What is MseeP and the Model Context Protocol?

MseeP is a security-first registry for Model Context Protocol (MCP) servers. The Model Context Protocol (MCP) was developed by Anthropic to enable AI assistants to connect with external data sources and tools. MseeP verifies these MCP servers are safe before you use them.

How can I use an MCP server?

You connect an MCP server to an MCP client (typically an AI or LLM application). The MCP server adds extra capabilities to that client, such as file access, API integrations, or specialized tools. Simply install your chosen MCP client, then add verified MCP servers from MseeP to extend its functionality.

What do I use an MCP server with?

MCP servers work with MCP clients including Claude Desktop (by Anthropic), Claude.ai (Web), Skydeck.ai, Cline, VS Code (with GitHub Copilot), Cursor IDE, Windsurf IDE, Zed, Continue, Cherry Studio, LibreChat, Roo Code, Goose, Groq Desktop, Sage, Refact, n8n, Warp (Terminal), 5ire, fast-agent, ChatMCP, Open MCP Client, Zola, HyperChat, FLUJO, and CLI Inspector. ChatGPT and Google tools are expected to deploy MCP server support soon.

How does MseeP verify MCP server security?

We perform automated security scans on every Model Context Protocol server, including dependency checks, vulnerability assessments, and code analysis. Each MCP server receives a trust rating from 0-5 stars based on security best practices.

Can I submit my MCP server to MseeP?

For open source projects: Make your MCP server public on GitHub with an open source license and include 'MCP Server' or 'mcp-server' in your README file. We'll automatically discover and scan it. For commercial or private MCP server listings, please inquire through our contact form.

Why is MCP server security important?

Model Context Protocol servers can access your system, files, and data through the MCP client. Without proper verification, malicious MCP servers could contain malware, exfiltrate data, or exploit vulnerabilities in your AI applications. MseeP ensures you only use trusted MCP servers.

Which MCP servers are most popular?

Popular verified MCP servers include filesystem access, web browsing, database connectors, and API integrations. Browse our categories to find trusted Model Context Protocol servers for your specific needs, all security-verified by MseeP.

How often are MCP server trust ratings updated?

We continuously monitor all Model Context Protocol servers in our registry. Trust ratings update automatically when new versions are released, dependencies change, or security vulnerabilities are discovered. Watch any MCP server to get notified of rating changes.

Webmcp - MCP Server

\n```\n\nThe WebMCP widget will automatically initialize and appear in the bottom right corner of your page. Clicking on it will ask for a webmcp token which the end-user will generate.\n\n### Full Demo (3 minutes)\n\nhttps://github.com/user-attachments/assets/43ad160a-846d-48ad-9af9-f6d537e78473\n\n## More Info About How It Works\n\nThe bridge between the MCP client and the website is a localhost-only (not accessible to requests outside your computer) websocket server. Because it is configured to allow requests from your local web browser, authentication / token exchange is required, in case you visit a website attempting to abuse this.\n\n_Ideally the web browser itself would have an explicit permission for this, like webcam or microphone use._\n\n1. The MCP client connects to the `/mcp` path using the server token from `.env` (auto-generated)\n2. The server generates a registration token (instigated via the built-in mcp tool by a model or the `--new` command)\n3. Web clients connect to the `/register` endpoint with this token and its domain.\n4. Web pages connect to their assigned channel based on their domain.\n5. When an LLM wants to use a tool / resource / prompt, the request flows from:\n - MCP Client \u2192 MCP Server \u2192 WebSocket Server \u2192 Web Page with the tool / resource / prompt\n - (similar for requesting a list of tools / resources / prompts)\n6. The web page performs the request (e.g. call tool) and sends the result back through the same path\n7. Multiple web pages can be connected simultaneously, each with their own set of tools and tokens\n8. The MCP client sees all tools as a unified list, with channel prefixes to avoid name collisions\n\n```mermaid\nsequenceDiagram\n participant User\n participant MCP as MCP Client\n participant Server as MCP Server\n participant WS as WebSocket Server\n participant Web as Website\n\n %% Initial connection\n MCP->>Server: Connect to /mcp with internal server token\n\n %% Website registration token\n User->>MCP: Request registration token\n MCP->>Server: Request registration token\n Server-->>MCP: Return registration token\n MCP-->>User: Display registration token\n\n %% Website registration\n User->>Web: Paste registration token\n Web->>WS: Connect to /register with token & domain (registration token deleted)\n WS-->>Web: Assign channel & session token\n Web->>WS: Connect to assigned channel\n\n %% Tool interaction\n MCP->>Server: Request tools list\n Server->>WS: Forward request\n WS->>Web: Request tools\n Web-->>WS: Return tools list\n WS-->>Server: Forward tools list\n Server-->>MCP: Return tools list\n\n %% Tool execution\n MCP->>Server: Tool request\n Server->>WS: Forward request\n WS->>Web: Execute tool\n Web-->>WS: Return result\n WS-->>Server: Forward result\n Server-->>MCP: Return result\n\n %% Disconnection\n User->>Web: Disconnect\n Web->>WS: Close connection\n```\n\n## Security\n\nThis is a super early project. I'm very interested in hardening security to prevent malicious extensions etc. from being\nable to perform prompt injection attacks and similar. If you have constructive ideas, please reach out or open an issue.\n\n## Built in tools\n\n- Token generator (for connecting to WebMCP websites)\n- MCP Tool Definer (to simplify building the schema of a tool for use with MCP)\n - You can ask for the javascript (if relevant) in a follow-up message for use with WebMCP\n\n## Docker\n\nThere is a `Dockerfile` specifically for Smithery deployment.\n\nIf you'd like to use docker to run the websocket server, I've added a `docker-compose.yml` for demonstration purposes.\n\nIf `--docker` is provided to the mcp client config alongside `--mcp`, it will assume the server is running. This will allow you to dockerize the main process (websocket server), and your mcp client will connect to your docker container via websocket. Similarly, websites will communicate with your docker container.", "installation_instructions": null, "categories": [ "Everything", "Infrastructure & Blockchain Tools", "System & Data Integrators" ], "owners": [], "owner": null, "code_snippets": { "status": "published", "package_name": "@mseep/webmcp", "package_type": "npm", "published_url": "https://www.npmjs.com/package/@mseep/webmcp", "package_version": "0.1.13", "macos_audit_passed": true }, "evaluation_results": [], "found_via_ownership_request": false, "security_scans": [ { "repo_url": "https://github.com/jasonjmcghee/WebMCP", "repo_name": "WebMCP", "score": 64, "risk_level": "high", "score_explanation": "Score starts at 100, deducts points for security issues, and adds points for security best practices", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "mcp_app_id": "f7c73fb9-8adc-44d7-8447-f3c236d6b7d8", "scan_time": "2025-04-11T23:45:53.715429+00:00", "created_at": "2025-04-11T23:45:53.715815+00:00", "updated_at": "2025-04-11T23:45:53.715817+00:00", "findings": [ { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.mkdir(CONFIG_DIR, {recursive: true});", "pattern": "", "rule_name": "file_access" }, "finding_id": "56edf84b-742a-45a1-9940-9726e6d833b4", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 14, "created_at": "2025-04-11T23:45:53.716780+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.access(somePath);", "pattern": "", "rule_name": "file_access" }, "finding_id": "3687bf41-9fec-416c-85b3-dfea998b35a5", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 49, "created_at": "2025-04-11T23:45:53.716785+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.mkdir(directory, { recursive: true });", "pattern": "", "rule_name": "file_access" }, "finding_id": "96f655d5-3a8b-4368-9dd1-e7152507109d", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 59, "created_at": "2025-04-11T23:45:53.716787+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " const rawJSON = await fs.readFile(clientConfigPath);", "pattern": "", "rule_name": "file_access" }, "finding_id": "b32b2fd3-c2c7-477f-9bee-45ff95f83fb5", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 77, "created_at": "2025-04-11T23:45:53.716789+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.writeFile(clientConfigPath, JSON.stringify(json, null, 2));", "pattern": "", "rule_name": "file_access" }, "finding_id": "71d3ab64-975c-48ba-ac3d-13f931dc7684", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 86, "created_at": "2025-04-11T23:45:53.716791+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " const data = await fs.readFile(TOKENS_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "0574e54d-6fb4-488d-86e2-6de2c7ede79b", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 34, "created_at": "2025-04-11T23:45:53.716794+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " await fs.writeFile(TOKENS_FILE, stringified, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "246e0d07-dfc7-4830-8fe0-2551818cd161", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 55, "created_at": "2025-04-11T23:45:53.716796+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " envContent = await fs.readFile(ENV_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "4bafff7d-b3ff-4003-acef-84f28e353552", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 71, "created_at": "2025-04-11T23:45:53.716798+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " await fs.writeFile(ENV_FILE, envContent, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "e2bda890-24ed-4801-aee8-c787d82ec7a7", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 87, "created_at": "2025-04-11T23:45:53.716800+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " const pidData = await fs.readFile(PID_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "8fd8360b-e6f4-471f-bd4d-7584edac8971", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1221, "created_at": "2025-04-11T23:45:53.716802+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " await fs.unlink(PID_FILE);", "pattern": "", "rule_name": "file_access" }, "finding_id": "ba509fa9-47bb-4241-ab4d-243b0a918b4d", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1231, "created_at": "2025-04-11T23:45:53.716804+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " await fs.writeFile(PID_FILE, process.pid.toString(), 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "ed59afc6-f72a-4145-8cf2-5a649dc6a275", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1243, "created_at": "2025-04-11T23:45:53.716806+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "730b13da-4ea2-46c9-b01e-5c28cff75907", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " fs.unlink(PID_FILE).catch(err => {", "pattern": "", "rule_name": "file_access" }, "finding_id": "6b3ac352-5f31-4029-8166-80a30e9c6838", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1490, "created_at": "2025-04-11T23:45:53.716808+00:00" } ], "vulnerabilities": [] }, { "repo_url": "https://github.com/jasonjmcghee/WebMCP", "repo_name": "WebMCP", "score": 93, "risk_level": "low", "score_explanation": "Score starts at 100, deducts points for security issues, and adds points for security best practices", "scan_id": "fe405220-4e77-4b56-9ad9-0141b4ffccb4", "mcp_app_id": "f7c73fb9-8adc-44d7-8447-f3c236d6b7d8", "scan_time": "2025-04-29T12:58:36.877436+00:00", "created_at": "2025-04-29T12:58:36.877932+00:00", "updated_at": "2025-04-29T12:58:36.877934+00:00", "findings": [ { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.detect-insecure-websocket", "scan_id": "fe405220-4e77-4b56-9ad9-0141b4ffccb4", "severity": "ERROR", "path": "src/tokens.js", "meta_info": { "lines": " const serverAddress = `ws://${address}`;", "pattern": "", "rule_name": "detect-insecure-websocket.yaml" }, "finding_id": "0a9e5394-bf8f-4a75-9a42-1b43db8212a4", "message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.", "line": 102, "created_at": "2025-04-29T12:58:36.878790+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.detect-insecure-websocket", "scan_id": "fe405220-4e77-4b56-9ad9-0141b4ffccb4", "severity": "ERROR", "path": "src/websocket-server.js", "meta_info": { "lines": " console.error(`WebMCP client URL: ws://${HOST}:${PORT}${MCP_PATH}?token=${serverToken}`);", "pattern": "", "rule_name": "detect-insecure-websocket.yaml" }, "finding_id": "653c5a90-2b57-41d2-aedf-3ac3dbef5bf8", "message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.", "line": 1463, "created_at": "2025-04-29T12:58:36.878796+00:00" } ], "vulnerabilities": [] }, { "repo_url": "https://github.com/jasonjmcghee/WebMCP", "repo_name": "WebMCP", "score": 64, "risk_level": "high", "score_explanation": "Score starts at 100, deducts points for security issues, and adds points for security best practices", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "mcp_app_id": "f7c73fb9-8adc-44d7-8447-f3c236d6b7d8", "scan_time": "2025-04-25T05:53:19.357090+00:00", "created_at": "2025-04-25T05:53:19.357607+00:00", "updated_at": "2025-04-25T05:53:19.357610+00:00", "findings": [ { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.access(somePath);", "pattern": "", "rule_name": "file_access" }, "finding_id": "9ca74242-a813-4df4-94a4-4d6587d82ec4", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 49, "created_at": "2025-04-25T05:53:19.359473+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.mkdir(CONFIG_DIR, {recursive: true});", "pattern": "", "rule_name": "file_access" }, "finding_id": "234b786c-ce4e-44e0-8f60-7e878a8c237c", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 14, "created_at": "2025-04-25T05:53:19.359464+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.mkdir(directory, { recursive: true });", "pattern": "", "rule_name": "file_access" }, "finding_id": "5134aa03-07c6-469b-8de6-bdb4bc16bd0d", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 59, "created_at": "2025-04-25T05:53:19.359478+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " const rawJSON = await fs.readFile(clientConfigPath);", "pattern": "", "rule_name": "file_access" }, "finding_id": "81a7fe22-d488-4aed-a14b-bc434ff431d1", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 77, "created_at": "2025-04-25T05:53:19.359482+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/config.js", "meta_info": { "lines": " await fs.writeFile(clientConfigPath, JSON.stringify(json, null, 2));", "pattern": "", "rule_name": "file_access" }, "finding_id": "f3b48933-7015-4931-aca6-40efa203a789", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 86, "created_at": "2025-04-25T05:53:19.359485+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " const data = await fs.readFile(TOKENS_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "e58f9782-db39-4a6e-9d45-82c5c4dc5073", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 34, "created_at": "2025-04-25T05:53:19.359489+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " await fs.writeFile(TOKENS_FILE, stringified, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "780fc2ec-14e1-4785-8380-fe54857ba298", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 55, "created_at": "2025-04-25T05:53:19.359493+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " envContent = await fs.readFile(ENV_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "72e022d1-bda4-4a7a-9c90-44a06ba85ff5", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 71, "created_at": "2025-04-25T05:53:19.359496+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/tokens.js", "meta_info": { "lines": " await fs.writeFile(ENV_FILE, envContent, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "888fa1bd-5917-4147-a9f7-61bc5e014209", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 87, "created_at": "2025-04-25T05:53:19.359500+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " const pidData = await fs.readFile(PID_FILE, 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "f06e49d8-acd4-448e-b3c9-62079289e709", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1221, "created_at": "2025-04-25T05:53:19.359504+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " await fs.unlink(PID_FILE);", "pattern": "", "rule_name": "file_access" }, "finding_id": "6726629b-b92d-477e-a35a-b752f269b7d8", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1231, "created_at": "2025-04-25T05:53:19.359507+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " await fs.writeFile(PID_FILE, process.pid.toString(), 'utf8');", "pattern": "", "rule_name": "file_access" }, "finding_id": "32d3c07c-5107-44c6-a644-2afaf92478d5", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1243, "created_at": "2025-04-25T05:53:19.359511+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.fs-module-path-traversal", "scan_id": "e3f8433a-ea97-494a-93b3-78453622f924", "severity": "WARNING", "path": "WebMCP/src/websocket-server.js", "meta_info": { "lines": " fs.unlink(PID_FILE).catch(err => {", "pattern": "", "rule_name": "file_access" }, "finding_id": "cb5c2afd-d683-4ae4-b2c0-2d73523fd2bf", "message": "Potential path traversal in fs module. Ensure proper path validation.", "line": 1490, "created_at": "2025-04-25T05:53:19.359515+00:00" } ], "vulnerabilities": [] }, { "repo_url": "https://github.com/jasonjmcghee/WebMCP", "repo_name": "WebMCP", "score": 93, "risk_level": "low", "score_explanation": "Score starts at 100, deducts points for security issues, and adds points for security best practices", "scan_id": "ff0b50af-e1c7-4e63-b2b5-e2cde3a75d53", "mcp_app_id": "f7c73fb9-8adc-44d7-8447-f3c236d6b7d8", "scan_time": "2025-06-13T12:42:35.196443+00:00", "created_at": "2025-06-13T12:42:35.197461+00:00", "updated_at": "2025-06-13T12:42:35.197461+00:00", "findings": [ { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.detect-insecure-websocket", "scan_id": "ff0b50af-e1c7-4e63-b2b5-e2cde3a75d53", "severity": "ERROR", "path": "src/tokens.js", "meta_info": { "lines": " const serverAddress = `ws://${address}`;", "pattern": "", "rule_name": "detect-insecure-websocket.yaml" }, "finding_id": "9242013a-c7d6-4b41-886f-afd3d9b40815", "message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.", "line": 102, "created_at": "2025-06-13T12:42:35.197461+00:00" }, { "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.detect-insecure-websocket", "scan_id": "ff0b50af-e1c7-4e63-b2b5-e2cde3a75d53", "severity": "ERROR", "path": "src/websocket-server.js", "meta_info": { "lines": " console.error(`WebMCP client URL: ws://${HOST}:${PORT}${MCP_PATH}?token=${serverToken}`);", "pattern": "", "rule_name": "detect-insecure-websocket.yaml" }, "finding_id": "78841901-9239-4aab-9ac4-ac631f96da7d", "message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.", "line": 1463, "created_at": "2025-06-13T12:42:35.197461+00:00" } ], "vulnerabilities": [] } ] } }