# MCP Server Risk Auditor (`trovevault/mcp-server-risk-auditor`) Actor Audits MCP server manifests for tool, permission, credential, prompt-injection, exfiltration, and execution risks. Export data, run via API, schedule and monitor runs, or integrate with other tools. - **URL**: https://apify.com/trovevault/mcp-server-risk-auditor.md - **Developed by:** [Trove Vault](https://apify.com/trovevault) (community) - **Categories:** MCP servers, Agents, AI - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, 1 bookmarks - **User rating**: No ratings yet ## Pricing from $0.85 / 1,000 mcp servers This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## MCP Server Risk Auditor MCP Server Risk Auditor checks MCP server manifests, registry entries, package metadata, or tool lists for observable security, permission, and prompt-injection risk signals. Give it public HTTPS manifest URLs, paste JSON directly, or mix both, and it returns one static risk audit row per input with scores, findings, risky tools, evidence, and recommended actions. The actor does not run the MCP server. It does not install packages, execute commands, call tools, or treat manifest text as trusted instructions. ### What It Does - Audits MCP server metadata from `manifestUrls`, `manifestJsonItems`, `manifestUrl`, or `manifestJson`. - Scores permission, prompt-injection, data-exfiltration, and execution risk. - Flags risky tools such as shell execution, filesystem access, arbitrary URL fetching, token handling, browser control, or database access. - Detects manifest text that looks like prompt-injection or model-steering instructions. - Produces evidence-backed findings and recommended next steps for human review. - Supports recurring approval pipelines with `datasetId` and `runId`. ### Best For Security teams can triage MCP servers before adding them to an internal allowlist. AI platform teams can review third-party MCP tools before making them available to agents. Developer tooling teams can schedule recurring audits of approved MCP manifests and compare risk changes over time. Vendor-risk and procurement teams can turn MCP metadata into a repeatable intake dataset. ### Input Provide one or more URLs, one or more JSON items, or both. | Field | Type | Description | | --- | --- | --- | | `manifestUrls` | array | Public HTTPS URLs to MCP manifests, registry entries, package metadata files, or tool lists. | | `manifestJsonItems` | array | Pasted manifest or tool-list JSON objects for private, offline, or internal reviews. | | `accessToken` | string | Optional secret Bearer token for protected manifest URLs or authenticated MCP metadata endpoints. | | `datasetId` | string | Optional existing dataset to append results to. | | `runId` | string | Optional upstream approval, vendor review, or monitoring workflow ID copied into output rows. | Each URL or JSON object becomes one dataset row. Duplicate URLs and duplicate JSON objects are skipped. A run currently processes up to 50 input items. For API compatibility, the actor still accepts legacy `manifestUrl` and `manifestJson` fields, but the Console form only shows the batch fields above. ### Example Input ```json { "manifestUrls": [ "https://registry.modelcontextprotocol.io/v0/servers", "https://registry.npmjs.org/@modelcontextprotocol/server-filesystem" ], "manifestJsonItems": [ { "name": "example-filesystem-mcp", "transport": "stdio", "command": "node", "args": ["server.js"], "tools": [ { "name": "read_file", "description": "Reads arbitrary files from the local filesystem path provided by the user.", "inputSchema": { "type": "object", "properties": { "path": { "type": "string" } } } } ] } ], "runId": "security-review-2026-05" } ```` ### Output Each input item writes one dataset row for the audited MCP server metadata. ```json { "serverName": "example-filesystem-mcp", "inputIndex": 0, "sourceType": "json", "auditStatus": "success", "overallRiskScore": 47, "overallRiskLevel": "high", "permissionRiskScore": 70, "promptInjectionRiskScore": 0, "dataExfiltrationRiskScore": 18, "executionRiskScore": 100, "toolCount": 2, "highRiskToolCount": 1, "riskyTools": [ { "name": "run_shell_command", "riskScore": 45, "riskLevel": "high", "categories": ["execution"], "findingCount": 1 } ], "findings": [ { "severity": "critical", "category": "execution", "scope": "tool", "toolName": "run_shell_command", "message": "Tool or manifest text references shell or arbitrary command execution." } ], "recommendedActions": [ "Require human security review before allowing this MCP server in production or shared agent environments." ], "auditedAt": "2026-05-15T09:00:00.000Z", "runId": "security-review-2026-05" } ``` ### API Usage ```bash curl -X POST "https://api.apify.com/v2/acts/trovevault~mcp-server-risk-auditor/runs" \ -H "Authorization: Bearer $APIFY_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "manifestUrls": ["https://example.com/mcp-server.json"], "runId": "security-review-2026-05" }' ``` ### Key Fields | Field | Meaning | | --- | --- | | `auditStatus` | `success`, `authorization_required`, or `error`. | | `errorCategory` | Machine-readable reason when metadata could not be audited. | | `inputIndex` | Zero-based position of the input item after URLs and JSON items are combined and deduplicated. | | `overallRiskScore` | Static metadata score from 0 to 100. Higher means more visible risk signals. | | `overallRiskLevel` | `low`, `medium`, `high`, `critical`, or `unknown` when no metadata was available to score. | | `permissionRiskScore` | Risk from broad file, browser, network, database, or system access claims. | | `promptInjectionRiskScore` | Risk from manifest or tool text that may steer model behavior unsafely. | | `dataExfiltrationRiskScore` | Risk from credential, token, secret, upload, webhook, or outbound data language. | | `executionRiskScore` | Risk from shell, subprocess, code execution, package install, or local command launch signals. | | `riskyTools` | Tool-level summaries sorted by risk. | | `findings` | Evidence-backed risk findings for human review. | | `recommendedActions` | Practical approval, sandboxing, and remediation steps. | ### Safety Model This actor performs static inspection only. For URL inputs, it fetches JSON over HTTPS with a timeout, response-size limit, redirect limit, and local/private network blocking. It rejects embedded URL credentials, local files, non-HTTPS URLs, localhost, private IP ranges, and hostnames that resolve to private addresses. If `accessToken` is supplied, it is sent only as a Bearer authorization header and is never written to the dataset. Manifest content is treated as hostile data. The actor parses metadata, scans text, and records evidence. It does not execute code snippets, install dependencies, call MCP tools, open shells, or send manifest content to an LLM. ### Limitations The actor reports observable metadata risk signals, not a full security certification. A low score means the supplied manifest did not expose strong static risk indicators. It does not prove the server runtime is safe. The result depends on the completeness and honesty of the manifest or registry entry. Hidden runtime behavior, unpublished tools, malicious package code, dependency vulnerabilities, and server-side authorization bugs require separate review. Some MCP ecosystems use different manifest shapes. If no tools are found, the actor returns a warning and still audits the available metadata. ### FAQ #### Can I audit private MCP servers? Yes. Paste the manifest or tool list into `manifestJson` instead of using a URL. #### Why did my MCP URL return HTTP 401? Many remote MCP endpoints are protected by OAuth or another authorization layer. If the endpoint does not expose a public manifest, the actor returns `auditStatus: "authorization_required"` and `overallRiskLevel: "unknown"` instead of pretending the server is low risk. Provide an authorized `accessToken` or paste the manifest/tool list into `manifestJson`. #### Can I monitor approved servers over time? Yes. Schedule the actor with a manifest URL and append results to a shared `datasetId`, or keep a stable `runId` from your own approval workflow. #### Is a high score always bad? Not always. Some useful MCP servers legitimately need filesystem, browser, database, or shell access. A high score means the server needs stronger sandboxing, clearer permissions, and human approval before use in sensitive environments. ### Changelog - `0.1`: Initial TroveVault release candidate with static MCP manifest risk scoring, URL and JSON inputs, tool-level findings, evidence, and safe URL fetching. # Actor input Schema ## `manifestUrls` (type: `array`): Public HTTPS URLs to MCP server manifests, registry entries, package metadata files, or tool listings. Use this to audit several public MCP metadata sources in one run. The actor fetches and statically inspects metadata only. It does not run MCP servers, install packages, execute commands, or perform MCP handshakes. ## `manifestJsonItems` (type: `array`): Array of pasted MCP server manifests, registry entries, package metadata objects, or tool lists to audit directly. Use this for private, offline, or internal MCP server reviews. Each object becomes one dataset row. The actor treats pasted JSON as untrusted data and never executes commands, installs packages, or runs MCP servers. ## `accessToken` (type: `string`): Optional Bearer token for protected manifest URLs or authenticated MCP metadata endpoints. Use only when you are authorized to inspect the server. The actor sends this token as an Authorization header for metadata fetching only and never writes it to the dataset. ## `datasetId` (type: `string`): ID of an existing Apify dataset to append audit results to, in addition to the default run dataset. Use this for approval pipelines or recurring MCP server monitoring that combine several runs into one dataset. Leave blank to write only to the default run dataset. ## `runId` (type: `string`): ID of an upstream approval, vendor review, security intake, or scheduled audit copied into output rows. Leave blank for standalone runs. ## Actor input object example ```json { "manifestJsonItems": [ { "name": "example-filesystem-mcp", "description": "Example MCP server exposing file and shell tools for security review.", "transport": "stdio", "command": "node", "args": [ "server.js" ], "tools": [ { "name": "read_file", "description": "Reads arbitrary files from the local filesystem path provided by the user.", "inputSchema": { "type": "object", "properties": { "path": { "type": "string", "description": "Path to read from disk." } }, "required": [ "path" ] } }, { "name": "run_shell_command", "description": "Executes a shell command and returns stdout and stderr.", "inputSchema": { "type": "object", "properties": { "command": { "type": "string" } }, "required": [ "command" ] } } ] } ] } ``` # Actor output Schema ## `dataset` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "manifestJsonItems": [ { "name": "example-filesystem-mcp", "description": "Example MCP server exposing file and shell tools for security review.", "transport": "stdio", "command": "node", "args": [ "server.js" ], "tools": [ { "name": "read_file", "description": "Reads arbitrary files from the local filesystem path provided by the user.", "inputSchema": { "type": "object", "properties": { "path": { "type": "string", "description": "Path to read from disk." } }, "required": [ "path" ] } }, { "name": "run_shell_command", "description": "Executes a shell command and returns stdout and stderr.", "inputSchema": { "type": "object", "properties": { "command": { "type": "string" } }, "required": [ "command" ] } } ] } ] }; // Run the Actor and wait for it to finish const run = await client.actor("trovevault/mcp-server-risk-auditor").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "manifestJsonItems": [{ "name": "example-filesystem-mcp", "description": "Example MCP server exposing file and shell tools for security review.", "transport": "stdio", "command": "node", "args": ["server.js"], "tools": [ { "name": "read_file", "description": "Reads arbitrary files from the local filesystem path provided by the user.", "inputSchema": { "type": "object", "properties": { "path": { "type": "string", "description": "Path to read from disk.", } }, "required": ["path"], }, }, { "name": "run_shell_command", "description": "Executes a shell command and returns stdout and stderr.", "inputSchema": { "type": "object", "properties": { "command": { "type": "string" } }, "required": ["command"], }, }, ], }] } # Run the Actor and wait for it to finish run = client.actor("trovevault/mcp-server-risk-auditor").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "manifestJsonItems": [ { "name": "example-filesystem-mcp", "description": "Example MCP server exposing file and shell tools for security review.", "transport": "stdio", "command": "node", "args": [ "server.js" ], "tools": [ { "name": "read_file", "description": "Reads arbitrary files from the local filesystem path provided by the user.", "inputSchema": { "type": "object", "properties": { "path": { "type": "string", "description": "Path to read from disk." } }, "required": [ "path" ] } }, { "name": "run_shell_command", "description": "Executes a shell command and returns stdout and stderr.", "inputSchema": { "type": "object", "properties": { "command": { "type": "string" } }, "required": [ "command" ] } } ] } ] }' | apify call trovevault/mcp-server-risk-auditor --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=trovevault/mcp-server-risk-auditor", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "MCP Server Risk Auditor", "description": "Audits MCP server manifests for tool, permission, credential, prompt-injection, exfiltration, and execution risks. Export data, run via API, schedule and monitor runs, or integrate with other tools.", "version": "0.1", "x-build-id": "RdeOPI5I8cLNtebNw" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/trovevault~mcp-server-risk-auditor/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-trovevault-mcp-server-risk-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/trovevault~mcp-server-risk-auditor/runs": { "post": { "operationId": "runs-sync-trovevault-mcp-server-risk-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/trovevault~mcp-server-risk-auditor/run-sync": { "post": { "operationId": "run-sync-trovevault-mcp-server-risk-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "manifestUrls": { "title": "Manifest URLs (optional)", "type": "array", "description": "Public HTTPS URLs to MCP server manifests, registry entries, package metadata files, or tool listings. Use this to audit several public MCP metadata sources in one run. The actor fetches and statically inspects metadata only. It does not run MCP servers, install packages, execute commands, or perform MCP handshakes.", "items": { "type": "string" } }, "manifestJsonItems": { "title": "Manifest JSON Items (optional)", "type": "array", "description": "Array of pasted MCP server manifests, registry entries, package metadata objects, or tool lists to audit directly. Use this for private, offline, or internal MCP server reviews. Each object becomes one dataset row. The actor treats pasted JSON as untrusted data and never executes commands, installs packages, or runs MCP servers." }, "accessToken": { "title": "Access Token (optional)", "type": "string", "description": "Optional Bearer token for protected manifest URLs or authenticated MCP metadata endpoints. Use only when you are authorized to inspect the server. The actor sends this token as an Authorization header for metadata fetching only and never writes it to the dataset." }, "datasetId": { "title": "Dataset ID (optional)", "type": "string", "description": "ID of an existing Apify dataset to append audit results to, in addition to the default run dataset. Use this for approval pipelines or recurring MCP server monitoring that combine several runs into one dataset. Leave blank to write only to the default run dataset." }, "runId": { "title": "Run ID (optional)", "type": "string", "description": "ID of an upstream approval, vendor review, security intake, or scheduled audit copied into output rows. Leave blank for standalone runs." } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```