Security
90 checks, passive → adversarial
Can the server be coerced into doing something it shouldn't? Auth gaps, injection surfaces, token leaks, tools exposed without scope.
Every check declares the minimum intensity at which it runs and the worst severity a finding can carry. Expand one for what it does, what it depends on, and a reproduction you can run against a server you own. Counts are live, from library 0.29.0.
auth: 4 checks
creds: 4 checks
deps: 2 checks
disclosure: 6 checks
errors: 3 checks
http: 4 checks
manifest: 1 check
mcp: 23 checks
oauth: 23 checks
output: 1 check
prompt: 3 checks
resource: 4 checks
tasks: 3 checks
tls: 7 checks
transport: 2 checks