mcp-audit
mcp-audit
Get your server added to the mcp-audit registry. Once listed, every developer who
runs mcp-audit vet gets a verdict before installing — and you get a badge for your README.
Your server appears in mcp-audit vet output — verified status, capabilities,
CVE history, typosquat detection. Developers see it before they install.
A live Shields.io badge you can put in your README. It shows your verification status and updates automatically when your CVE history changes.
A dedicated verdict page at mcp-audit.dev/servers/npm/your-server/ with
full facts, CVE table, and capability breakdown.
| Field | Required? | Notes |
|---|---|---|
| Package name | ✓ Required | npm package name (e.g. @modelcontextprotocol/server-filesystem) or PyPI package name |
| Ecosystem | ✓ Required | npm or pypi |
| Repository URL | ✓ Required | Public GitHub / GitLab repo |
| Maintainer / org | Optional | Name shown on the verdict page |
| Capabilities | Optional | What the server can do: file_read, network, etc. We'll fill these in from source review if blank. |
| Known CVEs to exclude | Optional | CVEs that apply to a dependency, not this package specifically |
Open a GitHub issue using the registry submission template. We review within 7 days; most submissions are processed in 1–2 days.
Open registry submission issue →
You'll need a GitHub account. The template guides you through each field.
We review the package, add it to registry/known-servers.json in the mcp-audit repo,
and rebuild this site. Your verdict page and badge endpoint go live with the next build (usually same
day). You'll get a comment on the issue when it's done.
We do not add servers that are: abandoned (last commit > 2 years), known malicious, or not publicly available on npm or PyPI.
There are currently 83 servers in the registry. Browse all verdicts →