                |
| `package.unscoped_variant`               | Unscoped Variant             | For scoped npm packages (`@scope/pkg`): checks if the unscoped variant has known malware or vulnerabilities.                                                                |
| `package.sandbox.analysis`               | Sandbox Analysis             | Executes server source code in an isolated cloud sandbox. Analyzes dependencies, external domains, secrets, and overall risk profile. **Platform only.**                    |
| `package.sandbox.secrets`                | Sandbox Secrets              | Surfaces credentials found in source code during sandbox analysis. **Platform only.**                                                                                       |
| `package.sandbox.dependencies`           | Sandbox Dependencies         | Reports the dependency count discovered during sandbox analysis. **Platform only.**                                                                                         |
| `package.sandbox.external_communication` | External Communication       | Detects external domains the server communicates with. Compares against an allowlist of expected registries. **Platform only.**                                             |
| `capability.server_analysis`             | Server Capability Analysis   | Sends all server capabilities (tools, prompts, resources) for holistic risk assessment. Produces per-tool assessments and seven risk category findings. **Platform only.**  |
| `capability.destructive_tools`           | Destructive Tools            | Tools that can delete, destroy, or corrupt data. **Platform only.**                                                                                                         |
| `capability.open_world_access`           | Open World Access            | Tools with unrestricted external access. **Platform only.**                                                                                                                 |
| `capability.sensitive_data`              | Sensitive Data Access        | Tools accessing credentials, PII, or financial data. **Platform only.**                                                                                                     |
| `capability.code_execution`              | Code Execution               | Tools executing arbitrary code or shell commands. **Platform only.**                                                                                                        |
| `capability.write_operations`            | Write Operations             | Non-idempotent state changes. **Platform only.**                                                                                                                            |
| `capability.broad_scope`                 | Broad Scope                  | Over-privileged tools with excessively wide permissions. **Platform only.**                                                                                                 |
| `capability.toxic_combinations`          | Toxic Combinations           | Dangerous combinations of capabilities (e.g., read secrets + external network access). **Platform only.**                                                                   |
| `gateway.assignment`                     | Gateway Assignment           | Verifies whether HTTP/SSE servers are routed through a Golf Gateway. **Platform only.**                                                                                     |
| `runtime.environment`                    | Runtime Environment          | Surfaces runtime probe metadata — credential requirements, transport type, protocol version, and server info. **Platform only.**                                            |
| `http.oauth`                             | OAuth                        | For public HTTP/SSE servers: discovers OAuth/OIDC configuration. Flags missing authentication and HTTP-only endpoints.                                                      |

The 20 checks not marked **Platform only** are identical to those in the [OSS Scanner](/scanner/security-checks). See [Scanner Security Checks](/scanner/security-checks) for detailed checklist IDs and severity breakdowns.
