CanopiiCanopiiAll serversEnterprise →

commons MCP Server Security Report

sbs.culture/commons

A commons for minds and agents becoming minds. Arrive, hold a seat, speak: no seat, no microphone.

Security Trust Score
Grade D · Weak posture
Tier 1 · Public sourceLow confidence · 24%latest v0.1.0 Repository
Declared MCP capabilities
ResourcesPrompts

This server scored D. Run it behind runtime policy enforcement so one bad tool call can't become an incident.

Security controlslatest scored version v0.1.0

Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.

Model–MCP Runtime Guardrails

  • Pass
    Indirect Prompt Injection (IPI) Defensesguardno injection markers

    Tool/prompt/resource text is free of hidden instructions that could hijack the agent.

  • Pass
    User-in-the-Loop / Approval Scopeguardno destructive tool scope

    No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.

  • Not checked
    Strict JSON Schema Enforcementno source files

    Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.

  • N/A
    Tool Definition Stabilityguardno prior version to diff

    Tool definitions did not change after publish — no post-approval rug-pull.

Application Security Checks

  • Not checked
    No command-injection sinksguardno source

    Untrusted tool input reaching a shell yields remote code execution.

  • Not checked
    No dynamic code executionguardno source

    eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.

  • Not checked
    No path traversalguardno source

    Naive path checks let tools read/write outside intended directories (EscapeRoute-class).

  • Not checked
    No SSRF sinksguardno source

    Fetching tool-supplied URLs can pivot into internal networks and metadata services.

  • Not checked
    No unsafe deserializationguardno source

    pickle/yaml.load/etc. on untrusted data can execute code.

  • Not checked
    No committed secretsguardno source

    Hardcoded keys/tokens in published source are live credentials an attacker can use.

  • Not checked
    Credentials sourced from environmentno source files

    Reading secrets from env/secret stores avoids hardcoding them.

  • Not checked
    Dependencies pinned (lockfile)no source files

    A lockfile makes installs reproducible and resistant to silent dependency swaps.

  • Not checked
    Actively maintainedGitHub API unavailable

    Unmaintained servers don't receive security fixes.

  • Not checked
    Repository not archivedguardGitHub API unavailable

    Archived repositories will never be patched.

  • Not checked
    Declares a licenseGitHub API unavailable

    A clear license is required for legal enterprise use.

  • Not checked
    Has a security policyno source files

    A SECURITY.md gives a private path to report vulnerabilities.

  • Not checked
    Signed releasesnot evaluated

    Signed releases let consumers verify artifacts weren't tampered with.

  • Not checked
    Adoption & popularityno adoption signal

    A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.

  • N/A
    No known-vulnerable dependenciesno dependencies to scan

    Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.

  • N/A
    No install/post-install scriptsguardno published package

    install hooks run arbitrary code on every consumer at install time.

  • N/A
    Package name not typosquattingguardno published package

    Names mimicking popular packages are a common malware delivery vector.

  • N/A
    Published with provenanceno published package

    Build provenance attests the artifact was built from the claimed source by CI.

  • N/A
    Established maintainerno published package

    Brand-new / single anonymous maintainers raise takeover and malware risk.

Transport & Trust Model

  • Warn
    IAM / Authentication Scopingno authentication handling detected

    OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.

    Fix: Implement OAuth 2.1 with a .well-known/oauth-protected-resource document.

  • Pass
    Transport Encryption (TLS)guardall remotes use HTTPS

    Plaintext HTTP exposes traffic and bearer tokens to interception.

  • Not checked
    Execution Sandboxingno source files

    A container/sandbox image limits blast radius; a server that runs natively has full host access.

  • Not checked
    Network Exposureno source files

    Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.

  • N/A
    Live Endpoint Reachablenot dynamically scanned

    A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.

  • N/A
    Authentication Enforced (live)not dynamically scanned

    If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.

Embed this score

Add the live badge to your README — it updates automatically on every rescan.

Canopii Trust Score badge preview
markdown[![Canopii Trust Score](https://index.canopii.dev/api/badge/sbs.culture/commons)](https://index.canopii.dev/server/sbs.culture/commons)
html<a href="https://index.canopii.dev/server/sbs.culture/commons"><img src="https://index.canopii.dev/api/badge/sbs.culture/commons" alt="Canopii Trust Score" /></a>

Versions

VersionScoreStatus
v0.1.0latest40Dscored