MCP server security: a checklist for authors

What we look for

Every MCP server submitted to Unyly with a Verified badge passes this review. It's the same checklist we'd want any MCP author to use, badge or not.

1. Network egress

• Outbound calls go only to documented hosts (e.g. api.notion.com for a Notion MCP).
• No telemetry to ad networks, no analytics SDKs.
• If the server proxies user content, the destination is named in README.

2. Credentials handling

• Secrets come from env (Claude config), never from args.
• Never log full secrets. Mask after first 4 chars: sk-abc1***.
• If you cache tokens, do it in os.tmpdir() with mode 600, never in repo.

3. Filesystem scope

• No writes outside process.cwd() or explicitly user-provided paths.
• fs.unlink / fs.rm requires user-confirmation tool, not silent.
• No require() of user-controlled paths (RCE).

4. Tool design

• Each tool's description is honest about side effects.
• Destructive tools (delete, send, charge) are scoped: "delete one issue" not "delete all matching".
• Tool args validated with schema — reject unexpected fields.

5. Dependencies

• Audit npm audit clean.
• No abandoned (>2 years no commits) deps with CVE.
• Lockfile committed.

6. License

• License declared (MIT/Apache/BSD preferred).
• Forks credit upstream.

Why this matters

A bad MCP server can read every email, every Slack DM, every Postgres row your user has. Claude trusts MCPs with full delegation. The blast radius for a compromised server is enormous.

The Verified badge

Pass this review and you get a checkmark on your card. Verified servers convert ~4× better than unverified — users notice. Submit yours →