🔒 Open · reproducible · a badge for every score

Stars don't predict security.
We publish the evidence that does.

An open, reproducible security scorecard for the most-installed Model Context Protocol servers, graded A–F by Sentinel's engine at a pinned commit. Every finding links to a line of code, the rules are public, and each grade ships an embeddable badge you can re-run and verify yourself.

MCP security: grade AMCP securityAEmbed your grade. A badge that links back to the evidence — the part a scorecard is actually for. Here is stripe/agent-toolkit:[![MCP security: A](https://sentinel-engine-ggaj.onrender.com/registry/badge/stripe__agent-toolkit.svg)](https://sentinel-engine-ggaj.onrender.com/registry/stripe__agent-toolkit.html)
28servers graded at a pinned commit
26/28grade A — the popular leaders are well-built
7withheld — coverage gaps we name, not guess
Caught in the wild

The scanner earns its grades

The most-installed MCP servers are genuinely well-built — 26 of the 28 graded here earn an A, and an honest scorecard reports what it measures. The grades are earned, not given: below, a real SSRF finding the engine produced in one of them, alongside a disclosed CVE from exactly the class these rules exist to catch.

● REAL FINDING

microsoft/markitdown

Grade B · SSRF surface · matches a public disclosure (BlueRock, Jan 2026)

The convert_to_markdown(uri) tool passes a user-controlled URI straight to a local fetch with no allowlist. MCP-SSRF-USER-CONTROLLED-URL High (CWE-918) → caps the grade at B.

See the graded report →

● PUBLIC CVE

mcp-remote

CVE-2025-6514 · CVSS 9.6 Critical · v0.0.5–0.1.15

OS command injection (CWE-78): a crafted authorization_endpoint URL reaches a system shell — a disclosed example of the class MCP-SHELL-EXEC-SURFACE targets (CWE-78).

Source: NVD CVE-2025-6514. A client, not a server in this list — cited as class evidence.

The scorecard · the servers you actually use

Graded — ranked A→F

28 servers graded at a pinned commit, 24 findings cited to a line of code. Ranked by composite score. Click any row for the full report and its embeddable badge.

#ServerInstall proxy / wkListedGrade
1GLips/Figma-Context-MCP75,862mcp.so · pulsemcpA100
2apify/actors-mcp-server14,964mcp.so · pulsemcpA100
3cloudflare/mcp-server-cloudflare1,808mcp.so · pulsemcpA100
4e2b-dev/mcp-server4,079mcp.so · pulsemcpA100
5grafana/mcp-grafana3,220mcp.so · pulsemcpA100
6mendableai/firecrawl-mcp-server93,369mcp.so · pulsemcpA100
7modelcontextprotocol/servers-archived2,007official-servers-repoA100
8ppl-ai/modelcontextprotocol1,408mcp.so · pulsemcpA100
9pydantic/pydantic-ai18,280mcp.soA100
10qdrant/mcp-server-qdrant669,382mcp.so · pulsemcpA100
11stripe/agent-toolkit25,231mcp.so · pulsemcpA100
12supabase-community/supabase-mcp64,916mcp.so · pulsemcpA100
13tavily-ai/tavily-mcp28,489mcp.so · pulsemcpA100
14Flux159/mcp-server-kubernetes10,069mcp.so · pulsemcpA99
15mongodb-js/mongodb-mcp-server63,752mcp.so · pulsemcpA99
16redis/mcp-redis2,696mcp.so · pulsemcpA99
1721st-dev/magic-mcp13,350mcp.so · pulsemcpA98
18block/goose50,846mcp.soA98
19browserbase/mcp-server-browserbase1,754mcp.so · pulsemcpA98
20exa-labs/exa-mcp-server18,395mcp.so · pulsemcpA98
21getsentry/sentry-mcp85,444mcp.so · pulsemcpA98
22modelcontextprotocol/servers63,459official-servers-repo · mcp.soA98
23upstash/context7523,993mcp.so · pulsemcpA98
24sooperset/mcp-atlassian234,582mcp.so · pulsemcpA96
25github/github-mcp-server31,296mcp.so · pulsemcpA95
26chroma-core/chroma-mcp39,707mcp.so · pulsemcpA94
27microsoft/markitdown32,981mcp.so · pypiB94 · capped
28awslabs/mcp1,661mcp.so · pulsemcpB84 · capped
Coverage, honestly

Withheld — coverage pending

We never publish a grade we can't back. These 7 servers are withheld with a specific reason — a language or packaging our analysis does not yet cover, or a high-privilege local agent still in grading calibration. Naming the gap is the point.

ServerInstall proxy / wkStatusWhy withheld
executeautomation/mcp-playwright17,255coverage pendinghigh-privilege local agent (drives a local browser to arbitrary URLs / runs page JS) - grading calibration in progress
googleapis/genai-toolbox15,907coverage pendingtools are defined in user-supplied YAML config, not in source
makenotion/notion-mcp-server125,682coverage pendingtools are generated at runtime from an OpenAPI spec, not defined in source
microsoft/mcp3,429coverage pendingno analyzable MCP tool source at the pinned commit (docs/CLI repo, no source in a supported language)
microsoft/playwright-mcp5,999,263coverage pendingtool implementation ships in the playwright-core dependency (repo index.js is a shim) - not present at the pinned commit
oraios/serena26,227coverage pendinghigh-privilege local coding agent (shell + filesystem tools) - grading calibration in progress
wonderwhy-er/DesktopCommanderMCP43,397coverage pendinghigh-privilege local agent (terminal command execution) - grading calibration in progress
Run it yourself

Reproduce any grade on this page

The scanner is open source and fully deterministic: the same repo at the same commit produces the same grade, byte for byte. Prerequisites are the Rust toolchain and Git — the scan runs on your machine, and your code never leaves it.

# install - builds the open scanner from source (Rust toolchain + Git) cargo install --git https://github.com/anwen-labs/sentinel-mcp sentinel-mcp-cli # score any public MCP server repo, locally - code never leaves your machine git clone https://github.com/microsoft/markitdown && cd markitdown # pin the exact commit this scorecard scored... git checkout e144e0a2be95 # ...and reproduce the published grade (B, composite 94, __main__.py:21) sentinel-mcp . --server microsoft/markitdown

Swap in any owner/name and the pinned commit from its score page (or results/scores.json) to reproduce that grade instead.

Stars don't predict security — but they do help people find the scorecard. If this was useful, star anwen-labs/sentinel-mcp.

Methodology · open & reproducible

What we measure — and what we don't

Every score is open and reproducible: the rules are public, each scan pins a commit, and every finding carries a file:line evidence pointer. Re-run it, get the same grade.

In scope

Repo code at a pinned commit: tool-description injection, secret handling & exfiltration, egress/SSRF, permission scope vs. declared purpose, supply-chain provenance.

Coverage gate

No analyzable tool source at the pin → the grade is withheld, never guessed. Nine servers sit in that honest bucket today.

Out of scope

Unauthenticated exposure is a live-deployment property. We score code, not running endpoints.

Precision first

A finding requires a real tool-input path to a sink; a shell or fetch tool is weighed against its declared purpose — the top documented false-positive cause.

Run your own MCP server through the same engine

The registry is free research. Point the open scanner at your repo, or request a scan and we'll add it — same engine, same evidence-backed grade, your code never leaves your machine.

Request a scan →
Reproduce every number. The graded data set is published at results/registry.json; the rule catalog and scoring are in docs/METHODOLOGY.md. ruleset pack-mcp-core@0.1.0.