Compuute MCP Security Scanner
FreeNot checkedScan any public GitHub MCP-server repo for security issues. 37 MCP-specific L1 rules, 8 languages.
About
Scan any public GitHub MCP-server repo for security issues. 37 MCP-specific L1 rules, 8 languages.
README
Scan-as-a-Service for MCP servers. HTTP + MCP wrapper around compuute-scan — the MCP-specific static security scanner. Designed for agent-callable consumption.
POST a public GitHub repo URL → get a structured security report scored against 37 MCP-specific rules across 8 languages (TS/JS, Python, Go, Rust, C#, Java, Kotlin).
Honesty note (read first): compuute-scan is a pattern-breadth detector, not an exploitability oracle. Historic false-positive rate after manual validation is ~90% on raw output (verified against modelcontextprotocol/servers: 138 raw findings → 13 confirmed). Every response carries a
_disclaimerfield stating this explicitly. Use findings as a triage queue, not as a list of confirmed vulnerabilities. See docs/FP-RATES.md for per-rule transparency.
Live at https://scan.compuute.se. Service version reported by /v1/health.
Endpoints
Core scan
| Method | Path | Purpose | Auth |
|---|---|---|---|
| POST | /v1/scan |
Scan a public GitHub MCP-server repo (free tier, rate-limited) | none |
| POST | /v1/scan/pay |
Same as above via x402 micropayment ($0.10 USDC on Base L2) | X-Payment header |
| GET | /v1/scan/info |
Scanner version + limits + supported ecosystems | none |
| GET | /v1/health |
Liveness + scanner-binary availability | none |
Machine-readable contracts
| Method | Path | Purpose |
|---|---|---|
| GET | /openapi.json |
OpenAPI v3 spec with per-field descriptions |
| GET | /docs |
Swagger UI for the OpenAPI spec |
MCP server (live)
| Endpoint | Tool | Transport |
|---|---|---|
/mcp/ |
scan_mcp_server(github_url) |
Streamable HTTP |
Install in Claude Code: claude mcp add compuute-scan --transport http --url https://scan.compuute.se/mcp/
Discovery (/.well-known/)
| Path | Format | Consumer |
|---|---|---|
/.well-known/agent.json |
A2A Agent Card | Google A2A protocol |
/.well-known/agent-card.json |
A2A Agent Card (alias) | A2A clients using -card.json naming |
/.well-known/ai-plugin.json |
OpenAI plugin manifest | ChatGPT / OpenAI tools |
/.well-known/x402.json |
x402 payment manifest | Coinbase Agent.market crawlers, x402 aggregators |
/.well-known/x402 |
Alias of x402.json |
x402 probes without .json suffix |
/llms.txt |
markdown summary | LLM-driven agent-search crawlers (Exa, Perplexity-style) per llmstxt.org |
/robots.txt |
crawler policy | search engines |
/sitemap.xml |
URL index | search engines |
Example
curl -X POST https://scan.compuute.se/v1/scan \
-H 'Content-Type: application/json' \
-H 'Idempotency-Key: 00000000-0000-0000-0000-000000000001' \
-d '{"repo_url": "https://github.com/modelcontextprotocol/servers"}'
Response (truncated):
{
"repo_url": "https://github.com/modelcontextprotocol/servers",
"scanner": {"name": "compuute-scan", "version": "0.6.2", "layers_covered": ["L0", "L1"]},
"summary": {"critical": 1, "high": 94, "medium": 22, "low": 0, "files_scanned": 77},
"score": 0,
"recommendation": "AVOID — 1 critical and 94 high finding(s)...",
"top_findings": [...],
"performance": {"clone_seconds": 1.2, "scan_seconds": 0.5, "repo_size_bytes": 41234},
"_disclaimer": "PATTERN MATCH — compuute-scan is a static analyzer..."
}
Agent-shaped API features
| Feature | How |
|---|---|
| Idempotent retries (24h cache) | Idempotency-Key header |
| HTTP cache | ETag + Cache-Control: public, max-age=1800 |
| Conditional GET | If-None-Match → 304 Not Modified |
| Rate-limit headers | X-RateLimit-Limit/Remaining/Reset |
| Strict input validation | Pydantic extra="forbid", GitHub-HTTPS-only |
| OWASP security headers | HSTS / X-Frame-Options / X-Content-Type-Options / CSP / Referrer-Policy / Permissions-Policy |
| OpenAPI for discovery | GET /openapi.json with descriptions on every field |
| MCP for agent discovery | /mcp/ exposes scan_mcp_server tool |
| x402 for autonomous purchase | /v1/scan/pay returns 402 with USDC/Base payment requirements |
| Honest framing | Every response carries _disclaimer — pattern match, not exploitability claim |
Pricing
| Tier | Audience | Price |
|---|---|---|
| Open Source CLI | Indie devs, agent builders | $0 — npx compuute-scan ./repo |
| Hosted API (free) | Agent operators evaluating MCP servers | $0 — POST /v1/scan, rate-limited |
| Hosted API (x402) | Autonomous agents in Agent.market ecosystem | $0.10 USDC/scan — POST /v1/scan/pay |
| MCP Security Audit | Enterprises shipping MCP to production | $5K–$30K SoW |
| AI Procurement Risk Audit | CFO/CTO/CISO buying enterprise AI capacity | $5K–$15K SoW |
Full breakdown with JSON-LD: https://compuute.se/pricing.
Local development
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
export COMPUUTE_SCAN_PATH=$HOME/compuute-scan/compuute-scan.js
uvicorn main:app --reload
Tests
pytest tests/ -v
# 34 tests covering scan, x402, MCP, discovery, OpenAPI
Scripts
| Script | What it does |
|---|---|
scripts/precheck.sh |
Start-of-session check: branch, working tree, tests, live state, next backlog item |
scripts/postcheck.sh |
End-of-session check: committer hygiene, tests, append to docs/PROGRESS.md |
scripts/status.sh |
30-second live-state check against scan.compuute.se (4 probes) |
scripts/sbom.sh |
Generate CycloneDX SBOM, optionally upload to a GitHub Release |
scripts/prospect-research.sh |
Pull qualified prospects from GitHub + Anthropic Registry, draft DM angles |
scripts/measure-tiers.sh |
T0/T1/T2 distribution snapshot per docs/agent-economy-strategy.md §5 — reach, engagement, conversion measured against Railway logs + Base RPC + GitHub stars |
Architecture
api/services/scan.py— clone + sandbox + scan + parse. Pure functions.api/services/x402_service.py— x402 verify / settle via Coinbase facilitator.api/serializers/scan_serializer.py— Pydantic models, strict validation.api/routes/scan.py— HTTP layer for/v1/scan: idempotency, cache, ETag.api/routes/scan_x402.py— HTTP layer for/v1/scan/pay.api/routes/discovery.py—/.well-known/*,/robots.txt,/sitemap.xml.api/mcp_server.py— FastMCP server exposingscan_mcp_server.main.py— FastAPI wiring + middleware (security headers, CORS).
Bundled compuute-scan version is pinned in the Dockerfile (ARG COMPUUTE_SCAN_REF=v0.6.2).
Documentation
| Doc | For |
|---|---|
| docs/agent-economy-strategy.md | The strategic doc — a16z-verified data, the 11-signal buyer-agent model, two-track strategy, 30-day pivot trigger. Read first if you're trying to understand the company. |
| docs/STRATEGY.md | Position, pricing tiers, roadmap, decision log |
| docs/ARCHITECTURE.md | Component diagram, request flow, threat model, deployment topology |
| docs/DEVELOPMENT.md | Local setup, layout, code style, common pitfalls — onboard a new dev in 30 min |
| docs/MONITORING.md | Endpoints to watch, automated checks, runbook for failures |
| docs/FP-RATES.md | Per-rule false-positive transparency |
| docs/scan-self-triage.md | What this scanner reports when run against its own code |
| docs/whitepaper/ | MCP Security Methodology v1.0 (Markdown + PDF) |
| docs/case-studies/ | Three anonymized engagement reports from the May 2026 batch |
| docs/advisories/ | Public advisories under the COMPUUTE-YYYY-NNN numbering |
| docs/security/ | Self-pentest reports (90-day cadence) |
| docs/audits/ | The AI Procurement Risk Audit checklist (lead magnet) |
| docs/compliance/ | SOC 2 Type I readiness statement, TSC control mapping |
| docs/submissions/ | LangChain + CrewAI tool wrappers ready for PR/marketplace |
| skills/compuute-scan/ | Claude Skill package (SKILL.md + scan.sh) — submitted to anthropics/skills#1346 |
| CODE_OF_CONDUCT.md | Contributor Covenant 2.1 |
| docs/launches/ | Show HN draft + posting checklist |
| docs/setup/ | Status page (BetterStack) + analytics (PostHog) setup guides |
| docs/agentic-market-submission.md | Three paths to Coinbase Agent.market listing |
| BACKLOG.md | GitHub Issues + Project board roadmap |
| IDEAS.md | Composted product hypotheses with gating rules |
| CONTRIBUTING.md | How to contribute |
| SECURITY.md | Vulnerability disclosure policy (90-day window) |
Security
Found a vulnerability? See SECURITY.md — email [email protected]. We follow a 90-day coordinated disclosure window.
License
MIT (matches compuute-scan).
Author
Compuute AB — [email protected]
Installing Compuute MCP Security Scanner
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/Compuute/compuute-scan-apiFAQ
Is Compuute MCP Security Scanner MCP free?
Yes, Compuute MCP Security Scanner MCP is free — one-click install via Unyly at no cost.
Does Compuute MCP Security Scanner need an API key?
No, Compuute MCP Security Scanner runs without API keys or environment variables.
Is Compuute MCP Security Scanner hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Compuute MCP Security Scanner in Claude Desktop, Claude Code or Cursor?
Open Compuute MCP Security Scanner on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Compuute MCP Security Scanner with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
