How the MCP Security Index grades servers
The grade answers one question: if this server were compromised or misinstructed, how much could it do? That is its blast radius, measured from the tools it declares. It is not a vulnerability assessment, not a penetration test, and not a judgment of the vendor.
Read-only by construction
AxioRank enumerates each server the way a client would (an MCP handshake, then a list of its tools, resources, and prompts) and never calls a tool. The scan reads what a server declares; it does not exercise it. Servers that gate even the handshake behind OAuth are listed as unreachable rather than graded.
What drives the grade
The grade is computed from the structure of the declared surface, using the tool names and input schemas:
- Capability by name. A tool whose name signals execution, deletion, or writing (for example delete_file, run_command) declares a high-impact capability. A read-only name (for example read_file) declares none.
- Credential solicitation. A tool whose input schema asks for a password, token, or key is a place a secret would flow.
- Tool shadowing. Two tools sharing a name let one impersonate the other.
- Missing provenance. A tool with no description cannot be audited against intent.
- Hardcoded secrets. A credential embedded in the declared surface.
These combine into a 0 to 100 score with diminishing returns, so a broad surface scores higher than a narrow one without a single tool saturating it.
What is deliberately excluded
Keyword matches in tool descriptions (an injection-style phrase, a mention of payments, a number that looks like a card) are shown on each server page as informational advisories, but they do not drive the grade. Those detectors are built to score live tool-call arguments; on static descriptions they misfire, so a read-only documentation server is never graded as if it moved money.
Grade bands
| Grade | Score | Meaning |
|---|---|---|
| A | 0 to 19 | Minimal. Read-only or near read-only surface. |
| B | 20 to 39 | Limited. A small number of write-style tools. |
| C | 40 to 59 | Moderate. Meaningful write or transfer capability. |
| D | 60 to 79 | Broad. Many high-impact tools, or execution. |
| F | 80 to 100 | Extensive. A wide, high-privilege surface. |
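As an added worked example (not AxioRank's own code; its name lists, schema checks, weights and detectors are not published on this page), the following Python scorer applies the five signals above to a constructed tools/list result, combines them with a noisy-OR style diminishing-returns formula, and maps the result onto the grade bands. The regexes, weights and sample tools are assumptions made for illustration.

```python
import re
from collections import Counter

# Heuristics and weights are constructed for this example, not AxioRank's published lists.
HIGH_IMPACT = re.compile(r"(^|_)(execute|exec|run|delete|remove|write|drop|transfer)(_|$)")
SECRET_PARAM = re.compile(r"password|passwd|token|secret|api_?key|private_?key", re.I)
HARDCODED = re.compile(r"AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{16,}|BEGIN [A-Z ]*PRIVATE KEY")
WEIGHTS = {"capability": 0.35, "credential": 0.25, "shadowing": 0.30,
           "no_description": 0.10, "hardcoded_secret": 0.40}  # assumed per-finding mass

SAMPLE_TOOLS = [  # constructed tools/list result, not captured from a real server
    {"name": "read_file", "description": "Read a file.", "inputSchema": {"properties": {"path": {}}}},
    {"name": "delete_file", "description": "Delete a file.", "inputSchema": {"properties": {"path": {}}}},
    {"name": "run_command", "inputSchema": {"properties": {"cmd": {}}}},  # no description
    {"name": "login", "description": "Authenticate.", "inputSchema": {"properties": {"username": {}, "password": {}}}},
]

def findings(tools):
    """Return (tool_name, signal) pairs read from the declared surface only; no tool is called."""
    out = []
    for t in tools:
        name = t.get("name", "")
        props = (t.get("inputSchema") or {}).get("properties") or {}
        if HIGH_IMPACT.search(name.lower()):
            out.append((name, "capability"))          # execute/delete/write by name
        if any(SECRET_PARAM.search(p) for p in props):
            out.append((name, "credential"))          # schema asks for a secret
        if not t.get("description"):
            out.append((name, "no_description"))      # missing provenance
        if HARDCODED.search(repr(t)):
            out.append((name, "hardcoded_secret"))    # secret embedded in the declaration
    for name, count in Counter(t.get("name", "") for t in tools).items():
        if count > 1:
            out.append((name, "shadowing"))           # two tools share one name
    return out

def score(tools):
    """Diminishing returns: 100 * (1 - prod(1 - w_i)); each finding eats a share of the headroom."""
    remaining = 1.0
    for _, signal in findings(tools):
        remaining *= 1.0 - WEIGHTS[signal]
    return round(100 * (1.0 - remaining))

def grade(s):
    """Map a 0 to 100 score onto the grade bands from the table above."""
    return "A" if s < 20 else "B" if s < 40 else "C" if s < 60 else "D" if s < 80 else "F"

if __name__ == "__main__":
    s = score(SAMPLE_TOOLS)
    print(f"score={s} grade={grade(s)} findings={findings(SAMPLE_TOOLS)}")
```

With the sample surface the two high-impact names, the undocumented tool and the password parameter combine to a score of 71 (grade D), while the read_file tool alone scores 0 (grade A), illustrating why a broad surface climbs the bands without any single tool saturating the scale.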
Right of reply
Grades are algorithmic and reproducible. If you maintain a server and believe its grade is wrong, or you have shipped a change, claim your listing or request a re-scan. Every server page links back here.
Govern the MCP servers your agents use
A grade tells you the blast radius. AxioRank lets you contain it: allowlist tools, hold risky calls for approval, and keep a signed audit trail.