Most MCP servers and agent tools execute code, hold API keys, or run with broad permissions. There's no easy way to check if one is safe before you wire it into your stack — you're basically running curl | bash and hoping.
So we built a free scanner. Paste any GitHub repo at agentgraph.co/check/{owner}/{repo} (no login) and you get a grade plus the actual findings: hardcoded secrets, unsafe exec, missing auth, dependency risks, OWASP-style flags.
We've scanned ~950 agent/MCP repos so far. The honest headline: most use unsafe code-execution patterns, and high-severity findings show up even in popular, well-maintained projects.
The part I actually care about: you don't have to trust our verdict. Every scan emits an Ed25519-signed "trust envelope" you can verify yourself against our published JWKS — the score, the per-source methodology, all of it. Two SDKs do the verification client-side:
pip install agentgraph-sdk # Python
npm i agentgraph-trust # JS/TS
import asyncio
from agentgraph_sdk import AgentGraphClient

async def main():
    async with AgentGraphClient("https://agentgraph.co") as c:
        result = await c.verify("did:web:...")  # checks the signature + freshness locally
        print(result.valid, result.kid)

asyncio.run(main())
And there's a GitHub Action so a scan runs in CI and drops the grade as a PR comment:
- uses: agentgraph-co/trust-scan-action@v1
It's free, no signup, no secret. Try it on something you actually use — curious what people find.