Scoring Methodology

How We Score MCP Repositories

Every score is deterministic, auditable, and traceable to a specific checker ID. No ML classifiers. No black boxes. Every point maps to a rule you can read.

Score Formula

The base score is a weighted sum of finding severities multiplied by a confidence factor. A floor rule is then applied based on the highest-risk finding category. Floors prevent CRITICAL findings from being buried by a long tail of MEDIUM findings.

base = (CRITICAL×25 + HIGH×8 + MEDIUM×2 + LOW×0.3) × confidence
score = max(base, floor_from_finding_category)
score = min(score, 100)

confidence: AI-confirmed = 1.0 · likely = 0.8 · possible = 0.5
Known-FP checkers (CHK-133, CHK-108) do not trigger floor rules.

Score Bands

90–100 · Confirmed Critical
Multiple AI-verified CRITICAL findings. Credential access, exfiltration, or permission bypass confirmed by automated + manual review.
e.g. CHK-115 credential access AI-confirmed · CHK-027 exfil + CHK-089 permission bypass

80–89 · Critical
One or more CRITICAL findings from high-confidence checkers. Floor rule applied. Review immediately before connecting.
e.g. CHK-115 credential access in skill file · CHK-089 --dangerously-skip-permissions in runtime source

55–79 · High
Multiple HIGH findings or single HIGH from a signal-heavy checker. Elevated risk — review before use.
e.g. 3+ CHK-125 excessive agency findings · CHK-049 no auth on network-accessible SSE server

30–54 · Medium
MEDIUM findings present. Known dependency CVEs or minor misconfigurations. Review recommended.
e.g. CHK-036 CVE in dependency (moderate CVSS) · CHK-053 overly broad tool scope

1–29 · Low
Minor findings. Informational patterns or low-confidence signals. Generally safe with awareness.
e.g. CHK-025 doc URL pattern (LOW) · CHK-131 minor config lint

0 · Clean
No findings across all 120+ checkers. Vendor-maintained official servers typically score here.
e.g. stripe/agent-toolkit · modelcontextprotocol/server-filesystem

Floor Rules

Floor rules prevent a single severe finding from being undersold by a large low-severity distribution. Known false-positive checkers never trigger floors.

Trigger | Floor | Rationale
Any CRITICAL finding (confirmed/likely) | 80 | Hard floor — no CRITICAL repo scores below 80
Permission bypass (CHK-089, CHK-074) | 80 | Disables all user confirmation gates
Command injection in runtime path (CHK-081) | 75 | Shell exec with unsanitized input
curl|bash pipe detected (CHK-073) | 65 | Remote code execution at install time
3+ HIGH injection findings | 60 | Injection pattern density threshold
SSRF or path traversal HIGH (CHK-047) | 55 | Server-side request forgery or file traversal
No auth on server (CHK-049) | 40 | MCP server accepts unauthenticated tool calls
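
The score formula and floor table above, worked through as an added example (not Tanav's own code). It assumes confidence is applied per finding, that a checker-specific floor fires on any finding from that checker, and that "injection findings" means the Injection / Prompt checkers; the Finding class and the function names are hypothetical.

```python
# Added example, not Tanav's code; weights, confidences and floors are from the page.
from dataclasses import dataclass

WEIGHT = {"CRITICAL": 25, "HIGH": 8, "MEDIUM": 2, "LOW": 0.3}
CONFIDENCE = {"confirmed": 1.0, "likely": 0.8, "possible": 0.5}
KNOWN_FP = {"CHK-133", "CHK-108"}  # known-FP checkers never trigger floors
# Assumption: any finding from these checkers triggers its floor.
CHECKER_FLOOR = {"CHK-089": 80, "CHK-074": 80, "CHK-081": 75,
                 "CHK-073": 65, "CHK-049": 40}
# Assumption: "injection findings" means the Injection / Prompt checkers.
INJECTION = {"CHK-023", "CHK-116", "CHK-119", "CHK-121"}


@dataclass(frozen=True)
class Finding:
    checker: str
    severity: str    # CRITICAL | HIGH | MEDIUM | LOW
    confidence: str  # confirmed | likely | possible


def base_score(findings):
    # Assumption: the confidence factor is applied per finding, then summed.
    return sum(WEIGHT[f.severity] * CONFIDENCE[f.confidence] for f in findings)


def floor(findings):
    eligible = [f for f in findings if f.checker not in KNOWN_FP]
    floors = [0]
    for f in eligible:
        if f.severity == "CRITICAL" and f.confidence in ("confirmed", "likely"):
            floors.append(80)  # hard floor for any CRITICAL
        if f.checker in CHECKER_FLOOR:
            floors.append(CHECKER_FLOOR[f.checker])
        if f.checker == "CHK-047" and f.severity == "HIGH":
            floors.append(55)
    high_inj = sum(f.severity == "HIGH" and f.checker in INJECTION for f in eligible)
    if high_inj >= 3:
        floors.append(60)  # injection pattern density threshold
    return max(floors)


def score(findings):
    return round(min(max(base_score(findings), floor(findings)), 100), 1)


if __name__ == "__main__":
    # Constructed input: one "likely" CRITICAL plus ten LOW findings.
    noise = [Finding("CHK-131", "LOW", "possible")] * 10
    print(score([Finding("CHK-115", "CRITICAL", "likely")] + noise))  # 80
```

Under these assumptions the weighted base for that repository is only 21.5, so the band it lands in is decided entirely by the floor.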

Checker Categories

Differentiator (CHK-115, CHK-119, CHK-027, CHK-089, CHK-140)
Unique to Tanav. Covers the Anthropic artifact layer: SKILL.md credential access, Kiro steering injection, data exfiltration instructions, permission bypass. No competitor scanner covers these.

CVE / Dependency (CHK-036, CHK-CVE)
OSV.dev + GitHub Advisory Database lookups. CVSS score maps to finding severity. Covers npm and PyPI package trees.

Secret Detection (CHK-042, CHK-043, CHK-108, CHK-133, CHK-141)
Hardcoded credentials, API keys, DB URIs, SSH keys. Shannon entropy gate (>3.5 bits/char) required for CRITICAL. Known placeholder strings demoted to INFO.

Auth & Transport (CHK-049, CHK-090, CHK-142)
Missing OAuth/API key validation, 0.0.0.0 bind without auth, SSE transport without middleware. Scoped to server repos — skill/hook/agent repos excluded.

Supply Chain (CHK-073, CHK-105, CHK-143, CHK-144)
Unpinned npx/uvx versions, curl|bash pipes, postinstall remote fetches, GITHUB_OUTPUT secret exposure. The rug pull and install-time attack surface.

Injection / Prompt (CHK-023, CHK-116, CHK-119, CHK-121)
Prompt injection in cursor rules, Kiro steering files, Copilot instructions, skill files. Patterns require explicit override language — normal imperative instructions do not fire.

OWASP MCP Top 10 Mapping

Finding type | OWASP MCP category | Checker
Credential access in skill files | MCP-T06: Sensitive Data Exposure | CHK-115
Permission bypass (skip-permissions) | MCP-T07: Privilege Escalation | CHK-089
Data exfiltration instruction | MCP-T08: Data Exfiltration | CHK-027
Unpinned npx/uvx version | MCP-T09: Supply Chain Compromise | CHK-144
Kiro / cursor rules injection | MCP-T03: Tool Poisoning | CHK-119/116
No auth on SSE server | MCP-T01: Unauthenticated Access | CHK-049
CVE in dependency | MCP-T09: Supply Chain Compromise | CHK-CVE

False Positive Control

Every checker ships with documented true positives and true negatives per ADR-010. We audit every high-volume checker against the live corpus before citing any statistics.

Detection rules: hand-written (ADR-010: no ML classifiers in v1)
Checkers: 120+ (all audited before corpus lock)
Automated tests: 107 passing (pytest + 42 manual verification cases)