# MCP Server Registry and Security Scorer (`george.the.developer/mcp-server-registry-scorer`) Actor Profile MCP servers from the official registry, enrich package metadata, and score security risk for agent builders. - **URL**: https://apify.com/george.the.developer/mcp-server-registry-scorer.md - **Developed by:** [George Kioko](https://apify.com/george.the.developer) (community) - **Categories:** MCP servers, Developer tools, AI - **Stats:** 1 total users, 1 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## MCP Server Registry and Security Scorer MCP servers exploded to 22K+. Knowing which are safe to wire into an agent stack is your problem now. This Actor is a Standby API for builders who need MCP server profiles and deterministic risk scores over HTTP. It reads the official Model Context Protocol registry, enriches each server with npm and GitHub metadata when available, then returns a normalized profile or a security scan result that can be stored in Apify datasets. Use it when a directory UI is not enough. Agent platforms, enterprise AI governance teams, dev tool teams, and marketplaces can call this Actor from admission pipelines, allowlist builders, dashboard jobs, or security feeds. ### Quick start Look up one server profile: ```bash curl "https://george-the-developer--mcp-server-registry-scorer.apify.actor/server?name=io.github.Digital-Defiance/mcp-filesystem" ```` Run a security scan: ```bash curl "https://george-the-developer--mcp-server-registry-scorer.apify.actor/scan?name=io.github.Digital-Defiance/mcp-filesystem" ``` For high volume bulk scans, add `include_github=false` to avoid unauthenticated GitHub rate limits, or set `GITHUB_TOKEN` on the Actor for higher limits. ### Endpoints | Method | Path | Purpose | |---|---|---| | GET | `/` | Service info | | GET | `/health` | Health status | | GET | `/server?name=` | One enriched MCP server profile | | GET | `/list?limit=&offset=&sort=` | Registry page with enrichment | | GET | `/scan?name=` | One risk scan with profile | | POST | `/scan/bulk` | Scan up to 50 servers with `{ "servers": [...] }` | ### Profile schema Each profile row is pushed to the default Apify dataset and returned by the API. ```json { "server_id": "io.github.Digital-Defiance/mcp-filesystem", "name": "@ai-capabilities-suite/mcp-filesystem", "description": "Advanced filesystem operations with strict security boundaries for AI agents", "transport": "stdio", "repository_url": "https://github.com/Digital-Defiance/ai-capabilities-suite", "homepage_url": "https://github.com/Digital-Defiance/mcp-filesystem", "registry_source": "modelcontextprotocol", "registry_url": "https://registry.modelcontextprotocol.io/servers/io.github.Digital-Defiance%2Fmcp-filesystem", "version": "0.1.9", "license": "MIT", "language": "typescript", "github_stars": 3, "github_open_issues": 3, "github_last_commit": "2026-04-08T18:05:37.000Z", "github_archived": false, "npm_weekly_downloads": 85, "npm_first_published": "2025-12-09T05:50:22.757Z", "tools_count": null, "resources_count": null, "prompts_count": null, "fetched_at": "2026-05-11T14:46:54.158Z" } ``` ### Scan schema Scans add deterministic risk scoring. No LLM calls are used. ```json { "server_id": "io.github.Digital-Defiance/mcp-filesystem", "scanned_at": "2026-05-11T14:46:54.161Z", "risk_score": 5, "risk_band": "low", "signals": { "no_repository_link": false, "github_archived": false, "stale_no_commit_90d": false, "unknown_publisher": false, "no_license": false, "permissive_capabilities": false, "tool_count_anomaly": false, "registered_but_unbuilt": false, "single_maintainer_npm": true, "advisory_match": false }, "explanation": "Risk is low because this server has single npm maintainer. Review the linked package and repository metadata before adding it to a production agent allowlist." } ``` ### Architecture ```mermaid flowchart LR A[Input server name or list page] --> B[Fetcher selection] B --> C[Official MCP registry] B --> D[npm metadata and downloads] B --> E[GitHub repository API] C --> F[Normalize profile] D --> F E --> F F --> G[Risk scoring] G --> H[HTTP response] F --> I[Apify dataset] G --> I ``` ### Pricing | Event | Price | When charged | |---|---:|---| | Actor start | $0.50 | One paid Standby request or batch run | | Server profile | $0.025 | Each enriched MCP server profile returned | | Security scan | $0.15 | Each MCP server scanned for risk signals | Charges run only after real work succeeds. Health checks, readiness probes, and known test payloads return mock data without PPE charges. ### Positioning Glama is useful when a person wants a browsable MCP directory. Smithery is useful when teams want registry and install workflows. This Actor is the API layer for builders who want server profiles plus risk scores via HTTP, not a directory UI. It fits production pipelines where you need a JSON answer that can be logged, diffed, joined with internal policy, or used to reject a server before it reaches an agent runtime. ### Use cases 1. Agent platform admission control: scan MCP submissions before listing them. 2. Enterprise AI governance allowlists: keep an approved server list with evidence fields. 3. Dev tool risk dashboards: rank MCP dependencies by metadata risk. 4. MCP server marketplaces: add server trust labels to listings. 5. Security researcher feeds: monitor new registry entries with missing source, stale repos, or advisories. ### GitHub rate limits Unauthenticated GitHub API calls are limited. This Actor uses in memory caching for the Standby container lifetime and supports `include_github=false` for bulk operations. For better enrichment on bulk scans, set `GITHUB_TOKEN` as an Actor environment variable. ### FAQ **Which registries are covered?**\ V1 uses the official MCP registry as the primary source. It can enrich packages that appear in registry metadata and package names that resolve on npm. **How is the risk score calculated?**\ The rubric is deterministic. Missing repository link, archived repo, stale commits, missing license, unusual tool count, single npm maintainer, unbuilt registry entry, unknown publisher, and advisory match add weighted points. **What does a high score mean?**\ It means the public metadata has risk signals that deserve review. It is not a malware verdict. **Can I avoid GitHub rate limits?**\ Yes. Use `include_github=false` for bulk calls, or set `GITHUB_TOKEN` on the Actor. **Do you refund health checks or failed probes?**\ Health checks and test payloads are short circuited and are not billed. Failed real work is not charged by the Actor code. **How do I contact the maintainer?**\ Open the Actor issue tab on Apify or contact George Kioko at `george.the.developer` on Apify. # Actor input Schema ## `mode` (type: `string`): Batch mode to run. Standby mode ignores this unless a batch input is supplied. ## `name` (type: `string`): MCP registry server name or npm package name. ## `servers` (type: `array`): Server names for scan-bulk mode. Maximum 50. ## `limit` (type: `integer`): Number of registry profiles to return in list mode. ## `offset` (type: `integer`): Zero-based registry offset for list mode. ## `sort` (type: `string`): Local sort after enrichment. ## `includeGithub` (type: `boolean`): Fetch GitHub repo metadata when a repository URL is available. Set false to avoid GitHub rate limits. ## Actor input object example ```json { "mode": "server", "name": "io.github.Digital-Defiance/mcp-filesystem", "limit": 25, "offset": 0, "sort": "popular", "includeGithub": true } ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = {}; // Run the Actor and wait for it to finish const run = await client.actor("george.the.developer/mcp-server-registry-scorer").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = {} # Run the Actor and wait for it to finish run = client.actor("george.the.developer/mcp-server-registry-scorer").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{}' | apify call george.the.developer/mcp-server-registry-scorer --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=george.the.developer/mcp-server-registry-scorer", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "MCP Server Registry and Security Scorer", "description": "Profile MCP servers from the official registry, enrich package metadata, and score security risk for agent builders.", "version": "1.0", "x-build-id": "R0vsDrjdc3TkhhgCH" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/george.the.developer~mcp-server-registry-scorer/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-george.the.developer-mcp-server-registry-scorer", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/george.the.developer~mcp-server-registry-scorer/runs": { "post": { "operationId": "runs-sync-george.the.developer-mcp-server-registry-scorer", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/george.the.developer~mcp-server-registry-scorer/run-sync": { "post": { "operationId": "run-sync-george.the.developer-mcp-server-registry-scorer", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "mode": { "title": "Mode", "enum": [ "server", "list", "scan", "scan-bulk" ], "type": "string", "description": "Batch mode to run. Standby mode ignores this unless a batch input is supplied.", "default": "server" }, "name": { "title": "Server name", "type": "string", "description": "MCP registry server name or npm package name.", "default": "io.github.Digital-Defiance/mcp-filesystem" }, "servers": { "title": "Servers", "type": "array", "description": "Server names for scan-bulk mode. Maximum 50.", "items": { "type": "string" } }, "limit": { "title": "Limit", "minimum": 1, "maximum": 100, "type": "integer", "description": "Number of registry profiles to return in list mode.", "default": 25 }, "offset": { "title": "Offset", "minimum": 0, "type": "integer", "description": "Zero-based registry offset for list mode.", "default": 0 }, "sort": { "title": "Sort", "enum": [ "popular", "recent", "name" ], "type": "string", "description": "Local sort after enrichment.", "default": "popular" }, "includeGithub": { "title": "Include GitHub enrichment", "type": "boolean", "description": "Fetch GitHub repo metadata when a repository URL is available. Set false to avoid GitHub rate limits.", "default": true } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```