← MCP Scorecard / modelcontextprotocol/servers
APass

modelcontextprotocol/servers

composite 98 / 100 · pinned commit d31124c98240 · ruleset pack-mcp-core@0.1.0 · 63,459/wk
Tool-description injection w20100
Credential / secret handling w20100
Network egress / SSRF w20100
Permission scope vs declared w2590
Supply-chain provenance w15100

Findings

Each finding names the rule it triggered, what that rule means, its CWE reference, and the line of code it points at. An observed code path, published as a flow, never as intent.

Medium  MCP-CORS-WILDCARD

CORS allows any origin

src/everything/transports/sse.ts:12

Embed this grade

MCP security: grade AMCP securityA
Grade A — Pass
[![MCP security: A](https://sentinel-engine-ggaj.onrender.com/registry/badge/modelcontextprotocol__servers.svg)](https://sentinel-engine-ggaj.onrender.com/registry/modelcontextprotocol__servers.html)

🔁 Verify it yourself: clone modelcontextprotocol/servers at d31124c98240 and run the open scanner (anwen-labs/sentinel-mcp, ruleset pack-mcp-core@0.1.0). Same input → same grade, every time.