I scanned 10 MCP servers – here's what agents can't know before connecting A new tool called mcp-trustcard scans Model Context Protocol (MCP) servers before agents connect, grading them on installability, protocol compliance, tool schema validity, destructive capabilities, authentication, secret exposure, and latency. The project aims to improve security and quality verification in the rapidly growing MCP ecosystem, where clients currently connect blind to servers that may have exploitable weaknesses. The "npm audit" for MCP servers. A trust card for every Model Context Protocol server — before you connect. Every day, agents connect to MCP servers they've never met. They don't know whether the server installs, whether it speaks the current protocol, whether its tool schemas are valid, whether it exposes destructive tools, or whether it leaks secrets — until something breaks or something leaks. mcp-trustcard gives every MCP server a public trust card in one command: npx mcp-trustcard @modelcontextprotocol/server-github MCP Trustcard: github-mcp-server @modelcontextprotocol/server-github ──────────────────────────────────────────────────────────────────────── Installability PASS @modelcontextprotocol/server-github@2025.4.8 Protocol handshake PASS github-mcp-server 0.6.2 · 717ms Tool schema validity PASS 26 tools, all schemas valid Destructive capabilities PASS no destructive verbs; 11 write/exec tool s Authentication PASS no auth required to list tools Secret exposure UNKNOWN no secrets seen in this run single probe Protocol version WARN negotiated 2024-11-05 latest is 2025-06-18 Latency & failure rate PASS 1ms avg, 0% failure ──────────────────────────────────────────────────────────────────────── Score 86/100 The MCP registry is growing fast. Security and quality verification are not. Recent research has found widespread exploitable weaknesses across MCP servers — tool poisoning, prompt injection via tool descriptions, shadowing, and secret leakage. Clients currently connect blind. This project is a public ranking surface . If maintainers argue with a score, that's traction. If they ask how to improve, that's a product. If teams want private scanning, that's a company. | Check | Pts | What it probes | |---|---|---| | Installability | 15 | Does the package resolve and install from npm? | | Protocol handshake | 25 | Does it respond to initialize over stdio JSON-RPC? | | Tool schema validity | 15 | Are tools/list schemas well-formed JSON Schema? | | Destructive capabilities | 10 | Does it expose delete/drop/kill/overwrite tools? | | Authentication | 10 | Is auth required, absent, or unknown? | | Secret exposure | 10 | Do tool descriptions or errors leak secret-shaped strings? | | Protocol version | 10 | Does it negotiate the latest protocol version? | | Latency & failure rate | 5 | Handshake latency + 3-ping failure rate | Each check returns PASS / WARN / FAIL / UNKNOWN and a partial-credit score. The total is the headline number. Scanned 2026-07-14. Servers are probed as a naive client — npx -y