MCP Trust Kit
Deterministic surface-risk scoring for MCP servers.
MCP Trust Kit scans a local MCP server over stdio, discovers its tools, runs deterministic
checks for protocol and tool hygiene plus risky exposed capabilities, calculates a score from
0..100, and emits terminal, JSON, and SARIF output that fits cleanly into CI. JSON and SARIF
include an explicit scan_timestamp field for downstream consumers.
MCP Trust Kit scores surface risk, not business intent.
A low score means the exposed tool surface deserves review. It does not mean a server is malicious.
A high score means fewer deterministic findings. It does not mean a server is safe.
Why
MCP servers expose tools to agents. That makes two questions worth automating before adoption:
- is the server metadata and schema surface clear enough to review?
- does the server expose capabilities with high blast radius?
MCP Trust Kit is intentionally narrow. It is not a security platform, a gateway, a hosted
service, or a certification authority. It is a deterministic scanner with stable output.
What It Checks
Today the scanner penalizes two broad classes of issues:
- protocol and tool hygiene
duplicate tool names, missing descriptions, vague descriptions, weak schemas, missing schema
type, arbitrary top-level properties, optional critical fields
- risky exposed capabilities
command execution, filesystem mutation, network request primitives, download-and-execute patterns
It does not score:
- business intent
- runtime isolation and deployment controls
- human approval flows outside the MCP server surface
- exploitability claims
Quickstart Local
Scan the included insecure demo server:
python -m venv .venv
source .venv/bin/activate
pip install -e .[dev]
mcp-trust scan --cmd python examples/insecure-server/server.py
Generate JSON and SARIF and enforce a score gate:
mcp-trust scan \
--min-score 80 \
--json-out mcp-trust-report.json \
--sarif mcp-trust-report.sarif \
--cmd python examples/insecure-server/server.py
The scanner launches --cmd directly without a shell. In practice that means python, npx,
uvx, or a compiled binary can all work, as long as you pass the real executable name and args.
Windows (PowerShell)
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -e .[dev]
.\.venv\Scripts\mcp-trust scan --cmd .\.venv\Scripts\python examples\insecure-server\server.py
Running Real MCP Servers
Validated examples are documented in docs/validated-servers.md.
Safe-ish public case:
mcp-trust scan --cmd npx -y @modelcontextprotocol/server-memory@2026.1.26
Risky but legitimate public case:
mkdir -p .tmp-mcp-fs
mcp-trust scan --cmd npx -y @modelcontextprotocol/server-filesystem@2026.1.14 .tmp-mcp-fs
On Windows, use npx.cmd instead of npx when needed.
GitHub Actions Quickstart
Drop this workflow into your repository:
name: MCP Trust Scan
on:
pull_request:
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run MCP Trust Kit
uses: aak204/MCP-Trust-Kit@v0.5.0
with:
cmd: python path/to/your/s
... [View full README on GitHub](https://github.com/aak204/MCP-Trust-Kit#readme)
