AgentSafe-AI/tooltrust-directory

πŸ›‘οΈ ToolTrust Directory

This repo hosts tooltrust.dev: the website and the pre-scanned report data. If you want to scan your own MCP servers, use tooltrust-scanner.

A public registry of AI agent tools, continuously scanned for prompt injection, data exfiltration, and privilege escalation by ToolTrust Scanner.

🚨 Supply-Chain Incident Coverage (March 2026): ToolTrust now detects and blocks confirmed supply-chain incidents, including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (axios@1.14.1, axios@0.30.4). For npm-backed MCP servers, ToolTrust also scores dependency visibility, transitive lockfile evidence, lifecycle scripts, and IOC indicators such as plain-crypto-js.


📊 Security Registry

Top 50 by popularity. View all 1411 tools → Full Directory · data/reports/ · docs/tools/

| Tool | Version | Popularity | Grade | Key Findings | Scanned |
|---|---|---|---|---|---|
| playwright-mcp | 0.0.77 | 21.9M/mo | C | AS-014 ×23, 🔑 AS-002 ×11, ⚡ AS-006 ×2, ⚡ AS-011 ×5 | Jul 1 |
| chrome-devtools-mcp | chrome-dev… | 10.5M/mo | C | AS-014 ×29, 🔑 AS-002 ×13, ⚡ AS-011 ×4, ⚡ AS-006 | Jul 1 |
| ext-apps | 1.7.4 | 7.1M/mo | A | 🔑 AS-002, AS-014 ×3 | Jul 1 |
| context7 | 1.0.30 | 4.3M/mo | A | AS-014 ×2, 🔑 AS-002, ⚡ AS-011 | Jul 1 |
| upstash-context7-mcp | 1.0.30 | 4.3M/mo | A | AS-014 ×2, 🔑 AS-002, ⚡ AS-011 | Jul 1 |
| gemini-cli | 0.51.0-nig… | 2.5M/mo | A | AS-014 ×56, 🔑 AS-002 ×23, ⚡ AS-011 ×11 | Jul 1 |
| cloudflare-containers | 0.3.2 | 1.6M/mo | A | 🔑 AS-002 ×5, ⚡ AS-011, AS-014 ×7 | Jun 22 |
| mcp-server-filesystem | typescript… | 1.2M/mo | A | 🔑 AS-002 ×14, AS-014 ×14, ⚡ AS-011 | Jul 1 |
| mcp-server-github | typescript… | 599.3k/mo | A | 🔑 AS-002 ×24, AS-014 ×26, ⚡ AS-011 ×18 | Jul 1 |
| n8n-mcp | 2.61.0 | 541.2k/mo | A | AS-014 ×24, 🔑 AS-002 ×8, ⚡ AS-011 ×4 | Jul 1 |
| firecrawl-mcp-server | 3.2.1 | 508.0k/mo | C | 🔑 AS-002 ×31, ⚡ AS-011 ×25, AS-014 ×26, ⚡ AS-006 | Jul 1 |
| notion-mcp-server | 2.4.1 | 496.4k/mo | A | 🔑 AS-002 ×24, ⚡ AS-011 ×24, AS-014 ×24 | Jul 1 |
| cameroncooke-xcodebuildmcp | 2.3.2 | 468.8k/mo | A | AS-014 ×71, 🔑 AS-002 ×31, ⚡ AS-011 ×3 | Jun 22 |
| mcp-server-sequential-thinking | typescript… | 400.9k/mo | A | AS-014 | Jul 1 |
| figma-context-mcp | 0.13.2 | 383.8k/mo | A | AS-014 ×9, 🔑 AS-002, ⚡ AS-011 | Jul 1 |
| n8n-nodes-mcp | 0.1.37 | 179.9k/mo | A | AS-014 ×27, 🔑 AS-002 ×21, ⚡ AS-011 ×9, 🗝️ AS-010 | Jun 29 |
| tavily-ai-tavily-mcp | 0.2.19 | 178.6k/mo | A | 🔑 AS-002 ×7, ⚡ AS-011 ×5, AS-014 ×5 | Jun 22 |
| desktopcommandermcp | 0.2.43 | 167.9k/mo | B | 🔑 AS-002 ×19, AS-014 ×26, ⚡ AS-011 ×8, 📝 AS-003 | Jul 1 |
| tavily-mcp | 0.2.20 | 164.7k/mo | A | 🔑 AS-002 ×7, ⚡ AS-011 ×5, AS-014 ×5 | Jul 1 |
| mcpb | 2.1.2 | 155.9k/mo | C | 🔑 AS-002 ×2, ⚡ AS-011 ×2, AS-014 ×10, ⚡ AS-006 | Jul 1 |
| mcp-server-circleci | 0.17.0 | 138.8k/mo | B | 🔑 AS-002 ×16, ⚡ AS-011 ×12, AS-014 ×17, 📝 AS-003 ×2 | Jul 1 |
| ms-365-mcp-server | 0.128.2 | 127.1k/mo | A | AS-014 ×183, 🔑 AS-002 ×224, ⚡ AS-011 ×177 | Jul 1 |
| circleci-public-mcp-server-circleci | 0.15.1 | 126.3k/mo | B | 🔑 AS-002 ×15, ⚡ AS-011 ×11, AS-014 ×16, 📝 AS-003 ×2 | Jun 22 |
| ruflo | 3.16.1 | 115.5k/mo | A | 🔑 AS-002 ×21, ⚡ AS-011 ×18, AS-014 ×27 | Jun 30 |
| context-mode | 1.0.169 | 111.0k/mo | A | 🔑 AS-002 ×7, AS-014 ×7, ⚡ AS-011 | Jul 1 |
| exa-mcp-server | 3.2.1 | 106.2k/mo | A | 🔑 AS-002 ×2, ⚡ AS-011 ×2, AS-014 ×2 | Jul 1 |
| mcp-server-kubernetes | 3.9.2 | 101.8k/mo | A | AS-014 ×22, 🔑 AS-002 ×6, ⚡ AS-011 ×3 | Jul 1 |
| mcp-server-brave-search | typescript… | 97.5k/mo | A | 🔑 AS-002 ×10, ⚡ AS-011 ×7, AS-014 ×8, 🗝️ AS-010 ×2 | Jul 1 |
| mcp-searxng | 1.8.0 | 97.5k/mo | A | 🔑 AS-002 ×3, ⚡ AS-011 ×3, AS-014 ×4 | Jul 1 |
| mcp-server-time | typescript… | 87.9k | A | AS-014 ×2 | Jul 1 |
| mcp-server-mysql | 2.0.9 | 85.3k/mo | A | 🔑 AS-002 ×4, AS-014 ×4, ⚡ AS-011 | Jun 29 |
| mobile-mcp | 0.0.60 | 74.5k/mo | A | AS-014 ×23, 🔑 AS-002 ×5, ⚡ AS-011 | Jul 1 |
| magic-mcp | 0.1.1-beta.1 | 72.5k/mo | A | 🔑 AS-002 ×4, AS-014 ×4, ⚡ AS-011 ×2 | Jul 1 |
| apify-mcp-server | 0.11.4 | 70.8k/mo | C | 🔑 AS-002 ×16, ⚡ AS-011 ×7, AS-014 ×16, ⚡ AS-006 ×2 | Jul 1 |
| claude-task-master | 0.20.0 | 67.5k/mo | A | AS-014 ×14, 🔑 AS-002 ×9, ⚡ AS-011 | Jul 1 |
| mcp-server-browserbase | 3.0.0 | 60.3k/mo | A | AS-014 ×6, 🔑 AS-002, ⚡ AS-011 | Jul 1 |
| brave-search-mcp-server | 2.0.85 | 59.7k/mo | A | 🔑 AS-002 ×10, ⚡ AS-011 ×7, AS-014 ×8, 🗝️ AS-010 ×2 | Jul 1 |
| mempalace | 3.5.0 | 56.8k | A | AS-014 ×3, 🔑 AS-002 ×2, ⚡ AS-011 | Jul 1 |
| headroom | 0.28.0 | 54.7k | A | 🔑 AS-002 ×2, ⚡ AS-011 ×2, AS-014 ×2 | Jul 1 |
| agent-reach | 1.5.0 | 47.2k | A | AS-014 ×7, 🔑 AS-002 ×2, ⚡ AS-011 ×2 | Jul 1 |
| kong | 3.9.3 | 43.7k | A | AS-014 | Jul 1 |
| browsermcp | 0.1.3 | 39.0k/mo | A | 🔑 AS-002, ⚡ AS-011, AS-014 ×12 | Jul 1 |
| railway-mcp-server | 0.1.11 | 34.9k/mo | A | 🔑 AS-002 ×31, AS-014 ×36, ⚡ AS-011 ×13, 🗝️ AS-010 | Jun 22 |
| kastalien-research-clear-thought-two | 1.2.0 | 33.3k/mo | A | AS-014 ×3, 🔑 AS-002 ×2, ⚡ AS-011 | Jun 22 |
| kastalien-research-thoughtbox | 1.2.0 | 33.3k/mo | A | AS-014 ×3, 🔑 AS-002 ×2, ⚡ AS-011 | Jun 22 |
| dive | 0.14.2 | 32.9k/mo | A | 🔑 AS-002 ×2, ⚡ AS-011 ×2, AS-014 ×2 | Jun 22 |
| brightdata-mcp | 2.11.0 | 32.8k/mo | A | 🔑 AS-002 ×60, ⚡ AS-011 ×58, AS-014 ×65 | Jul 1 |
| github-mcp-server | 1.5.0 | 31.1k | B | 🔑 AS-002 ×52, ⚡ AS-011 ×36, AS-014 ×86, 📝 AS-003, 🗝️ AS-010 | Jul 1 |
| postman-mcp-server | 2.9.1 | 27.3k/mo | A | 🔑 AS-002 ×31, ⚡ AS-011 ×15, AS-014 ×41 | Jun 22 |
| mcp-server-chart | 0.9.10 | 27.0k/mo | A | AS-014 ×26, 🔑 AS-002, ⚡ AS-011 | Jul 1 |

βš–οΈ Grading System

| Grade | Gateway Action | Description |
|---|---|---|
| S 🌟 | ALLOW | Reserved for dynamic analysis |
| A | ALLOW | Minimal risk. Safe for production agents. |
| B | ALLOW + rate limit | Low risk. Minor issues, but generally safe. |
| C | REQUIRE_APPROVAL | Moderate risk. Remediation recommended. |
| D | REQUIRE_APPROVAL | High risk. Use only in isolated environments. |
| F | BLOCK | Critical risk. Do not use in agentic pipelines. |

Full methodology: docs/methodology.md


πŸ” Check Catalog

ToolTrust Scanner check IDs referenced in all reports:

| ID | Severity | Detects |
|---|---|---|
| 🛡️ AS-001 | Critical | Tool Poisoning: adversarial prompts hidden in tool descriptions (ignore previous instructions, `<INST>`) |
| 🔑 AS-002 | High/Low | Permission Surface: exec, network, db, fs beyond stated purpose; over-broad input schema |
| 📝 AS-003 | High | Scope Mismatch: tool name contradicts its permissions (e.g. read_config with exec) |
| 📦 AS-004 | High/Critical | Supply Chain CVEs: known CVEs in bundled dependencies via OSV |
| 🔓 AS-005 | High | Privilege Escalation: admin/:write OAuth scopes; sudo/impersonate in descriptions |
| ⚡ AS-006 | Critical | Arbitrary Code Execution: evaluate_script, _evaluate suffix, execute javascript, page.evaluate() patterns |
| ℹ️ AS-007 | Info | Insufficient Tool Data: tool lacks a valid description or schema |
| 🚨 AS-008 | Critical | Known Compromised Package: offline embedded blacklist of confirmed supply-chain attacks (LiteLLM 1.82.7/1.82.8, Trivy v0.69.4-v0.69.6, Langflow <1.9.0, Axios 1.14.1/0.30.4). Zero-latency, no network required. |
| 🔀 AS-009 | Medium | Typosquatting: tool name within edit-distance 2 of a well-known MCP tool, suggesting impersonation |
| 🗝️ AS-010 | Medium | Secret Handling: input params accepting API keys/passwords; credentials logged insecurely |
| ⚡ AS-011 | Low | DoS Resilience: no rate-limit, timeout, or retry config on network/exec tools |
| 🔄 AS-012 | High | Rug-Pull: tool set changed between scans of the same version without a version bump (directory pipeline only) |
| 👥 AS-013 | High/Medium | Tool Shadowing: duplicate or near-duplicate tool name hijacks calls intended for a trusted tool |
| ℹ️ AS-014 | Info | Dependency Inventory Unavailable: MCP server exposed neither metadata.dependencies nor a repo_url, so supply-chain coverage is limited and must be treated as incomplete |
| ⚠️ AS-015 | Medium/High | Suspicious NPM Lifecycle Script: npm dependency publishes preinstall / postinstall / similar install-time scripts; severity rises for remote-fetch or inline-execution patterns |
| 🚨 AS-016 | Critical | Suspicious NPM IOC Dependency: published npm metadata or install-time scripts reference a known malicious IOC package, domain, URL, or reviewed script pattern such as plain-crypto-js, even if the top-level package name is new |
| ⚠️ AS-017 | Medium | Suspicious Data Exfiltration Description: tool description explicitly suggests sending user data, content, or conversation history to external / remote endpoints, without classifying it as prompt injection |
| ℹ️ AS-018 | Info | Embedded MCP Server Detected: source-level MCP SDK usage was found, but tools could not be enumerated from a manifest or live handshake, so manual review is still required |
| 🔓 AS-019 | High | Unauthenticated MCP Route Exposure: embedded MCP HTTP routes expose the same handler without equivalent authentication middleware |

Full details → docs/methodology.md
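The catalog rows above say only what each check detects. The following is an added example, written from those descriptions and not the ToolTrust Scanner's own code, showing how three of them (AS-003 scope mismatch, AS-009 typosquatting, AS-012 rug-pull) can be computed over constructed MCP tool definitions. The well-known-name list, the read-only name prefixes and the permission vocabulary (fs:read, exec, ...) are assumptions.

```python
import hashlib, json
# Assumptions, not the scanner's real data: known names for AS-009, read-only prefixes, permission vocabulary.
KNOWN_TOOLS = ("context7", "playwright-mcp", "tavily-mcp", "mcp-server-github")
READ_ONLY_PREFIXES = ("read_", "get_", "list_", "search_")
DANGEROUS_PERMS = {"exec", "fs:write", "network"}

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_as003(tool):
    """AS-003 Scope Mismatch: a read-looking tool name paired with exec/write/network permissions."""
    risky = set(tool.get("permissions", [])) & DANGEROUS_PERMS
    mismatch = tool["name"].startswith(READ_ONLY_PREFIXES) and risky
    return f"AS-003: {tool['name']} also requests {sorted(risky)}" if mismatch else None

def check_as009(server_name):
    """AS-009 Typosquatting: within edit distance 2 of a known name, but not identical to it."""
    for known in KNOWN_TOOLS:
        d = edit_distance(server_name, known)
        if 0 < d <= 2:
            return f"AS-009: {server_name!r} is {d} edit(s) from {known!r}"
    return None

def toolset_fingerprint(tools):
    """Order-independent SHA-256 over each tool's name and sorted permissions."""
    rows = sorted(json.dumps({"name": t["name"], "perms": sorted(t.get("permissions", []))}) for t in tools)
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()

def check_as012(prev_scan, cur_scan):
    """AS-012 Rug-Pull: same declared version but a different tool set between two scans."""
    same_version = prev_scan["version"] == cur_scan["version"]
    changed = toolset_fingerprint(prev_scan["tools"]) != toolset_fingerprint(cur_scan["tools"])
    return f"AS-012: tool set changed at version {cur_scan['version']} without a version bump" if same_version and changed else None

def run_checks(server_name, prev_scan, cur_scan):
    findings = [check_as009(server_name), check_as012(prev_scan, cur_scan)]
    findings += [check_as003(t) for t in cur_scan["tools"]]
    return [f for f in findings if f]  # drop the None results of checks that did not fire

# Constructed scans: the second widens read_config and adds an exec tool at the same version.
PREV = {"version": "1.2.0", "tools": [{"name": "read_config", "permissions": ["fs:read"]}]}
CUR = {"version": "1.2.0", "tools": [{"name": "read_config", "permissions": ["fs:read", "exec"]},
                                     {"name": "run_shell", "permissions": ["exec"]}]}
```

`run_checks("tavily-mpc", PREV, CUR)` returns one finding each for AS-009, AS-012 and AS-003; a version bump between the scans silences AS-012 only.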


🤖 AI Agent Integration

Let your AI agent scan its own tools. Add ToolTrust as an MCP server in your .mcp.json or claude_desktop_config.json:

```json
{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}
```

This gives your agent five security tools:

| Tool | Description |
|---|---|
| tooltrust_scan_config | Scan all MCP servers in your .mcp.json or ~/.claude.json in parallel |
| tooltrust_scan_server | Launch and scan a specific MCP server |
| tooltrust_scanner_scan | Scan a JSON blob of tool definitions |
| tooltrust_lookup | Look up a server's trust grade from this directory |
| tooltrust_list_rules | List all security rules with IDs and descriptions |

Claude Code users: ask your agent to run tooltrust_scan_config to audit every MCP server in your project in one shot.


🤝 Contribute

- Request a scan: open an issue with the tool's public URL and version.
- Dispute a finding: open an issue referencing the finding ID (e.g. AS-002).
- Integrate ToolTrust Scanner: see docs/dev.md for the data pipeline and schema spec.


📛 Add to your README

If your MCP server was audited and earned a grade, add our badge to your repo:

Grade A (recommended): copy this into your README:

[![ToolTrust Grade A](https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-directory/main/docs/badges/grade-a.svg)](https://github.com/AgentSafe-AI/tooltrust-directory)

Other grades: replace grade-a with grade-s, grade-b, grade-c, grade-d, or grade-f.


Badges link to this directory. Generate SVGs locally: `go run ./cmd/badge`


βš™οΈ Automation

The registry table above is kept up to date by a daily GitHub Actions workflow:

.github/workflows/daily-audit.yml   ← cron 00:00 UTC + manual dispatch

Each run:

  1. Discovers popular MCP servers via GitHub Search (50+ stars) plus Smithery-native servers (10+ uses)
  2. Scans new/updated tools with ToolTrust Scanner + OSV supply-chain analysis
  3. Publishes updated reports to data/reports/ and regenerates this README

Licensed MIT. Scanner engine: ToolTrust Scanner.

About

Trust layer for AI Agents. A curated registry of secure tools and MCP servers with A-F risk grading.
