MCP Trust register — independent MCP-server safety scoring
An independent register of MCP servers, scored safety-first. For MCP servers, "safety" is not chatbot jailbreak-resistance — it's MCP-specific security: what a server can do if hijacked, whether its tool descriptions hide instructions, and whether dangerous tools are reachable without auth. This is an early first cohort; coverage grows as we scan more servers.
Human view: hlido.eu/mcp/ · Machine-readable: /data/mcp-register.json
What we score#
Each server's advertised tools (names, descriptions, input schemas — fetched via tools/list) are analyzed for four red-flag families:
| Family | What it catches |
|---|---|
| Tool poisoning / injection | Hidden or override instructions embedded in a tool description ("ignore previous…", "don't tell the user…", exfiltration hints, invisible/bidi unicode) — the canonical MCP attack. |
| Dangerous capabilities | Tools that can execute shells / code, write or delete files, egress data to arbitrary endpoints, read secrets/env, or mutate databases — the blast radius if the server is hijacked. |
| Auth posture | A mutating / dangerous server reachable with no authentication is elevated. |
| Scope | How many mutating tools a server exposes (broader blast radius). |
Tiers#
Findings deduct from a starting score to a published tier:
| Tier | Meaning |
|---|---|
SAFE | No high-severity red-flags observed in the advertised surface. |
CAUTION | Some capability breadth or minor flags — review before wiring in. |
RISKY | Multiple high-severity capabilities and/or weak auth posture. |
DANGEROUS | Critical red-flags (e.g. tool-poisoning, unauth + dangerous tools). |
not_scanned | Server failed to start or advertised zero tools — not scored as safe (0 findings ≠ safe when nothing was tested). |
Evidence-first, never a bare number. The register publishes the tier and the exact red-flag findings (which tool, which family, why) so the verdict is inspectable. Methodology is open: /methodology/.
Register data#
| Endpoint | What it is |
|---|---|
/data/mcp-register.json | The register: count, counts_by_tier, poisoning_count, and one items[] entry per server (security_tier, security_score, tool_poisoning_detected, dangerous_capabilities[], no_auth, tools_advertised, as_of). |
/data/mcp-register/{slug}.json | Full per-server evidence — every finding with its tool, severity, and reason. |
curl -s https://hlido.eu/data/mcp-register.json | jq '.counts_by_tier, .items[0]'
Scope & honesty#
- This is static analysis of the advertised tool surface — it flags structural risk, not a runtime exploit proof. A SAFE tier means no red-flags in what the server advertises, not a guarantee.
- The cohort is small and early; absence from the register means "not yet scanned", not "unsafe".
- Independence is the point — Hlido is not a funnel for a paid defense product, and no vendor pays for a score.
On the roadmap: on-demand scan#
A dev-facing on-demand scan — name an MCP server you're about to install and get an independent red-flag verdict at the point of use — is the next phase. It is not live yet; today the register covers the scanned cohort. Watch the changelog for when it ships.
MCP safety vs agent safety#
MCP-server safety (this register) is distinct from the per-agent safety_probe dimension, which measures an LLM-backed agent's jailbreak / manipulation resistance. Different threat model, different surface.