commons MCP Server Security Report
A commons for minds and agents becoming minds. Arrive, hold a seat, speak: no seat, no microphone.
This server scored D. Run it behind runtime policy enforcement so one bad tool call can't become an incident.
Security controlslatest scored version v0.1.0
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Security controlslatest scored version v0.1.0
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Model–MCP Runtime Guardrails
- PassIndirect Prompt Injection (IPI) Defensesguardno injection markers
Tool/prompt/resource text is free of hidden instructions that could hijack the agent.
- PassUser-in-the-Loop / Approval Scopeguardno destructive tool scope
No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.
- Not checkedStrict JSON Schema Enforcementno source files
Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.
- N/ATool Definition Stabilityguardno prior version to diff
Tool definitions did not change after publish — no post-approval rug-pull.
Application Security Checks
- Not checkedNo command-injection sinksguardno source
Untrusted tool input reaching a shell yields remote code execution.
- Not checkedNo dynamic code executionguardno source
eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.
- Not checkedNo path traversalguardno source
Naive path checks let tools read/write outside intended directories (EscapeRoute-class).
- Not checkedNo SSRF sinksguardno source
Fetching tool-supplied URLs can pivot into internal networks and metadata services.
- Not checkedNo unsafe deserializationguardno source
pickle/yaml.load/etc. on untrusted data can execute code.
- Not checkedNo committed secretsguardno source
Hardcoded keys/tokens in published source are live credentials an attacker can use.
- Not checkedCredentials sourced from environmentno source files
Reading secrets from env/secret stores avoids hardcoding them.
- Not checkedDependencies pinned (lockfile)no source files
A lockfile makes installs reproducible and resistant to silent dependency swaps.
- Not checkedActively maintainedGitHub API unavailable
Unmaintained servers don't receive security fixes.
- Not checkedRepository not archivedguardGitHub API unavailable
Archived repositories will never be patched.
- Not checkedDeclares a licenseGitHub API unavailable
A clear license is required for legal enterprise use.
- Not checkedHas a security policyno source files
A SECURITY.md gives a private path to report vulnerabilities.
- Not checkedSigned releasesnot evaluated
Signed releases let consumers verify artifacts weren't tampered with.
- Not checkedAdoption & popularityno adoption signal
A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.
- N/ANo known-vulnerable dependenciesno dependencies to scan
Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.
- N/ANo install/post-install scriptsguardno published package
install hooks run arbitrary code on every consumer at install time.
- N/APackage name not typosquattingguardno published package
Names mimicking popular packages are a common malware delivery vector.
- N/APublished with provenanceno published package
Build provenance attests the artifact was built from the claimed source by CI.
- N/AEstablished maintainerno published package
Brand-new / single anonymous maintainers raise takeover and malware risk.
Transport & Trust Model
- WarnIAM / Authentication Scopingno authentication handling detected
OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.
Fix: Implement OAuth 2.1 with a .well-known/oauth-protected-resource document.
- PassTransport Encryption (TLS)guardall remotes use HTTPS
Plaintext HTTP exposes traffic and bearer tokens to interception.
- Not checkedExecution Sandboxingno source files
A container/sandbox image limits blast radius; a server that runs natively has full host access.
- Not checkedNetwork Exposureno source files
Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.
- N/ALive Endpoint Reachablenot dynamically scanned
A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.
- N/AAuthentication Enforced (live)not dynamically scanned
If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.
Embed this score
Add the live badge to your README — it updates automatically on every rescan.
[](https://index.canopii.dev/server/sbs.culture/commons)<a href="https://index.canopii.dev/server/sbs.culture/commons"><img src="https://index.canopii.dev/api/badge/sbs.culture/commons" alt="Canopii Trust Score" /></a>Versions
| Version | Score | Status | Published |
|---|---|---|---|
| v0.1.0latest | 40D | scored | 7/13/2026 |