loading…
Search for a command to run...
loading…
▸ TL;DR
Check 4 things: 1) Source code is public and reviewed, 2) Author has reputation (verified badge on Unyly), 3) Required env vars are reasonable (no broad scopes), 4) Security scan passed. Unyly auto-runs all four for every MCP.
Open Unyly catalogVetting checklist: (1) Read the source — never install from a binary-only release. Stdio MCPs run as subprocesses with your env vars; bad code = breach. (2) Check the author. Verified badge on Unyly means we've confirmed identity. (3) Audit the required env vars — a "filesystem MCP" asking for AWS keys is suspicious. (4) Check security scan results — Unyly scans for leaked secrets in published code, suspicious deps, abnormal package size. (5) Prefer MCPs with star count or install count > 100 (community-vetted). (6) For high-stakes deployments, run MCPs in a sandbox or use Unyly's hosted runners with network restrictions.
Yes, when you use MCPs from a vetted catalog. Unyly auto-scans every MCP for leaked secrets and malicious dependencies. Avoid installing random GitHub gists without verification.
API keys are passed to the MCP server as environment variables when it starts. The MCP server reads them and uses them to call upstream APIs. The LLM never sees the raw credentials — only sees the tools they enable.
Unyly aggregates the largest MCP catalog (15,000+) from all major sources — Official Registry, npm, Smithery, PulseMCP, Glama. With one-click install, semantic search, security scans and version pinning. Free.