{"slug": "how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie", "title": "How to find safe MCP servers for your AI coding assistant (and why most directories lie)", "summary": "A developer built MarketNow, an MCP marketplace that audits every server for malware and security risks, after discovering that most MCP directories do not actually audit the servers they list. The platform uses eight audit layers, including scanning for executables, scripts, and known malware families, and provides a Sentinel security score for each server. The developer warns that a typosquatting repo recently slipped a Windows trojan into a competing directory via a fake download badge.", "body_md": "If you use Claude Desktop, Cursor, Cline, or Continue, you've probably installed MCP servers from a \"curated list\" or directory. Here's the uncomfortable truth: most of those directories don't actually audit the servers they list. They're curated lists, not security audits.\n\nI built an MCP marketplace that actually audits every server. Here's what I learned about MCP security — and how you can protect yourself.\n\nMost \"awesome-mcp-servers\" lists work like this:\n\nThis means:\n\n**This actually happened.** Two weeks ago, a typosquatting repo (`JuanquiFortuny/prospector-mcp-email-finder`\n\n) slipped a Windows trojan (`Trojan:Win64/Lazy.PGPK!MTB`\n\n) into a competing MCP directory via a fake \"Download Latest Release\" badge.\n\nAt [MarketNow](https://marketnow.site), every MCP server goes through 8 audit layers before entering the catalog:\n\nOpens the actual package zip (recursively — zips inside zips) and scans for:\n\n`.exe`\n\n, `.dll`\n\n, `.scr`\n\n)`.bat`\n\n, `.cmd`\n\n, `.vbs`\n\n, `.ps1`\n\n)17 YARA-equivalent rules for known malware families: Emotet, Cobalt Strike, Mimikatz, RedLine, Vidar, Raccoon, LummaC2, AsyncRAT, njRAT, Remcos, and more.\n\nWhen you browse [marketnow.site](https://marketnow.site), every skill has:\n\nGo to [marketnow.site](https://marketnow.site), search for what you need, check the Sentinel score, and copy the install command.\n\nAdd MarketNow as an MCP server in your assistant:\n\n```\n{\n  \"mcpServers\": {\n    \"marketnow\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"marketnow-mcp\"]\n    }\n  }\n}\n```\n\nNow you can ask Claude/Cursor/Cline: \"Find me a filesystem MCP server with a high security score\" — and it'll search MarketNow, filter by Sentinel score, and return only audited servers.\n\n```\n# Search for skills\ncurl \"https://marketnow.site/api/search?q=filesystem\" | jq\n\n# Get a skill's security certificate\ncurl \"https://marketnow.site/api/audit-skill?skillId=mn-mcp-filesystem\" | jq\n```\n\nFor agent-to-agent trust, we also built **ATC (Agent Trust Card)** — SSL certificates for AI agents:\n\n```\n# Verify any agent's trust card\ncurl \"https://marketnow.site/api/atc?action=verify&card_id=ATC-2026-XXXXXXX\"\n```\n\nReturns: valid/invalid, Sentinel score, risk level, signature verification, revocation status.\n\n`marketnow.site/verify`\n\nbefore trusting a skill.MCP is becoming the standard for how AI assistants call external tools. But the trust infrastructure doesn't exist yet. Anyone can publish an MCP server, and most directories don't check anything.\n\nMarketNow is trying to fix this: every server audited, every certificate signed, every incident public. The marketplace is free. The security infrastructure is the product.\n\n**Try it:** [https://marketnow.site](https://marketnow.site)\n\n**Install:** `npx -y marketnow-mcp`\n\n**GitHub:** [https://github.com/edgarfloresguerra2011-a11y/marketnow](https://github.com/edgarfloresguerra2011-a11y/marketnow)\n\n— *Edison Flores, AliceLabs LLC*", "url": "https://wpnews.pro/news/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie", "canonical_source": "https://dev.to/edison_flores_6d2cd381b13/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-directories-lie-3967", "published_at": "2026-07-18 03:27:34+00:00", "updated_at": "2026-07-18 04:28:00.319383+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "developer-tools", "ai-agents", "ai-infrastructure"], "entities": ["MarketNow", "Edison Flores", "AliceLabs LLC", "Claude Desktop", "Cursor", "Cline", "Continue", "JuanquiFortuny"], "alternates": {"html": "https://wpnews.pro/news/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie", "markdown": "https://wpnews.pro/news/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie.md", "text": "https://wpnews.pro/news/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie.txt", "jsonld": "https://wpnews.pro/news/how-to-find-safe-mcp-servers-for-your-ai-coding-assistant-and-why-most-lie.jsonld"}}