🛡️ ToolTrust Directory

This repo hosts tooltrust.dev — the website and pre-scanned report data. If you want to scan your own MCP servers, go to tooltrust-scanner.

A public registry of AI agent tools, continuously scanned for prompt injection, data exfiltration, and privilege escalation by ToolTrust Scanner.

🚨 Supply-Chain Incident Coverage (March 2026) ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (axios@1.14.1, axios@0.30.4). For npm-backed MCP servers, ToolTrust also scores dependency visibility, transitive lockfile evidence, lifecycle scripts, and IOC indicators such as plain-crypto-js.

---

📊 Security Registry

Top 50 by popularity. View all 1091 tools → Full Directory · data/reports/ · docs/tools/

Tool	Version	Popularity	Grade	Key Findings	Scanned
playwright-mcp	0.0.75	9.9M/mo	D	🔑 AS-002 ×15, ⚡ AS-006 ×2, ⚡ AS-011 ×6	May 8
chrome-devtools-mcp	chrome-dev…	5.2M/mo	C	🔑 AS-002 ×14, ⚡ AS-006, ⚡ AS-011 ×3	May 8
context7	1.0.30	5.0M/mo	B	AS-014 ×2, 🔑 AS-002, ⚡ AS-011	May 8
upstash-context7-mcp	1.0.30	5.0M/mo	B	AS-014 ×2, 🔑 AS-002, ⚡ AS-011	May 8
gemini-cli	0.42.0-pre…	3.6M/mo	C	AS-014 ×56, 🔑 AS-002 ×35, ⚡ AS-011 ×11	May 8
mcp-server-filesystem	typescript…	1.4M/mo	C	🔑 AS-002 ×15, ⚡ AS-011	May 8
cloudflare-containers	0.3.2	974.7k/mo	A	🔑 AS-002 ×5, ⚡ AS-011, AS-014 ×7	Apr 26
mcp-server-github	typescript…	516.5k/mo	C	🔑 AS-002 ×35, ⚡ AS-011 ×18	May 8
n8n-mcp	2.51.1	501.4k/mo	C	🔑 AS-002 ×7, ⚡ AS-011 ×2	May 8
mcp-server-sequential-thinking	typescript…	443.4k/mo	A	✅ None	May 8
figma-context-mcp	0.11.0	432.7k/mo	B	AS-014 ×9, 🔑 AS-002, ⚡ AS-011	May 8
tavily-ai-tavily-mcp	0.2.19	362.8k/mo	C	🔑 AS-002 ×9, ⚡ AS-011 ×4, AS-014 ×4	May 4
tavily-mcp	0.2.19	355.4k/mo	C	🔑 AS-002 ×10, ⚡ AS-011 ×5	May 8
notion-mcp-server	2.1.0	272.7k/mo	C	🔑 AS-002 ×30, ⚡ AS-011 ×22	May 8
firecrawl-mcp-server	3.2.1	186.2k/mo	C	🔑 AS-002 ×14, AS-014 ×8, ⚡ AS-011 ×7	May 8
xcodebuildmcp	2.5.0	158.3k/mo	B	AS-014 ×71, 🔑 AS-002 ×35, ⚡ AS-011 ×3	May 8
cameroncooke-xcodebuildmcp	2.3.2	137.1k/mo	B	AS-014 ×71, 🔑 AS-002 ×35, ⚡ AS-011 ×3	Apr 26
circleci-public-mcp-server-circleci	0.15.1	116.5k/mo	C	🔑 AS-002 ×21, ⚡ AS-011 ×13, 📐 AS-003 ×2	May 4
mcp-server-brave-search	typescript…	110.9k/mo	C	🔑 AS-002 ×14, ⚡ AS-011 ×6, AS-014 ×6	May 8
ms-365-mcp-server	0.99.1	94.1k/mo	C	AS-012, 🔑 AS-002 ×330, ⚡ AS-011 ×151	May 8
mcp-server-time	typescript…	85.2k	A	AS-014 ×2	May 8
mcp-server-fetch	typescript…	85.2k	B	🔑 AS-002 ×3, ⚡ AS-011 ×3, AS-014 ×3	May 8
claude-task-master	0.20.0	75.0k/mo	B	AS-014 ×14, 🔑 AS-002 ×9, ⚡ AS-011	May 8
mobile-mcp	0.0.31-beta	65.1k/mo	B	🔑 AS-002 ×5, ⚡ AS-011	May 8
desktopcommandermcp	0.2.40	62.5k/mo	C	🔑 AS-002 ×22, AS-014 ×26, ⚡ AS-011 ×8, 📐 AS-003	May 8
brave-search-mcp-server	2.0.80	61.4k/mo	C	🔑 AS-002 ×14, ⚡ AS-011 ×6, AS-014 ×6	May 8
exa-mcp-server	3.2.1	59.5k/mo	C	🔑 AS-002 ×4, ⚡ AS-011 ×2	May 8
ruflo	3.7.0-alph…	58.8k/mo	B	AS-014 ×33, 🔑 AS-002 ×25, ⚡ AS-011	May 8
apify-mcp-server	0.10.1	58.8k/mo	D	🔑 AS-002 ×27, ⚡ AS-011 ×7, AS-014 ×16, ⚡ AS-006 ×2	May 8
context-mode	1.0.111	55.4k/mo	D	🔑 AS-002 ×24, ⚡ AS-006 ×2, ⚡ AS-011 ×5	May 8
mcp-server-kubernetes	3.5.1	52.2k/mo	B	AS-014 ×22, 🔑 AS-002 ×6, ⚡ AS-011 ×3	May 8
aas-ee-open-websearch	2.1.6	39.8k/mo	C	🔑 AS-002 ×7, ⚡ AS-011 ×6	Apr 26
antvis-mcp-server-chart	0.9.10	36.0k/mo	B	AS-014 ×26, 🔑 AS-002, ⚡ AS-011	May 8
mcp-server-chart	0.9.10	36.0k/mo	B	AS-014 ×26, 🔑 AS-002, ⚡ AS-011	May 8
dive	0.14.2	33.8k/mo	C	🔑 AS-002 ×3, ⚡ AS-011 ×2, AS-014 ×2	May 8
github-mcp-server	1.0.3	29.6k	C	🔑 AS-002 ×75, ⚡ AS-011 ×36, AS-014 ×86, 📐 AS-003, 🗝️ AS-010	May 8
brightdata-mcp	2.9.5	26.6k/mo	C	🔑 AS-002 ×67, ⚡ AS-011 ×58, AS-014 ×65	May 8
railway-mcp-server	0.1.8	24.2k/mo	C	🔑 AS-002 ×20, ⚡ AS-011	May 8
git-mcp-server	2.15.1	21.5k/mo	C	🔑 AS-002 ×39, ⚡ AS-011 ×9	May 8
mcp-server-typescript	2.8.10	19.6k/mo	C	🔑 AS-002 ×24, ⚡ AS-011 ×13	May 8
mcp-server-cloudflare	workers-ob…	19.5k/mo	D	🔑 AS-002 ×5, ⚡ AS-011 ×2, AS-014 ×2, ⚡ AS-006	May 8
postman-mcp-server	2.8.7	19.4k/mo	C	🔑 AS-002 ×53, ⚡ AS-011 ×15, AS-014 ×41	May 8
obsidian-mcp-server	3.1.5	19.1k/mo	B	🔑 AS-002 ×9, AS-014 ×13, ⚡ AS-011 ×2	May 8
mcp-server	99.0.0-dev	16.2k/mo	C	🔑 AS-002 ×15, ⚡ AS-011 ×6	May 8
mcp-server-asana	1.6.0	14.5k/mo	C	🔑 AS-002 ×8, ⚡ AS-011 ×3, AS-014 ×10	May 8
tacticlaunch-mcp-linear	1.1.2	14.2k/mo	C	AS-014 ×42, 🔑 AS-002 ×21, ⚡ AS-011 ×8	May 4
openmetadata	1.2.1	13.8k	C	AS-014 ×31, 🔑 AS-002 ×11, ⚡ AS-011 ×8	May 8
skill-seekers	3.6.0	13.3k	B	🔑 AS-002, ⚡ AS-011, AS-014 ×5	May 8
dainfernalcoder-perplexity-mcp	Feature	13.0k/mo	B	🔑 AS-002 ×2, ⚡ AS-011 ×2, AS-014 ×3	May 4
mcp-server-trello	1.6.1	12.9k/mo	C	🔑 AS-002 ×126, AS-014 ×200, ⚡ AS-011 ×53, 🗝️ AS-010	May 8

---

⚖️ Grading System

Grade	Gateway Action	Description
S 🌟	ALLOW	Reserved for dynamic analysis
A	ALLOW	Minimal risk. Safe for production agents.
B	ALLOW + rate limit	Low risk. Minor issues, but generally safe.
C	REQUIRE_APPROVAL	Moderate risk. Remediation recommended.
D	REQUIRE_APPROVAL	High risk. Use only in isolated environments.
F	BLOCK	Critical risk. Do not use in agentic pipelines.

Full methodology: docs/methodology.md

---

🔍 Check Catalog

ToolTrust Scanner check IDs referenced in all reports:

ID	Severity	Detects
🛡️ AS‑001	Critical	Tool Poisoning — Adversarial prompts hidden in tool descriptions (ignore previous instructions, <INST>)
🔑 AS‑002	High/Low	Permission Surface — exec, network, db, fs beyond stated purpose; over-broad input schema
📐 AS‑003	High	Scope Mismatch — Tool name contradicts its permissions (e.g. read_config with exec)
📦 AS‑004	High/Critical	Supply Chain CVEs — Known CVEs in bundled dependencies via OSV
🔓 AS‑005	High	Privilege Escalation — admin/:write OAuth scopes; sudo/impersonate in descriptions
⚡ AS‑006	Critical	Arbitrary Code Execution — evaluate_script, _evaluate suffix, execute javascript, page.evaluate() patterns
ℹ️ AS‑007	Info	Insufficient Tool Data — Tool lacks a valid description or schema
🚨 AS‑008	Critical	Known Compromised Package — Offline embedded blacklist of confirmed supply-chain attacks (LiteLLM 1.82.7/1.82.8, Trivy v0.69.4-v0.69.6, Langflow <1.9.0, Axios 1.14.1/0.30.4). Zero-latency, no network required.
🔤 AS‑009	Medium	Typosquatting — Tool name within edit-distance 2 of a well-known MCP tool, suggesting impersonation
🗝️ AS‑010	Medium	Secret Handling — Input params accepting API keys/passwords; credentials logged insecurely
⚡ AS‑011	Low	DoS Resilience — No rate-limit, timeout, or retry config on network/exec tools
🔄 AS‑012	High	Rug-Pull — Tool set changed between scans of the same version without a version bump (directory pipeline only)
ℹ️ AS‑014	Info	Dependency Inventory Unavailable — MCP server exposed neither metadata.dependencies nor a repo_url, so supply-chain coverage is limited and must be treated as incomplete
⚠️ AS‑015	Medium/High	Suspicious NPM Lifecycle Script — npm dependency publishes preinstall / postinstall / similar install-time scripts; severity rises for remote-fetch or inline-execution patterns
🚨 AS‑016	Critical	Suspicious NPM IOC Dependency — published npm metadata or install-time scripts reference a known malicious IOC package, domain, URL, or reviewed script pattern such as plain-crypto-js, even if the top-level package name is new
⚠️ AS‑017	Medium	Suspicious Data Exfiltration Description — tool description explicitly suggests sending user data, content, or conversation history to external / remote endpoints, without classifying it as prompt injection
ℹ️ AS‑018	Info	Embedded MCP Server Detected — source-level MCP SDK usage was found, but tools could not be enumerated from a manifest or live handshake, so manual review is still required
👥 AS‑013	High/Medium	Tool Shadowing — Duplicate or near-duplicate tool name hijacks calls intended for a trusted tool

Full details → docs/methodology.md

---

🤖 AI Agent Integration

Let your AI agent scan its own tools. Add ToolTrust as an MCP server in your .mcp.json or claude_desktop_config.json:

{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}

This gives your agent five security tools:

Tool	Description
tooltrust_scan_config	Scan all MCP servers in your .mcp.json or ~/.claude.json in parallel
tooltrust_scan_server	Launch and scan a specific MCP server
tooltrust_scanner_scan	Scan a JSON blob of tool definitions
tooltrust_lookup	Look up a server's trust grade from this directory
tooltrust_list_rules	List all security rules with IDs and descriptions

Claude Code users: ask your agent to run tooltrust_scan_config to audit every MCP server in your project in one shot.

---

🤝 Contribute

Request a scan — open an issue with the tool's public URL and version.

Dispute a finding — open an issue referencing the finding ID (e.g. AS-002).

Integrate ToolTrust Scanner — see docs/dev.md for the data pipeline and schema spec.

---

📛 Add to your README

If your MCP server was audited and earned a grade, add our badge to your repo:

Grade A (recommended) — copy this into your README:

[![ToolTrust Grade A](https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-directory/main/docs/badges/grade-a.svg)](https://github.com/AgentSafe-AI/tooltrust-directory)

Other grades — replace grade-a with grade-s, grade-b, grade-c, grade-d, or grade-f:

Grade	Badge
S
A
B
C
D
F

Badges link to this directory. Generate SVGs locally: go run ./cmd/badge

---

⚙️ Automation

The registry table above is kept up to date by a daily GitHub Actions workflow:

.github/workflows/daily-audit.yml   ← cron 00:00 UTC + manual dispatch

Each run:

1. Discovers popular MCP servers via GitHub Search (50+ stars) plus Smithery-native servers (10+ uses)
2. Scans new/updated tools with ToolTrust Scanner + OSV supply-chain analysis
3. Publishes updated reports to data/reports/ and regenerates this README

---

Licensed MIT. Scanner engine: ToolTrust Scanner.