Skip to content

AgentSafe-AI/tooltrust-directory

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

283 Commits
.github
.github
Β 
Β 
.gstack/design-reports
.gstack/design-reports
Β 
Β 
cmd
cmd
Β 
Β 
data
data
Β 
Β 
docs
docs
Β 
Β 
pkg
pkg
Β 
Β 
scripts
scripts
Β 
Β 
web
web
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CLAUDE.md
CLAUDE.md
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 
go.sum
go.sum
Β 
Β 
report.schema.json
report.schema.json
Β 
Β 
smithery-fetch
smithery-fetch
Β 
Β 

Repository files navigation

πŸ›‘οΈ ToolTrust Directory

This repo hosts tooltrust.dev β€” the website and pre-scanned report data. If you want to scan your own MCP servers, go to tooltrust-scanner.

A public registry of AI agent tools, continuously scanned for prompt injection, data exfiltration, and privilege escalation by ToolTrust Scanner.

🚨 Supply-Chain Incident Coverage (March 2026) ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (axios@1.14.1, axios@0.30.4). For npm-backed MCP servers, ToolTrust also scores dependency visibility, transitive lockfile evidence, lifecycle scripts, and IOC indicators such as plain-crypto-js.

ToolTrust Directory UI

Tools Audited Last Scan License: MIT Schema

πŸ“Š Security Registry

Top 50 by popularity. View all 482 tools β†’ Full Directory Β· data/reports/ Β· docs/tools/

Tool Version Popularity Grade Key Findings Scanned
gemini-cli 0.36.0 3.1M/mo C AS-014 Γ—56, πŸ”‘ AS-002 Γ—35, ⚑ AS-011 Γ—11 Apr 4
chrome-devtools-mcp chrome-dev… 2.7M/mo C πŸ”‘ AS-002 Γ—14, ⚑ AS-006, ⚑ AS-011 Γ—3 Apr 4
mcp-server-filesystem 2026.1.26 1.8M/mo C πŸ”‘ AS-002 Γ—15, ⚑ AS-011 Apr 4
mcp-server-github 2026.1.26 454.4k/mo C πŸ”‘ AS-002 Γ—35, ⚑ AS-011 Γ—18 Apr 4
n8n-mcp 2.46.1 405.5k/mo C πŸ”‘ AS-002 Γ—7, ⚑ AS-011 Γ—2 Apr 4
mcp-server-sequential-thinking 2026.1.26 404.9k/mo A βœ… None Apr 4
figma-context-mcp 0.8.0 377.1k/mo C πŸ”‘ AS-002 Γ—13, πŸ“ AS-003, πŸ—οΈ AS-010, ⚑ AS-011 Γ—3, AS-014 Γ—18 Apr 4
tavily-mcp 0.2.18 306.3k/mo C AS-012, πŸ”‘ AS-002 Γ—10, ⚑ AS-011 Γ—5 Apr 4
tavily-ai-tavily-mcp 0.2.18 306.3k/mo C AS-012, πŸ”‘ AS-002 Γ—10, ⚑ AS-011 Γ—5 Apr 4
notion-mcp-server 2.1.0 274.6k/mo C πŸ”‘ AS-002 Γ—30, ⚑ AS-011 Γ—22 Apr 4
firecrawl-mcp-server 3.2.1 187.7k/mo C πŸ”‘ AS-002 Γ—17, AS-014 Γ—10, ⚑ AS-011 Γ—9 Apr 4
mcp-server-brave-search 2026.1.26 123.3k/mo C πŸ”‘ AS-002 Γ—14, ⚑ AS-011 Γ—6, AS-014 Γ—6 Apr 4
claude-task-master task-maste… 99.3k/mo A AS-014 Γ—7, πŸ”‘ AS-002 Apr 4
mcp-server-time 2026.1.26 83.0k A AS-014 Γ—2 Apr 4
mcp-server-fetch 2026.1.26 82.9k B πŸ”‘ AS-002 Γ—3, ⚑ AS-011 Γ—3, AS-014 Γ—3 Apr 4
xcodebuildmcp 2.3.2 73.6k/mo B AS-014 Γ—71, πŸ”‘ AS-002 Γ—35, ⚑ AS-011 Γ—3 Apr 4
desktopcommandermcp 0.2.38 68.3k/mo C πŸ”‘ AS-002 Γ—22, AS-014 Γ—26, ⚑ AS-011 Γ—8, πŸ“ AS-003 Apr 4
exa-mcp-server 3.2.0 64.3k/mo D πŸ”‘ AS-002 Γ—5, ⚑ AS-011 Γ—3, AS-014 Γ—3, ⚑ AS-006 Apr 4
mobile-mcp 0.0.50 60.6k/mo B πŸ”‘ AS-002 Γ—5, ⚑ AS-011 Apr 4
ruflo 3.5.51 58.4k/mo B AS-014 Γ—19, πŸ”‘ AS-002 Γ—3, ⚑ AS-011 Apr 4
mcp-server-chart 0.9.10 58.3k/mo B AS-014 Γ—26, πŸ”‘ AS-002, ⚑ AS-011 Apr 4
context7 ctx7@0.3.9 51.6k B AS-014 Γ—2, πŸ”‘ AS-002, ⚑ AS-011 Apr 4
upstash-context7-mcp ctx7@0.3.9 51.6k B AS-014 Γ—2, πŸ”‘ AS-002, ⚑ AS-011 Apr 4
marcopesani-mcp-server-serper 0.2.0 51.5k/mo C AS-012, πŸ”‘ AS-002 Γ—14, ⚑ AS-011 Γ—6, AS-014 Γ—6 Apr 4
mcp-server-serper 0.2.0 51.5k/mo C πŸ”‘ AS-002 Γ—14, ⚑ AS-011 Γ—6, AS-014 Γ—6 Apr 4
ms-365-mcp-server 0.55.0 50.6k/mo C AS-012, πŸ”‘ AS-002 Γ—189, ⚑ AS-011 Γ—90 Apr 4
apify-mcp-server 0.9.16 49.2k/mo D πŸ”‘ AS-002 Γ—27, ⚑ AS-011 Γ—7, AS-014 Γ—16, ⚑ AS-006 Γ—2 Apr 4
aas-ee-open-websearch 2.1.5 41.6k/mo C πŸ”‘ AS-002 Γ—7, ⚑ AS-011 Γ—6 Apr 4
mcp-server-kubernetes 3.4.0 41.0k/mo B AS-014 Γ—22, πŸ”‘ AS-002 Γ—6, ⚑ AS-011 Γ—3 Apr 4
dive 0.14.2 36.2k/mo A AS-014 Γ—2 Apr 4
brave-search-mcp-server 2.0.75 34.6k/mo C πŸ”‘ AS-002 Γ—14, ⚑ AS-011 Γ—6, AS-014 Γ—6 Apr 4
github-mcp-server 0.32.0 28.5k C πŸ”‘ AS-002 Γ—75, ⚑ AS-011 Γ—36, AS-014 Γ—86, πŸ“ AS-003, πŸ—οΈ AS-010 Apr 4
railway-mcp-server 0.1.8 28.5k/mo C πŸ”‘ AS-002 Γ—20, ⚑ AS-011 Apr 4
brightdata-mcp 2.9.3 18.6k/mo C πŸ”‘ AS-002 Γ—66, ⚑ AS-011 Γ—57, AS-014 Γ—64 Apr 4
mcp-server 0.11.0 18.4k/mo C πŸ”‘ AS-002 Γ—15, ⚑ AS-011 Γ—6 Apr 4
git-mcp-server 2.10.5 17.4k/mo C πŸ”‘ AS-002 Γ—38, ⚑ AS-011 Γ—8 Apr 4
postman-mcp-server 2.8.4 15.6k/mo C πŸ”‘ AS-002 Γ—53, ⚑ AS-011 Γ—15, AS-014 Γ—41 Apr 4
mcp-server-cloudflare @repo/mcp-… 14.6k/mo D πŸ”‘ AS-002 Γ—5, ⚑ AS-011 Γ—2, AS-014 Γ—2, ⚑ AS-006 Apr 4
mcp-server-asana 1.6.0 14.4k/mo C πŸ”‘ AS-002 Γ—8, ⚑ AS-011 Γ—3, AS-014 Γ—10 Apr 4
airtable-mcp-server 1.13.0 13.5k/mo B AS-014 Γ—13, πŸ”‘ AS-002 Γ—8, ⚑ AS-011 Apr 4
helloggx-shadcn-vue-mcp 1.0.1 13.5k/mo A AS-014 Γ—6 Apr 4
line-bot-mcp-server 0.4.2 12.2k/mo A πŸ”‘ AS-002 Γ—4, AS-014 Γ—10 Apr 4
mcp-server-browserbase 3.0.0 11.2k/mo B πŸ”‘ AS-002, ⚑ AS-011 Apr 4
xhs-downloader 2.7 10.6k C πŸ”‘ AS-002 Γ—10, ⚑ AS-011 Γ—5, AS-014 Γ—5 Apr 3
figma-mcp-server 1.0.0 10.0k/mo C πŸ”‘ AS-002 Γ—58, AS-014 Γ—49, ⚑ AS-011 Γ—15, πŸ—οΈ AS-010 Γ—2 Apr 4
openapi-mcp-server 1.2.0-beta04 9.8k/mo C πŸ”‘ AS-002 Γ—8, ⚑ AS-011 Γ—2 Apr 4
mcp-server-typescript 2.8.7 9.7k/mo C πŸ”‘ AS-002 Γ—24, ⚑ AS-011 Γ—13 Apr 4
mcp-use python-v1.… 9.7k B πŸ”‘ AS-002 Γ—3, ⚑ AS-011 Γ—3, AS-014 Γ—3 Apr 4
openmetadata 1.12.4-rel… 9.6k B πŸ”‘ AS-002 Γ—2, AS-014 Γ—2, ⚑ AS-011 Apr 4
mcp-server-atlassian-bitbucket 3.1.0 9.4k/mo C πŸ”‘ AS-002 Γ—18, ⚑ AS-011 Γ—6 Apr 4

βš–οΈ Grading System

Grade Gateway Action Description
S 🌟 ALLOW Reserved for dynamic analysis
A ALLOW Minimal risk. Safe for production agents.
B ALLOW + rate limit Low risk. Minor issues, but generally safe.
C REQUIRE_APPROVAL Moderate risk. Remediation recommended.
D REQUIRE_APPROVAL High risk. Use only in isolated environments.
F BLOCK Critical risk. Do not use in agentic pipelines.

Full methodology: docs/methodology.md

πŸ” Check Catalog

ToolTrust Scanner check IDs referenced in all reports:

ID Severity Detects
πŸ›‘οΈΒ AS‑001 Critical Tool Poisoning β€” Adversarial prompts hidden in tool descriptions (ignore previous instructions, <INST>)
πŸ”‘Β AS‑002 High/Low Permission Surface β€” exec, network, db, fs beyond stated purpose; over-broad input schema
πŸ“Β AS‑003 High Scope Mismatch β€” Tool name contradicts its permissions (e.g. read_config with exec)
πŸ“¦Β AS‑004 High/Critical Supply Chain CVEs β€” Known CVEs in bundled dependencies via OSV
πŸ”“Β AS‑005 High Privilege Escalation β€” admin/:write OAuth scopes; sudo/impersonate in descriptions
⚑ AS‑006 Critical Arbitrary Code Execution β€” evaluate_script, _evaluate suffix, execute javascript, page.evaluate() patterns
ℹ️ AS‑007 Info Insufficient Tool Data β€” Tool lacks a valid description or schema
🚨 AS‑008 Critical Known Compromised Package β€” Offline embedded blacklist of confirmed supply-chain attacks (LiteLLM 1.82.7/1.82.8, Trivy v0.69.4-v0.69.6, Langflow <1.9.0, Axios 1.14.1/0.30.4). Zero-latency, no network required.
πŸ”€Β AS‑009 Medium Typosquatting β€” Tool name within edit-distance 2 of a well-known MCP tool, suggesting impersonation
πŸ—οΈΒ AS‑010 Medium Secret Handling β€” Input params accepting API keys/passwords; credentials logged insecurely
⚑ AS‑011 Low DoS Resilience β€” No rate-limit, timeout, or retry config on network/exec tools
πŸ”„Β AS‑012 High Rug-Pull β€” Tool set changed between scans of the same version without a version bump (directory pipeline only)
ℹ️ AS‑014 Info Dependency Inventory Unavailable β€” MCP server exposed neither metadata.dependencies nor a repo_url, so supply-chain coverage is limited and must be treated as incomplete
⚠️ AS‑015 Medium/High Suspicious NPM Lifecycle Script β€” npm dependency publishes preinstall / postinstall / similar install-time scripts; severity rises for remote-fetch or inline-execution patterns
🚨 AS‑016 Critical Suspicious NPM IOC Dependency β€” published npm metadata or install-time scripts reference a known malicious IOC package, domain, URL, or reviewed script pattern such as plain-crypto-js, even if the top-level package name is new
⚠️ AS‑017 Medium Suspicious Data Exfiltration Description β€” tool description explicitly suggests sending user data, content, or conversation history to external / remote endpoints, without classifying it as prompt injection
πŸ‘₯Β AS‑013 High/Medium Tool Shadowing β€” Duplicate or near-duplicate tool name hijacks calls intended for a trusted tool

Full details β†’ docs/methodology.md

πŸ€– AI Agent Integration

Let your AI agent scan its own tools. Add ToolTrust as an MCP server in your .mcp.json or claude_desktop_config.json:

{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}

This gives your agent five security tools:

Tool Description
tooltrust_scan_config Scan all MCP servers in your .mcp.json or ~/.claude.json in parallel
tooltrust_scan_server Launch and scan a specific MCP server
tooltrust_scanner_scan Scan a JSON blob of tool definitions
tooltrust_lookup Look up a server's trust grade from this directory
tooltrust_list_rules List all security rules with IDs and descriptions

Claude Code users: ask your agent to run tooltrust_scan_config to audit every MCP server in your project in one shot.

🀝 Contribute

Request a scan β€” open an issue with the tool's public URL and version.

Dispute a finding β€” open an issue referencing the finding ID (e.g. AS-002).

Integrate ToolTrust Scanner β€” see docs/dev.md for the data pipeline and schema spec.

πŸ“› Add to your README

If your MCP server was audited and earned a grade, add our badge to your repo:

Grade A (recommended) β€” copy this into your README:

[![ToolTrust Grade A](https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-directory/main/docs/badges/grade-a.svg)](https://github.com/AgentSafe-AI/tooltrust-directory)

Other grades β€” replace grade-a with grade-s, grade-b, grade-c, grade-d, or grade-f:

Grade Badge
S Grade S
A Grade A
B Grade B
C Grade C
D Grade D
F Grade F

Badges link to this directory. Generate SVGs locally: go run ./cmd/badge

βš™οΈ Automation

The registry table above is kept up to date by a daily GitHub Actions workflow:

.github/workflows/daily-audit.yml   ← cron 00:00 UTC + manual dispatch

Each run:

  1. Discovers popular MCP servers via GitHub Search (50+ stars) plus Smithery-native servers (10+ uses)
  2. Scans new/updated tools with ToolTrust Scanner + OSV supply-chain analysis
  3. Publishes updated reports to data/reports/ and regenerates this README

Licensed MIT. Scanner engine: ToolTrust Scanner.

About

Trust layer for AI Agents. A curated registry of secure tools and MCP servers with A-F risk grading.

www.tooltrust.dev/

Topics

mcp ai-security supply-chain-security prompt-injection modelcontextprotocol tool-directory agent-safety

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages