The vendor-neutral MCP quality standard

Score the quality, security
and context-cost of your MCP servers.

One unified audit → an explainable MCP Score /100, with causal attribution (“why this score”) and actionable fixes. No registry required — just paste a URL.

try:

37+ MCP servers already scored · OWASP MCP Top 10 · official spec 2025-11-25 · open-source CLI (MIT)

30–50%

of context eaten by schema bloat — the #1 pain of 2026, that nobody scores + fixes.

7 pillars

security · tool design · schemas · reliability · context-cost · compliance · coverage.

OWASP MCP

tool poisoning, rug-pull, lethal-trifecta, exfiltration — detected and explained.

Beyond the score

Auditing flags the risk. The gateway stops it reaching your agent.

A score is a snapshot — production needs more. Catch runtime tool-poisoning, watch for rug-pulls, and gate every MCP call in real time. Hosted, or self-hosted in your own VPC.

runtime

Behavioral evals

We actually invoke read-only tools with canary inputs and inspect the responses for tool-output prompt-injection, exfiltration and secret leakage — what static analysis can’t see.

always-on

Continuous monitoring

Tracked servers are re-checked and behaviorally re-evaluated on drift. Tool-pinning catches rug-pulls; you get drift & score-threshold alerts via webhook.

enforce

In-band gateway

Put CheckMCP between your agent and the MCP server. Passive observes & logs; active blocks policy violations and strips injected/exfiltrating tool responses before your agent ever sees them.

Browse by category

all collections ›

Independently-audited rankings of the best and safest MCP servers by use case — and head-to-head comparisons.

Open methodology

How the MCP Score is computed

Six weighted pillars (reliability shown but not yet credited), hard floors (secret-in-schema → cap D, failed handshake → cap F), and a traceable attribution for every penalty.

Security

/20

Tool design

/18

Schemas / desc

/16

Reliability

/14

Context-cost

/12

Compliance

/12

Coverage

/8

Calibrated on the real MCP ecosystem · official spec 2025-11-25 · annotations, OAuth 2.1/PKCE, cursor pagination, JSON-RPC errors.

Answers

MCP security & auditing — FAQ

Common questions about checking, scoring and protecting Model Context Protocol servers.

What is an MCP Score?+
The MCP Score is a single, explainable 0–100 grade for the quality, security and context-cost of a Model Context Protocol (MCP) server. CheckMCP computes it from six weighted pillars — security, tool design, schemas, context-cost, compliance and coverage — plus reliability, which it measures and displays but does not yet weight into the score (single-shot latency is low-confidence), and attributes every penalty as measure → mechanism → effect → Δscore, so the score is auditable rather than a black box.
How do I check if an MCP server is safe?+
Paste the server's endpoint URL into checkmcp.dev, or run the CLI. CheckMCP probes the live server, runs an OWASP MCP Top 10 security pass — tool poisoning, hardcoded secrets, command injection, the lethal trifecta — and behaviorally evaluates read-only tools with canary inputs to catch prompt-injection or data exfiltration in tool responses. A secret found in a schema caps the grade at D; a failed handshake caps it at F.
How do I audit an MCP server from the command line?+
Install nothing and run: uvx audit-mcp https://your-mcp.example.com/mcp — it prints an MCP Score /100 with the causal reasons behind it. The CLI is open-source (MIT) and stdlib-only, and it also runs in CI via the GitHub Action (uses: H129hj/checkmcp@v1) to fail a build on a score regression or a rug-pull.
What does CheckMCP check for?+
Live protocol compliance (Streamable HTTP and legacy HTTP+SSE, protocol-version gap, JSON-RPC error conformance, OAuth 2.1 discovery), the OWASP MCP Top 10 security risks, tool-design sprawl, schema and description completeness, the token cost paid on every tools/list call, and coverage of all three MCP primitives (tools, resources, prompts). It also grades the backing repository as a separate Repo-Quality Score /100.
How is the MCP Score calculated?+
Six weighted pillars are scored against the real MCP ecosystem (percentile-calibrated — for example median ~7 tools, p95 ~42) — reliability is measured and shown as a seventh pillar but not yet credited — with hard floors: a secret in a schema caps the grade at D and a failed handshake caps it at F. The methodology is open and every deduction is traceable to a measurable cause.
Is CheckMCP free?+
Yes — auditing and the MCP Score are free, including the open-source CLI and the public directory. Paid Pro and Team plans add continuous monitoring, behavioral evals on demand, and the in-band gateway that blocks tool-poisoning at runtime.
Can I continuously monitor an MCP server for rug-pulls and tool drift?+
Yes. CheckMCP pins a fingerprint of each tracked server's tools and schemas, re-checks and behaviorally re-evaluates them on drift, and alerts you by webhook when a tool silently changes (a rug-pull) or the score crosses a threshold you set.
What are tool poisoning and the lethal trifecta?+
Tool poisoning is a malicious or compromised MCP tool whose description or output manipulates the agent — hidden instructions, data-exfiltration prompts, and the like. The lethal trifecta is the dangerous combination of an agent having access to private data, exposure to untrusted content, and the ability to communicate externally — the precondition for exfiltration. CheckMCP detects both statically and at runtime, and the in-band gateway strips injected or exfiltrating tool responses before your agent ever sees them.
Browse all MCP security & quality concepts ›