Open-source scanner checks MCP servers before an AI agent connects
MCP Trust Checker is an open-source tool that scans MCP servers used by AI agents and gives them a trust grade from A to F. It runs locally without an account, internet connection, AI model, or API key, so each scan uses no paid AI tokens. It looks for , combinations of tools that could leak , dangerous command execution in source code, known security flaws, and other risks.
The same input always produces the same score, with the reason for every deduction, the problem location, supporting evidence, and a suggested fix. One command can discover servers configured in , Claude Code, Cursor, Windsurf, Continue, and VS Code; it can also inspect local code, s, and live s. A pin-and-compare feature records approved and warns when they later change without approval.
Teams can add the scanner to automated development checks and reject an MCP server below a chosen score or grade. The project reports 100% precision and recall on 64 labeled servers, but this is a small, project-maintained test set that still needs broader independent validation.
Key points
- One command discovers and scans MCP servers configured in several popular AI development tools.
- Local scans require no AI model, API key, or paid tokens.
- Checks cover , private-data leak paths, dangerous code execution, and silent tool changes.
- Reports include an A–F grade, evidence, problem locations, and suggested fixes.
- Automated checks can block servers that fall below a chosen score or grade.