MCP Server Trust Registry

Get your MCP server certified in 48 hours

10 MCP-specific security rules. Signed trust cert. Public registry listing. Enterprise security teams use our allowlist as the source of truth for approved MCP servers.

$99/mo monitoring add-on · npm or GitHub URL · Badge for your README · Prior art: Snyk, Trail of Bits

10 MCP vulnerability rules

OWASP LLM Top 10 (2025) aligned · CWE mapped

mcp-001 · Prompt injection sink · CRITICAL · CWE-1336 · LLM01
mcp-002 · Command injection / exec · CRITICAL · CWE-78
mcp-003 · SSRF in fetch tools · CRITICAL · CWE-918 · LLM06
mcp-004 · Secret leak via env · CRITICAL · CWE-200 · LLM02
mcp-005 · Capability escalation · MEDIUM · CWE-269 · LLM06
mcp-006 · Missing rate-limit / timeout · MEDIUM · CWE-400
mcp-007 · TOCTOU race in file tools · HIGH · CWE-367
mcp-008 · Missing auth on resources/list · HIGH · CWE-862 · LLM06
mcp-009 · Zombie subprocess on close · HIGH · CWE-404
mcp-010 · Unverified manifest signing · MEDIUM · CWE-345

Frequently asked questions

What does an MCP server audit cover?

10 rules covering: prompt injection in tool descriptions (mcp-001), command injection via exec/spawn (mcp-002), SSRF in fetch-style tools (mcp-003), secret leak via env-readback (mcp-004), capability escalation (mcp-005), missing rate-limit/timeout (mcp-006), TOCTOU race in file tools (mcp-007), missing auth on resources/list (mcp-008), zombie subprocess on close (mcp-009), and unverified manifest signing (mcp-010). Mapped to OWASP LLM Top 10 (2025) and CWE.

How long does the MCP audit take?

Source fetch and rule analysis complete in under 10 minutes. The signed certificate JSON and public registry listing are issued within 48 hours, after any manual review pass.

What does the signed certificate include?

A tamper-evident certificate authenticated with HMAC-SHA256 over its fields: MCP server slug, npm package, version audited, security score (0-100), trust grade (gold/silver/bronze/none) and issuance date. Because an HMAC can only be checked by a holder of the key, verification goes through the machine-readable endpoint at /api/mcp-cert/{slug}, which also backs IDE badge integration.

How does $99/month monitoring work?

When your npm package publishes a new version, we detect the version bump and automatically re-run all 10 security rules. New findings trigger a notification and update your registry score. The cert renews on each clean re-audit pass.

Enterprise teams are building allowlists now

Security teams at companies deploying Claude with MCP use our registry to manage approved server lists. Get your server certified before they build the allowlist without you.

Submit for audit — $499