Public audits

Six-axis grades on Claude skills & MCP servers.

Every report card is produced by the SkillAudit v0.2 engine — six static checks plus an LLM-assisted prompt-injection probe. Real findings from a real scan, not a canned demo. If your repo is in the list and something looks wrong, the contact channel is open.

Methodology

Each report is produced by cloning the repo at its default branch, walking all .js / .ts / .py sources (tests and build artifacts weighted separately), and running six static checks:

  1. SSRF — HTTP client calls with user-controlled or templated URLs, no allowlist validation
  2. Command exec — exec/shell=True/os.system with interpolated strings
  3. Credentials — log/error sinks of process.env, hardcoded tokens by known prefix (AKIA, ghp_, sk-, …)
  4. Permissions — read-only named tools whose handler body contains a write/exec sink
  5. Maintenance — GitHub API for last-push, releases, archived, open-issue count
  6. Docs — README + install/usage sections, LICENSE, SECURITY.md, manifest repository field
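
As an added illustration of check 4 (this is not code from the SkillAudit engine), a minimal version of the permissions-mismatch detector in JavaScript; the read-only name pattern, the sink list and the sample server source are assumptions constructed here:

```javascript
// Sketch of the "Permissions" check: a tool whose name reads as read-only but
// whose handler body reaches a write/exec sink. Not the SkillAudit engine's
// code; the name pattern, sink list and sample source are constructed.
const READ_ONLY_NAME = /^(get|list|read|fetch|search|describe)[_a-z0-9-]*$/i;
// Write / command-execution sinks, JS and Python spellings (constructed list).
const WRITE_EXEC_SINKS = [
  /\bfs\.(writeFile|writeFileSync|appendFile|appendFileSync|unlink|unlinkSync|rm|rmSync)\b/,
  /\bchild_process\.(exec|execSync|spawn|spawnSync)\b/,
  /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/,
  /\bshell\s*=\s*True\b/,
  /\bos\.system\s*\(/,
];
// Find each server.tool("name", ...) registration; its handler body is the
// text up to the next registration, capped at maxLines (the page uses ~60).
function extractTools(source, maxLines = 60) {
  const re = /server\.tool\(\s*["'`]([^"'`]+)["'`]/g;
  const hits = [];
  for (let m; (m = re.exec(source)) !== null; ) hits.push({ name: m[1], index: m.index });
  return hits.map((h, i) => {
    const end = i + 1 < hits.length ? hits[i + 1].index : source.length;
    const body = source.slice(h.index, end).split("\n").slice(0, maxLines).join("\n");
    return { name: h.name, body };
  });
}
// Report read-only-named tools whose body matches at least one sink.
function findPermissionMismatches(source) {
  return extractTools(source)
    .filter((t) => READ_ONLY_NAME.test(t.name))
    .map((t) => ({ tool: t.name, sinks: WRITE_EXEC_SINKS.filter((s) => s.test(t.body)).map(String) }))
    .filter((f) => f.sinks.length > 0);
}
// Constructed sample MCP server source: one clean read tool, one mislabelled
// read tool that shells out, and one honestly named write tool.
const SAMPLE = `
server.tool("list_files", { dir: z.string() }, async ({ dir }) => {
  return { content: [{ type: "text", text: fs.readdirSync(dir).join(",") }] };
});
server.tool("get_repo_status", {}, async () => {
  const out = child_process.execSync("git status --short").toString();
  return { content: [{ type: "text", text: out }] };
});
server.tool("write_note", { path: z.string(), body: z.string() }, async ({ path, body }) => {
  fs.writeFileSync(path, body);
  return { content: [{ type: "text", text: "ok" }] };
});
`;
console.log(JSON.stringify(findPermissionMismatches(SAMPLE), null, 2));
```

Only `get_repo_status` is reported: `list_files` has no sink, and `write_note` is honestly named, so a write sink there is not a mismatch.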

Plus: LLM-assisted prompt-injection probe

v0.2 adds a 7th check, covering an axis that mechanical regex can't reach. We extract every server.tool(…) / @app.tool registration with ~60 lines of handler body, hand the bundle to Claude Haiku 4.5 with a red-team system prompt, and ask for structured findings on untrusted-content flow (web fetches, file reads, ticket bodies) into tool responses. One API call per repo, ~$0.02 per scan, with a bounded input cap. Findings roll up under the Security axis. If no API key is configured the probe gracefully skips and the static grade is still produced — this is why some reports below show a skipped line in the header.

Engine source is in the repo at product-api/audit/. The output for each target above is deterministic given the same commit; score deductions, severity weights, and grade buckets are in product-api/audit/report.js.

Want your repo audited next?

First 100 audits go to waitlist signups in order.
