Docs / Reference / MCP Trust register

MCP Trust register — independent MCP-server safety scoring

An independent register of MCP servers, scored safety-first. For MCP servers, "safety" is not chatbot jailbreak-resistance — it's MCP-specific security: what a server can do if hijacked, whether its tool descriptions hide instructions, and whether dangerous tools are reachable without auth. This is an early first cohort; coverage grows as we scan more servers.

Human view: hlido.eu/mcp/ · Machine-readable: /data/mcp-register.json

What we score#

Each server's advertised tools (names, descriptions, input schemas — fetched via tools/list) are analyzed for four red-flag families:

FamilyWhat it catches
Tool poisoning / injectionHidden or override instructions embedded in a tool description ("ignore previous…", "don't tell the user…", exfiltration hints, invisible/bidi unicode) — the canonical MCP attack.
Dangerous capabilitiesTools that can execute shells / code, write or delete files, egress data to arbitrary endpoints, read secrets/env, or mutate databases — the blast radius if the server is hijacked.
Auth postureA mutating / dangerous server reachable with no authentication is elevated.
ScopeHow many mutating tools a server exposes (broader blast radius).

Tiers#

Findings deduct from a starting score to a published tier:

TierMeaning
SAFENo high-severity red-flags observed in the advertised surface.
CAUTIONSome capability breadth or minor flags — review before wiring in.
RISKYMultiple high-severity capabilities and/or weak auth posture.
DANGEROUSCritical red-flags (e.g. tool-poisoning, unauth + dangerous tools).
not_scannedServer failed to start or advertised zero tools — not scored as safe (0 findings ≠ safe when nothing was tested).

Evidence-first, never a bare number. The register publishes the tier and the exact red-flag findings (which tool, which family, why) so the verdict is inspectable. Methodology is open: /methodology/.

Register data#

EndpointWhat it is
/data/mcp-register.jsonThe register: count, counts_by_tier, poisoning_count, and one items[] entry per server (security_tier, security_score, tool_poisoning_detected, dangerous_capabilities[], no_auth, tools_advertised, as_of).
/data/mcp-register/{slug}.jsonFull per-server evidence — every finding with its tool, severity, and reason.
curl -s https://hlido.eu/data/mcp-register.json | jq '.counts_by_tier, .items[0]'

Scope & honesty#

On the roadmap: on-demand scan#

A dev-facing on-demand scan — name an MCP server you're about to install and get an independent red-flag verdict at the point of use — is the next phase. It is not live yet; today the register covers the scanned cohort. Watch the changelog for when it ships.

MCP safety vs agent safety#

MCP-server safety (this register) is distinct from the per-agent safety_probe dimension, which measures an LLM-backed agent's jailbreak / manipulation resistance. Different threat model, different surface.