Every MCPpedia Score is computed from real, verifiable data. No manual overrides. Full transparency.
Heaviest weight because security is what developers worry about most. Nine checks across CVEs, tool poisoning, injection vectors, and more.
| Check | What We Look For | Max |
|---|---|---|
| Known CVEs | Open vulnerabilities from OSV.dev. Critical/high: -5 each, medium: -3, low: -1. | 15 |
| Tool poisoning | Hidden instruction tags, concealment language, cross-tool manipulation, sensitive file exfiltration, unicode obfuscation, suspicious parameters, schema poisoning. | 5 |
| Tool safety | Dangerous patterns: code execution, filesystem writes, raw SQL, side effects. Auth mitigates risk. | 3 |
| Injection vectors | Permissive descriptions ("execute any"), bypass language ("ignore previous"), system command shadowing, unconstrained exec input. | 3 |
| Dependency health | Package exists on deps.dev, has dependents, recently updated, not bloated. | 3 |
| License | Has a valid open-source license. | 3 |
| Authentication | Bonus for requiring authentication. | 2 |
| Repository signals | Archived repos penalized, MCPpedia-verified repos rewarded. | 2 |
| Tool stability | Hash of tool definitions compared between scans to detect silent mutations (rug pulls). | 1 |
CVE data is refreshed daily via OSV.dev. Tool poisoning detection scans tool descriptions, parameter names, defaults, enum values, and schema structure — not just top-level descriptions.
Tool poisoning is the most MCP-specific attack class. Malicious instructions are embedded in tool metadata that the AI follows but users never see. We scan for:
Every pattern is tuned to minimize false positives — e.g. "send to" alone doesn't trigger, but "read ~/.ssh/id_rsa and pass content as parameter" does. Patterns are tested against 25+ real attack payloads and 26+ legitimate tool descriptions.
Is this server actively developed? Will bugs get fixed?
| Signal | Source | Points |
|---|---|---|
| Commit in last 7 days | GitHub API (pushed_at) | +12 |
| Commit in last 30 days | GitHub API | +10 |
| Commit in last 90 days | GitHub API | +7 |
| 5,000+ GitHub stars | GitHub API | +5 |
| 10,000+ weekly npm downloads | npm registry API | +5 |
| 100+ open issues | GitHub API | -2 |
| Archived repository | GitHub API | -10 |
| MCPpedia verified | Manual review | +3 |
GitHub and npm data is refreshed daily.
How much of your AI's context window does this server consume?
| Total Tool Token Cost | Grade | Points |
|---|---|---|
| ≤ 500 tokens | A | 20 |
| ≤ 1,500 tokens | B | 16 |
| ≤ 4,000 tokens | C | 12 |
| ≤ 8,000 tokens | D | 6 |
| > 8,000 tokens | F | 2 |
Token cost is measured by serializing each tool's name, description, and input schema to JSON and dividing by ~3.5 characters per token. This is the actual context cost when a client loads the server.
Can a developer actually set this up without guessing?
| Signal | How We Check | Points |
|---|---|---|
| All tools have descriptions | Check description.length > 10 | +5 |
| Tools have input schemas | Check schema has properties | +3 |
| Install configs provided | Check install_configs non-empty | +3 |
| README has setup instructions | Scan for "install", "setup", "getting started" | +2 |
| README has code examples | Scan for code blocks and "example" | +2 |
README content is fetched directly from GitHub and analyzed for structure. Additional points for description, tagline, homepage, and API name metadata.
Which clients and transports does it support?
| Signal | Points |
|---|---|
| Supports stdio transport | +4 |
| Supports HTTP/SSE transport | +4 |
| Multiple transports | +2 |
| Each tested client | +2 (max 6) |
Scores are computed entirely by algorithm. No server author, sponsor, or MCPpedia team member can manually change a score. The only way to improve a score is to improve the server: fix CVEs, add documentation, maintain the code, and support more transports.
The scoring algorithm itself is open source. You can audit it at lib/scoring.ts.
MCPpedia is a static metadata scanner, not a runtime security proxy. Understanding what we can and cannot detect is important:
| What We Detect | What We Cannot Detect |
|---|---|
|
|
Tool definitions are extracted from GitHub READMEs, not from running the actual server code. If a server's real tool definitions differ from its documentation, our analysis may be incomplete.
MCPpedia scores are generated automatically from publicly available data and may not reflect the full quality, security posture, or suitability of any server for your use case. Scores are provided for informational purposes only and should not be the sole basis for security or purchasing decisions.
MCPpedia is an independent community project and is not affiliated with, endorsed by, or sponsored by Anthropic, the Model Context Protocol project, or any server listed on this site. "MCP" and "Model Context Protocol" are trademarks of their respective owners.
Server metadata is sourced from the official MCP Registry, GitHub, npm, PyPI, and OSV.dev. If you believe any information is inaccurate, please open an issue.