← Back to search

@modelcontextprotocol/sdk

modelcontextprotocol NOASSERTION 12,468 stars Scanned 48d ago

Model Context Protocol implementation for TypeScript

C
60.7 / 100

Versions

@modelcontextprotocol/fastify@2.0.0-alpha.2 latest
Apr 1, 2026
@modelcontextprotocol/server@2.0.0-alpha.2
Apr 1, 2026
@modelcontextprotocol/hono@2.0.0-alpha.2
Apr 1, 2026
@modelcontextprotocol/express@2.0.0-alpha.2
Apr 1, 2026
@modelcontextprotocol/node@2.0.0-alpha.2
Apr 1, 2026
@modelcontextprotocol/client@2.0.0-alpha.2
Apr 1, 2026
@modelcontextprotocol/hono@2.0.0-alpha.1
Apr 1, 2026
@modelcontextprotocol/server@2.0.0-alpha.1
Apr 1, 2026
@modelcontextprotocol/fastify@2.0.0-alpha.1
Apr 1, 2026
@modelcontextprotocol/client@2.0.0-alpha.1
Apr 1, 2026
@modelcontextprotocol/express@2.0.0-alpha.1
Apr 1, 2026
@modelcontextprotocol/node@2.0.0-alpha.1
Apr 1, 2026
1.29.0
Mar 30, 2026
1.28.0
Mar 25, 2026
1.27.1
Feb 24, 2026
1.27.0
Feb 16, 2026
1.26.0
Feb 4, 2026
1.25.3
Jan 20, 2026
1.25.2
Jan 7, 2026
1.25.1
Dec 16, 2025
1.25.0
Dec 15, 2025
1.23.1
Dec 4, 2025
1.24.3
Dec 4, 2025
1.24.2
Dec 3, 2025
1.24.1
Dec 2, 2025
1.24.0
Dec 2, 2025
1.23.0
Nov 25, 2025
1.23.0-beta.0
Nov 20, 2025
1.22.0
Nov 13, 2025
1.21.2
Nov 13, 2025
1.21.1
Nov 7, 2025
1.21.0
Oct 30, 2025
1.20.2
Oct 24, 2025
1.20.1
Oct 16, 2025
1.20.0
Oct 9, 2025
1.19.0
Oct 2, 2025
1.18.2
Sep 25, 2025
1.18.1
Sep 18, 2025
1.18.0
Sep 18, 2025
1.17.5
Sep 2, 2025
1.17.4
Aug 21, 2025
1.17.3
Aug 14, 2025
1.17.2
Aug 7, 2025
1.17.1
Jul 31, 2025
1.17.0
Jul 24, 2025
1.16.0
Jul 17, 2025
1.15.1
Jul 10, 2025
1.15.0
Jul 3, 2025
1.14.0
Jul 3, 2025
1.13.3
Jul 1, 2025
1.13.2
Jun 26, 2025
1.13.1
Jun 23, 2025
1.13.0
Jun 18, 2025
1.12.3
Jun 12, 2025
1.12.2
Jun 12, 2025
1.12.1
May 29, 2025
1.12.0
May 22, 2025
1.11.5
May 21, 2025
1.11.4
May 16, 2025
1.11.3
May 15, 2025
1.11.2
May 12, 2025
1.11.1
May 8, 2025
1.11.0
May 1, 2025
1.10.2
Apr 22, 2025
1.10.1
Apr 18, 2025
1.10.0
Apr 17, 2025
1.9.0
Apr 7, 2025
1.8.0
Mar 26, 2025
1.7.0
Mar 11, 2025
1.6.1
Feb 28, 2025
1.6.0
Feb 24, 2025
1.5.0
Feb 12, 2025
1.4.1
Jan 24, 2025
1.4.0
Jan 23, 2025
1.3.2
Jan 22, 2025
1.3.1
Jan 21, 2025
1.3.0
Jan 20, 2025
1.2.0
Jan 20, 2025
1.1.1
Jan 10, 2025
1.1.0
Jan 3, 2025
1.0.4
Dec 17, 2024
1.0.3
Dec 4, 2024
1.0.1
Nov 26, 2024
1.0.0
Nov 25, 2024
0.7.0
Nov 20, 2024
0.6.1
Nov 20, 2024
0.6.0
Nov 16, 2024
0.5.0
Nov 15, 2024
0.4.0
Nov 11, 2024
0.3.2
Nov 7, 2024
0.3.1
Nov 7, 2024
0.3.0
Nov 7, 2024
0.2.0
Nov 6, 2024
0.1.0
Oct 23, 2024
PermissionsTool SafetyAuthAnnotationsCode QualityStabilitySpecVuln HistoryAuthorTransparencyCommunity

Tools 37

test-tool
missing low

A test tool

greet
missing low

Greet someone

contact
missing low

user
missing low

process
missing low

union-test
missing low

preprocess-test
missing low

transform-test
missing low

pipe-test
missing low

complex-transform
missing low

initial-tool
missing low

Initial tool

tool-1
missing low

Tool 1

tool-2
missing low

Tool 2

get-alerts
missing low

Get weather alerts for a state

get-forecast
missing low

Get weather forecast for a location

multi-greet
missing low

A tool that sends different greetings with delays between them

get-protocol-info
missing low

Returns protocol version configuration

collect-user-info
missing low

A tool that collects user information through form elicitation

start-notification-stream
missing low

Starts sending periodic notifications for testing resumability

list-files
missing low

Returns a list of files as ResourceLinks without embedding their content

long-task
missing low

A long-running task that sends progress updates. Server will disconnect mid-task to demonstrate polling.

get_weather
missing low

Get weather information for a city

calculate-bmi
missing low

Calculate Body Mass Index

fetch-data
missing low

Fetch data from a URL

idempotentHint true destructiveHint true
delete-file
consistent low

Delete a file from the project

idempotentHint true destructiveHint true
process-files
missing low

Process files with progress updates

summarize
missing low

Summarize text using the client LLM

collect-feedback
missing low

Collect user feedback via a form

list-workspace-files
missing low

List files across all workspace roots

whoami
missing low

Returns the authenticated subject.

a
missing low

x number
b
missing low

y number
out
missing low

n number
c
missing low

x number
echo
missing low

x number
test
missing low

ping
missing low

Permissions 4

network medium
Server uses network capabilities via: fetch()
filesystem low
Server uses filesystem capabilities via: fs sync ops
shell high
Server uses shell capabilities via: child_process, execSync(), spawn()
env_vars low
Server uses env_vars capabilities via: process.env

Scan Findings 205

info
Tool: delete-file manifest_parser · 85%
info
Tool: summarize manifest_parser · 85%
info
Tool: union-test manifest_parser · 85%
info
Tool: preprocess-test manifest_parser · 85%
info
Tool: transform-test manifest_parser · 85%
info
Tool: pipe-test manifest_parser · 85%
info
Tool: complex-transform manifest_parser · 85%
info
Tool: initial-tool manifest_parser · 85%
info
Tool: tool-1 manifest_parser · 85%
info
Tool: tool-2 manifest_parser · 85%
info
Tool: get-alerts manifest_parser · 85%
info
Tool: get-forecast manifest_parser · 85%
info
Tool: multi-greet manifest_parser · 85%
info
Tool: get-protocol-info manifest_parser · 85%
info
Tool: collect-user-info manifest_parser · 85%
info
Tool: start-notification-stream manifest_parser · 85%
info
Tool: list-files manifest_parser · 85%
info
Tool: process-files manifest_parser · 85%
info
package.json metadata manifest_parser · 100%
info
Tool: test-tool manifest_parser · 85%
info
Tool: greet manifest_parser · 85%
info
Tool: contact manifest_parser · 85%
info
Tool: user manifest_parser · 85%
info
Tool: collect-feedback manifest_parser · 85%
info
Tool: list-workspace-files manifest_parser · 85%
info
Tool: whoami manifest_parser · 85%
info
Tool: a manifest_parser · 85%
info
Tool: b manifest_parser · 85%
info
Tool: out manifest_parser · 85%
info
Tool: c manifest_parser · 85%
info
Tool: echo manifest_parser · 85%
info
Tool: test manifest_parser · 75%
info
Tool: ping manifest_parser · 85%
info
Transport: streamable-http manifest_parser · 80%
info
Required env vars (17) manifest_parser · 80%
low
Tool 'test-tool' has no annotations annotation_checker · 100%
low
Tool 'greet' has no annotations annotation_checker · 100%
low
Tool 'contact' has no annotations annotation_checker · 100%
low
Tool 'user' has no annotations annotation_checker · 100%
low
Tool 'process' has no annotations annotation_checker · 100%
low
Tool 'union-test' has no annotations annotation_checker · 100%
low
Tool 'preprocess-test' has no annotations annotation_checker · 100%
low
Tool 'transform-test' has no annotations annotation_checker · 100%
low
Tool 'pipe-test' has no annotations annotation_checker · 100%
low
Tool 'complex-transform' has no annotations annotation_checker · 100%
low
Tool 'initial-tool' has no annotations annotation_checker · 100%
low
Tool 'tool-1' has no annotations annotation_checker · 100%
low
Tool 'tool-2' has no annotations annotation_checker · 100%
low
Tool 'get-alerts' has no annotations annotation_checker · 100%
low
Tool 'get-forecast' has no annotations annotation_checker · 100%
low
Tool 'multi-greet' has no annotations annotation_checker · 100%
low
Tool 'get-protocol-info' has no annotations annotation_checker · 100%
info
Tool 'greet' annotations are consistent annotation_checker · 80%
info
Tool 'multi-greet' annotations are consistent annotation_checker · 80%
low
Tool 'collect-user-info' has no annotations annotation_checker · 100%
low
Tool 'start-notification-stream' has no annotations annotation_checker · 100%
low
Tool 'list-files' has no annotations annotation_checker · 100%
low
Tool 'long-task' has no annotations annotation_checker · 100%
low
Tool 'get_weather' has no annotations annotation_checker · 100%
low
Tool 'calculate-bmi' has no annotations annotation_checker · 100%
info
Tool 'list-files' annotations are consistent annotation_checker · 80%
info
Tool 'fetch-data' annotations are consistent annotation_checker · 80%
info
Tool 'delete-file' annotations are consistent annotation_checker · 80%
low
Tool 'process-files' has no annotations annotation_checker · 100%
low
Tool 'summarize' has no annotations annotation_checker · 100%
low
Tool 'collect-feedback' has no annotations annotation_checker · 100%
low
Tool 'list-workspace-files' has no annotations annotation_checker · 100%
low
Tool 'whoami' has no annotations annotation_checker · 100%
low
Tool 'a' has no annotations annotation_checker · 100%
low
Tool 'b' has no annotations annotation_checker · 100%
low
Tool 'out' has no annotations annotation_checker · 100%
low
Tool 'c' has no annotations annotation_checker · 100%
low
Tool 'echo' has no annotations annotation_checker · 100%
low
Tool 'fetch-data' has no annotations annotation_checker · 100%
low
Tool 'test' has no annotations annotation_checker · 100%
low
Tool 'ping' has no annotations annotation_checker · 100%
info
Tool 'test' annotations are consistent annotation_checker · 80%
high
Hardcoded OAuth client secret in test/integration/test/issues/test_1342OauthErrorHttp200.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in examples/client/src/clientGuide.examples.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/auth.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/streamableHttp.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/crossAppAccess.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/sse.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/authExtensions.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/src/client/crossAppAccess.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/src/client/authExtensions.ts auth_checker · 95%
medium
Permission: network access detected permission_analyzer · 70%
low
Permission: filesystem access detected permission_analyzer · 90%
high
Permission: shell access detected permission_analyzer · 95%
low
Permission: env_vars access detected permission_analyzer · 90%
medium
Vulnerable dependency: better-auth@1.4.17 (GHSA-wxw3-q3m9-c3jr) dependency_analyzer · 95%
medium
Buffer.from base64 in packages/client/test/client/sse.test.ts:23 entropy_analyzer · 75%
info
SLSA Build Level 3 detected slsa_assessor · 85%
high
High-risk OAuth scope: admin oauth_scope_analyzer · 80%
info
Could not connect to MCP server for output poisoning scan output_poisoning · 100%
info
Could not connect to MCP server for behavioral verification behavioral_verifier · 100%
info
SBOM generated: 68 components sbom_generator · 100%
info
MITRE ATLAS technique coverage summary atlas_annotator · 100%
info
ATLAS: Adversarial ML Supply Chain (AML.T0043) atlas_annotator · 100%
info
ATLAS: Poison Training Data (AML.T0020) atlas_annotator · 100%
info
Tool: long-task manifest_parser · 85%
info
Tool: get_weather manifest_parser · 85%
info
Tool: process manifest_parser · 85%
info
Tool: calculate-bmi manifest_parser · 85%
info
Tool: fetch-data manifest_parser · 85%
high
Hardcoded OAuth client secret in packages/client/test/client/streamableHttp.test.ts auth_checker · 95%
info
package.json metadata manifest_parser · 100%
info
Tool: test-tool manifest_parser · 85%
info
Tool: greet manifest_parser · 85%
info
Tool: contact manifest_parser · 85%
info
Tool: user manifest_parser · 85%
info
Tool: process manifest_parser · 85%
info
Tool: union-test manifest_parser · 85%
info
Tool: preprocess-test manifest_parser · 85%
info
Tool: transform-test manifest_parser · 85%
info
Tool: pipe-test manifest_parser · 85%
info
Tool: complex-transform manifest_parser · 85%
info
Tool: initial-tool manifest_parser · 85%
info
Tool: tool-1 manifest_parser · 85%
info
Tool: tool-2 manifest_parser · 85%
info
Tool: get-alerts manifest_parser · 85%
info
Tool: get-forecast manifest_parser · 85%
info
Tool: multi-greet manifest_parser · 85%
info
Tool: get-protocol-info manifest_parser · 85%
info
Tool: collect-user-info manifest_parser · 85%
info
Tool: start-notification-stream manifest_parser · 85%
info
Tool: list-files manifest_parser · 85%
info
Tool: long-task manifest_parser · 85%
info
Tool: get_weather manifest_parser · 85%
info
Tool: calculate-bmi manifest_parser · 85%
info
Tool: fetch-data manifest_parser · 85%
info
Tool: delete-file manifest_parser · 85%
info
Tool: process-files manifest_parser · 85%
info
Tool: summarize manifest_parser · 85%
info
Tool: collect-feedback manifest_parser · 85%
info
Tool: list-workspace-files manifest_parser · 85%
info
Tool: whoami manifest_parser · 85%
info
Tool: a manifest_parser · 85%
info
Tool: b manifest_parser · 85%
info
Tool: out manifest_parser · 85%
info
Tool: c manifest_parser · 85%
info
Tool: echo manifest_parser · 85%
info
Transport: streamable-http manifest_parser · 80%
info
Required env vars (17) manifest_parser · 80%
low
Tool 'test-tool' has no annotations annotation_checker · 100%
low
Tool 'greet' has no annotations annotation_checker · 100%
low
Tool 'contact' has no annotations annotation_checker · 100%
low
Tool 'user' has no annotations annotation_checker · 100%
low
Tool 'process' has no annotations annotation_checker · 100%
low
Tool 'union-test' has no annotations annotation_checker · 100%
low
Tool 'preprocess-test' has no annotations annotation_checker · 100%
low
Tool 'transform-test' has no annotations annotation_checker · 100%
low
Tool 'pipe-test' has no annotations annotation_checker · 100%
low
Tool 'complex-transform' has no annotations annotation_checker · 100%
low
Tool 'initial-tool' has no annotations annotation_checker · 100%
low
Tool 'tool-1' has no annotations annotation_checker · 100%
low
Tool 'tool-2' has no annotations annotation_checker · 100%
low
Tool 'get-alerts' has no annotations annotation_checker · 100%
low
Tool 'get-forecast' has no annotations annotation_checker · 100%
low
Tool 'multi-greet' has no annotations annotation_checker · 100%
low
Tool 'get-protocol-info' has no annotations annotation_checker · 100%
info
Tool 'greet' annotations are consistent annotation_checker · 80%
info
Tool 'multi-greet' annotations are consistent annotation_checker · 80%
low
Tool 'collect-user-info' has no annotations annotation_checker · 100%
low
Tool 'start-notification-stream' has no annotations annotation_checker · 100%
low
Tool 'list-files' has no annotations annotation_checker · 100%
low
Tool 'long-task' has no annotations annotation_checker · 100%
low
Tool 'get_weather' has no annotations annotation_checker · 100%
low
Tool 'calculate-bmi' has no annotations annotation_checker · 100%
info
Tool 'list-files' annotations are consistent annotation_checker · 80%
info
Tool 'fetch-data' annotations are consistent annotation_checker · 80%
info
Tool 'delete-file' annotations are consistent annotation_checker · 80%
low
Tool 'process-files' has no annotations annotation_checker · 100%
low
Tool 'summarize' has no annotations annotation_checker · 100%
low
Tool 'collect-feedback' has no annotations annotation_checker · 100%
low
Tool 'list-workspace-files' has no annotations annotation_checker · 100%
low
Tool 'whoami' has no annotations annotation_checker · 100%
low
Tool 'a' has no annotations annotation_checker · 100%
low
Tool 'b' has no annotations annotation_checker · 100%
low
Tool 'out' has no annotations annotation_checker · 100%
low
Tool 'c' has no annotations annotation_checker · 100%
low
Tool 'echo' has no annotations annotation_checker · 100%
low
Tool 'fetch-data' has no annotations annotation_checker · 100%
high
Hardcoded OAuth client secret in test/integration/test/issues/test_1342OauthErrorHttp200.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in examples/client/src/clientGuide.examples.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/auth.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/crossAppAccess.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/sse.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/test/client/authExtensions.test.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/src/client/crossAppAccess.ts auth_checker · 95%
high
Hardcoded OAuth client secret in packages/client/src/client/authExtensions.ts auth_checker · 95%
medium
Permission: network access detected permission_analyzer · 70%
low
Permission: filesystem access detected permission_analyzer · 90%
high
Permission: shell access detected permission_analyzer · 95%
low
Permission: env_vars access detected permission_analyzer · 90%
medium
Vulnerable dependency: better-auth@1.4.17 (GHSA-wxw3-q3m9-c3jr) dependency_analyzer · 95%
medium
Buffer.from base64 in packages/client/test/client/sse.test.ts:23 entropy_analyzer · 75%
info
SLSA Build Level 3 detected slsa_assessor · 85%
high
High-risk OAuth scope: admin oauth_scope_analyzer · 80%
info
Could not connect to MCP server for output poisoning scan output_poisoning · 100%
info
Could not connect to MCP server for behavioral verification behavioral_verifier · 100%
info
SBOM generated: 66 components sbom_generator · 100%
info
MITRE ATLAS technique coverage summary atlas_annotator · 100%
info
ATLAS: Adversarial ML Supply Chain (AML.T0043) atlas_annotator · 100%
info
ATLAS: Poison Training Data (AML.T0020) atlas_annotator · 100%