Static security scanner for MCP servers. POST a public GitHub URL, get back severity counts, a 0-100 score, top findings with file and line, and the scanner version that produced them.
37 rules across TypeScript, JavaScript, Python, Go, Rust, C#, Java, and Kotlin — every language with an official MCP SDK. Detects argument injection for npx/uvx/pipx/pnpx runner binaries (CWE-88), known CVEs in 40+ top packages, and L0 discovery checks (transport, tool inventory, dependency pinning, license compliance).
The API shallow-clones the target repo to an ephemeral tempdir, runs the scanner in static-analysis mode (never executes target code), parses the JSON output, and wipes the tempdir.
This is a pattern detector, not an exploitability oracle. Around 90% raw false-positive rate on unfiltered output. Every response carries a disclaimer to that effect. Per-rule false-positive rates published in docs/FP-RATES.md.
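To make the CWE-88 runner-argument rule and the "pattern detector, not exploitability oracle" caveat concrete, here is an added illustrative detector (not compuute-scan's own rule code): it flags `spawn`-style calls to npx/uvx/pipx/pnpx whose argv carries a non-literal element before a `--` separator, and backtick templates that interpolate into a runner command line. The TypeScript sample it scans is constructed; names such as `pkg`, `userArg` and `toolName` are stand-ins, and the heuristic cannot tell whether a value was validated elsewhere, which is exactly why such output needs review.

```python
import re

RUNNERS = "npx|uvx|pipx|pnpx"
# spawn("npx", [ ... ]) style calls: capture the runner and the raw argv source.
SPAWN = re.compile(
    r"\b(?:spawn|spawnSync|execFile|execFileSync)\(\s*[\"'](" + RUNNERS
    + r")[\"']\s*,\s*\[([^\]]*)\]")
# Backtick template whose command word is a runner and which interpolates a value.
TEMPLATE = re.compile(r"`\s*(" + RUNNERS + r")\b[^`]*\$\{[^}]+\}[^`]*`")
STRING_LITERAL = re.compile(r"^([\"'])(?:(?!\1).)*\1$")

# Constructed sample standing in for an MCP server's source (not real project code).
SAMPLE = """\
import { spawn } from "node:child_process";
const a = spawn("npx", ["-y", "fixed-server", "--", "fixed-arg"]);
export function runTool(pkg: string) {
  return spawn("npx", ["-y", pkg]);
}
const b = spawn("uvx", ["fixed-tool", "--", userArg]);
const c = `pipx run ${toolName} --port 3000`;
"""

def argv_is_dynamic(argv_src):
    """True when a non-literal argv element precedes any literal '--' separator.

    A dynamic value in the option-parsing region can be read as a runner option
    (e.g. a leading '-'), which is the CWE-88 pattern; after '--' the runner stops
    parsing its own options, so later dynamic values are not flagged here.
    """
    for element in argv_src.split(","):
        element = element.strip()
        if not element:
            continue
        if STRING_LITERAL.match(element) is None:
            return True
        if element[1:-1] == "--":
            return False
    return False

def scan_source(text):
    """Return (line_no, runner, reason) tuples for suspicious runner invocations."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SPAWN.search(line)
        if m and argv_is_dynamic(m.group(2)):
            findings.append((lineno, m.group(1), "dynamic argv element before '--'"))
        m = TEMPLATE.search(line)
        if m:
            findings.append((lineno, m.group(1), "interpolation into runner command line"))
    return findings
```

Running `scan_source(SAMPLE)` flags lines 4 and 7 only; the `"--"`-separated calls on lines 2 and 6 pass, which shows both what the rule looks for and the kind of context it cannot see.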
POST /v1/scan is free with no API key. POST /v1/scan/pay charges $0.10 USDC per scan via x402 on Base L2. Manual L2-L4 audits at compuute.se/audit when you need dataflow review.
Wraps compuute-scan (MIT, zero dependencies). Methodology paper and threat model in the repo.
Server Config
{
  "mcpServers": {
    "compuute-scan": {
      "type": "http",
      "url": "https://scan.compuute.se/mcp/"
    }
  }
}