MCP Security Index

How the MCP Security Index grades servers

The grade answers one question: if this server were compromised or misinstructed, how much could it do? That is its blast radius, measured from the tools it declares. It is not a vulnerability assessment, not a penetration test, and not a judgment of the vendor.

Read-only by construction

AxioRank enumerates each server the way a client would (an MCP handshake, then a list of its tools, resources, and prompts) and never calls a tool. The scan reads what a server declares; it does not exercise it. Servers that gate even the handshake behind OAuth are listed as unreachable rather than graded.

What drives the grade

The grade is computed from the structure of the declared surface, using the tool names and input schemas:

  • Capability by name. A tool named to execute, delete, or write (for example delete_file, run_command) declares a high-impact capability. A read-only name declares none.
  • Credential solicitation. A tool whose input schema asks for a password, token, or key is a place a secret would flow.
  • Tool shadowing. Two tools sharing a name let one impersonate the other.
  • Missing provenance. A tool with no description cannot be audited against intent.
  • Hardcoded secrets. A credential embedded in the declared surface.

These combine into a 0 to 100 score with diminishing returns, so a broad surface scores higher than a narrow one without a single tool saturating it.

What is deliberately excluded

Keyword matches in tool descriptions (an injection-style phrase, a mention of payments, a number that looks like a card) are shown on each server page as informational advisories, but they do not drive the grade. Those detectors are built to score live tool-call arguments; on static descriptions they misfire, so a read-only documentation server is never graded as if it moved money.

Grade bands

GradeScoreMeaning
A0 to 19Minimal. Read-only or near read-only surface.
B20 to 39Limited. A small number of write-style tools.
C40 to 59Moderate. Meaningful write or transfer capability.
D60 to 79Broad. Many high-impact tools, or execution.
F80 to 100Extensive. A wide, high-privilege surface.

Right of reply

Grades are algorithmic and reproducible. If you maintain a server and believe its grade is wrong, or you have shipped a change, claim your listing or request a re-scan. Every server page links back here.

Govern the MCP servers your agents use

A grade tells you the blast radius. AxioRank lets you contain it: allowlist tools, hold risky calls for approval, and keep a signed audit trail.

Start free