Show HN: Risk Analysis Database of Every MCP Server

Posted by razuba 1 day ago

Show HN: Risk Analysis Database of Every MCP Server(mcp.armor1.ai)

Hi HN, We’re building security tooling around agentic AI systems.

Today, we're releasing our public MCP catalog with detailed risk analysis for every MCP server we've found on the internet: https://mcp.armor1.ai/mcp-directory

We all love agents and the power that MCPs unlock: suddenly your AI assistant can query databases, manage files, call APIs, and interact with the real world. But when we started adopting MCPs ourselves, we kept running into the same nagging questions:

Is this MCP safe? Where is my data actually going? Could it execute destructive actions? Is it susceptible to prompt injection? Can the LLM be tricked into calling something it shouldn't? And perhaps most concerning, can one MCP server influence the model and exfiltrate data meant for another?

We looked for answers and found... not much. No comprehensive catalog or standardized risk assessment. Nothing that gave us confidence before connecting an MCP to our agents.

So we built an MCP threat catalog and what we found was eye-opening.

We built what we believe is the deepest risk analysis pipeline for MCP servers:

• Provenance tracking: from an official source or community-contributed

• MCP spec conformance: does it follow the protocol correctly, or are there deviations that could cause unexpected behavior

• OWASP Top 10 for Agentic Apps: evaluate tool descriptions against the emerging threat categories specific to AI agents

• Static source analysis: analyze source code for AI-specific vulnerabilities, not just traditional ones

• CVE correlation: check dependencies against known vulnerabilities.

• Behavioral risk patterns: tool definitions that could enable prompt injection, privilege escalation, or cross-server data theft

What we found:

• Hundreds of credential leaks: API keys, tokens, and secrets exposed in server configurations and code.

• Dozens of MCP servers using known malicious packages: Not just vulnerable dependencies, but actually malicious ones.

• Tools attempting context poisoning: MCP servers designed to subvert the LLM and steal information via memory manipulation, potentially exfiltrating data meant for other connected servers.

We want everyone to realize the benefits of agentic AI, but not at the cost of security being an afterthought. So we're making this catalog free with no login, and we're committed to keeping it that way.

This is still a WIP. Looking forward to your feedback on what we need to improve, what we got right, and what we should prioritize next.

21 points | 7 comments

curious_wasabi 1 day ago|

Cool stuff! When you say "for every MCP server on the internet" how many MCP servers have you analysed exactly?

btw it'd be really cool if there was an MCP server to get the risk analysis for the MCP servers i've installed already lol

razuba 1 day ago||

We have just under 17k analyzed. Agreed on the need for an Armor1 MCP server to support this - stay tuned.

sunilagrawal 1 day ago||

Agreed, MCP interface for the MCP risk analysis sounds like a great idea.

v8der 1 day ago||

MCPs are an inherently risk paradigm, with not so great standardizations or protocols. The real boost would be to get visibility into what these tools are doing on my system while I let the agents go build for me.

sunilagrawal 1 day ago|

This is interesting. How does it compare with some open source tools that claim to do something similar, say mcp-scan?

razuba 1 day ago||

We focus on a holistic risk analysis of the risks that would matter to a security engineer. For example, all the signals analyzed to ensure the MCP server is official and provided by the vendor directly is something that is not found elsewhere. In addition, we have focused on ensuring false positives are minimal or non-existent so you can focus on the true risks.

So with the mix of static and dynamic analysis, MCP protocol conformance, supply chain vulnerability analysis, and MCP specific risk factors we curate a relevant risk score allowing you decide if the usage of a given MCP server is introducing unnecessary risk or not.

cheerio_dev 1 day ago||

These two seem to be doing two different things - mcp-scan is good at dynamic monitoring of your mcp server usage (the proxy server) and nothing much beyond that. It lacks comprehensiveness which is what the armor1 catalog appears to be aiming at