MCP Server Risk Auditor

MCP Server Risk Auditor checks MCP server manifests, registry entries, package metadata, or tool lists for observable security, permission, and prompt-injection risk signals. Give it public HTTPS manifest URLs, paste JSON directly, or mix both, and it returns one static risk audit row per input with scores, findings, risky tools, evidence, and recommended actions.

The actor does not run the MCP server. It does not install packages, execute commands, call tools, or treat manifest text as trusted instructions.

What It Does

• Audits MCP server metadata from manifestUrls, manifestJsonItems, manifestUrl, or manifestJson.
• Scores permission, prompt-injection, data-exfiltration, and execution risk.
• Flags risky tools such as shell execution, filesystem access, arbitrary URL fetching, token handling, browser control, or database access.
• Detects manifest text that looks like prompt-injection or model-steering instructions.
• Produces evidence-backed findings and recommended next steps for human review.
• Supports recurring approval pipelines with datasetId and runId.

Best For

Security teams can triage MCP servers before adding them to an internal allowlist.

AI platform teams can review third-party MCP tools before making them available to agents.

Developer tooling teams can schedule recurring audits of approved MCP manifests and compare risk changes over time.

Vendor-risk and procurement teams can turn MCP metadata into a repeatable intake dataset.

Input

Provide one or more URLs, one or more JSON items, or both.

Field	Type	Description
manifestUrls	array	Public HTTPS URLs to MCP manifests, registry entries, package metadata files, or tool lists.
manifestJsonItems	array	Pasted manifest or tool-list JSON objects for private, offline, or internal reviews.
accessToken	string	Optional secret Bearer token for protected manifest URLs or authenticated MCP metadata endpoints.
datasetId	string	Optional existing dataset to append results to.
runId	string	Optional upstream approval, vendor review, or monitoring workflow ID copied into output rows.

Each URL or JSON object becomes one dataset row. Duplicate URLs and duplicate JSON objects are skipped. A run currently processes up to 50 input items.

For API compatibility, the actor still accepts legacy manifestUrl and manifestJson fields, but the Console form only shows the batch fields above.

Example Input

{
  "manifestUrls": [
    "https://registry.modelcontextprotocol.io/v0/servers",
    "https://registry.npmjs.org/@modelcontextprotocol/server-filesystem"
  ],
  "manifestJsonItems": [
    {
      "name": "example-filesystem-mcp",
      "transport": "stdio",
      "command": "node",
      "args": ["server.js"],
      "tools": [
        {
          "name": "read_file",
          "description": "Reads arbitrary files from the local filesystem path provided by the user.",
          "inputSchema": {
            "type": "object",
            "properties": {
              "path": { "type": "string" }
            }
          }
        }
      ]
    }
  ],
  "runId": "security-review-2026-05"
}

Output

Each input item writes one dataset row for the audited MCP server metadata.

{
  "serverName": "example-filesystem-mcp",
  "inputIndex": 0,
  "sourceType": "json",
  "auditStatus": "success",
  "overallRiskScore": 47,
  "overallRiskLevel": "high",
  "permissionRiskScore": 70,
  "promptInjectionRiskScore": 0,
  "dataExfiltrationRiskScore": 18,
  "executionRiskScore": 100,
  "toolCount": 2,
  "highRiskToolCount": 1,
  "riskyTools": [
    {
      "name": "run_shell_command",
      "riskScore": 45,
      "riskLevel": "high",
      "categories": ["execution"],
      "findingCount": 1
    }
  ],
  "findings": [
    {
      "severity": "critical",
      "category": "execution",
      "scope": "tool",
      "toolName": "run_shell_command",
      "message": "Tool or manifest text references shell or arbitrary command execution."
    }
  ],
  "recommendedActions": [
    "Require human security review before allowing this MCP server in production or shared agent environments."
  ],
  "auditedAt": "2026-05-15T09:00:00.000Z",
  "runId": "security-review-2026-05"
}

API Usage

curl -X POST "https://api.apify.com/v2/acts/trovevault~mcp-server-risk-auditor/runs" \
  -H "Authorization: Bearer $APIFY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "manifestUrls": ["https://example.com/mcp-server.json"],
    "runId": "security-review-2026-05"
  }'

Key Fields

Field	Meaning
auditStatus	success, authorization_required, or error.
errorCategory	Machine-readable reason when metadata could not be audited.
inputIndex	Zero-based position of the input item after URLs and JSON items are combined and deduplicated.
overallRiskScore	Static metadata score from 0 to 100. Higher means more visible risk signals.
overallRiskLevel	low, medium, high, critical, or unknown when no metadata was available to score.
permissionRiskScore	Risk from broad file, browser, network, database, or system access claims.
promptInjectionRiskScore	Risk from manifest or tool text that may steer model behavior unsafely.
dataExfiltrationRiskScore	Risk from credential, token, secret, upload, webhook, or outbound data language.
executionRiskScore	Risk from shell, subprocess, code execution, package install, or local command launch signals.
riskyTools	Tool-level summaries sorted by risk.
findings	Evidence-backed risk findings for human review.
recommendedActions	Practical approval, sandboxing, and remediation steps.

Safety Model

This actor performs static inspection only. For URL inputs, it fetches JSON over HTTPS with a timeout, response-size limit, redirect limit, and local/private network blocking. It rejects embedded URL credentials, local files, non-HTTPS URLs, localhost, private IP ranges, and hostnames that resolve to private addresses. If accessToken is supplied, it is sent only as a Bearer authorization header and is never written to the dataset.

Manifest content is treated as hostile data. The actor parses metadata, scans text, and records evidence. It does not execute code snippets, install dependencies, call MCP tools, open shells, or send manifest content to an LLM.

Limitations

The actor reports observable metadata risk signals, not a full security certification. A low score means the supplied manifest did not expose strong static risk indicators. It does not prove the server runtime is safe.

The result depends on the completeness and honesty of the manifest or registry entry. Hidden runtime behavior, unpublished tools, malicious package code, dependency vulnerabilities, and server-side authorization bugs require separate review.

Some MCP ecosystems use different manifest shapes. If no tools are found, the actor returns a warning and still audits the available metadata.

FAQ

Can I audit private MCP servers?

Yes. Paste the manifest or tool list into manifestJson instead of using a URL.

Why did my MCP URL return HTTP 401?

Many remote MCP endpoints are protected by OAuth or another authorization layer. If the endpoint does not expose a public manifest, the actor returns auditStatus: "authorization_required" and overallRiskLevel: "unknown" instead of pretending the server is low risk. Provide an authorized accessToken or paste the manifest/tool list into manifestJson.

Can I monitor approved servers over time?

Yes. Schedule the actor with a manifest URL and append results to a shared datasetId, or keep a stable runId from your own approval workflow.

Is a high score always bad?

Not always. Some useful MCP servers legitimately need filesystem, browser, database, or shell access. A high score means the server needs stronger sandboxing, clearer permissions, and human approval before use in sensitive environments.

Changelog

• 0.1: Initial TroveVault release candidate with static MCP manifest risk scoring, URL and JSON inputs, tool-level findings, evidence, and safe URL fetching.