Scanning 17,000+ MCP servers every week

Two out of three MCP servers fail security checks

Pulrix runs every MCP server through 6 security layers: package malware scanning, supply chain behavioral analysis, CVE database checks, static code analysis, MCP-specific tool poisoning detection, and prompt injection pattern matching. One command. One grade. Before you install.

Free. No signup. Works right now.

terminal
$ npx pulrix search "postgres"

  Pulrix - results for "postgres"

  Grade   Score   Server                           Description
  ──────────────────────────────────────────────────────────────
  A       82/100  crystaldba/postgres-mcp          All-in-one MCP server for PostgreSQL
  B       71/100  neondatabase/mcp-server-neon     Nile’s Postgres platform connector
  C       54/100  pg-mcp-server                    Read-only PostgreSQL queries
  F       12/100  sketchy-postgres-tool            1 critical security finding

10 queries/day free. No account needed.

66% of MCP servers flagged
30 CVEs filed in 60 days
5 of 7 top skills were malware
17K+ scored by Pulrix

9 quality signals. 6 security layers. One grade.

We check what humans check (tests, types, docs, activity) and what humans miss (malicious install scripts, obfuscated code, tool poisoning, hidden Unicode, CVEs in transitive deps).

60pts

Quality

Does it look like someone cared when they built this?

  • Actual MCP SDK in dependencies (not just "mcp" in keywords)
  • README over 200 characters. Tests that exist. Types that compile.
  • Stars, forks, commit frequency, issue response rate
  • npm advisory check against known vulnerable packages

40pts

Security

Is it trying to steal your SSH keys? We check.

  • Package binary scanned against 70+ antivirus engines via VirusTotal
  • Supply chain behavioral analysis: install scripts, data exfil, obfuscated code
  • Static code analysis with 20,000+ security rules (Semgrep)
  • MCP-specific: tool poisoning, rug pulls, toxic flow detection
  • OSV.dev + GitHub Advisories: known CVEs across npm, PyPI, Go, Rust
  • 50+ prompt injection patterns in tool descriptions + hidden Unicode

One critical finding caps the grade at D. VirusTotal malware detection = automatic F.

Works where you work

Terminal. HTTP. Or let your AI agent search for its own tools.

CLI

One command. Instant grades.

npx pulrix search "email"
npx pulrix info github:owner/repo
npx pulrix check https://github.com/...

REST API

Plug it into your CI pipeline.

curl "https://api.pulrix.dev/api/v1/search?q=postgres"

# Fail builds on F-grade deps
curl "https://api.pulrix.dev/api/v1/compare?ids=a,b"

MCP Server

Your agent picks its own tools.

{
  "mcpServers": {
    "pulrix": {
      "command": "npx",
      "args": ["-y", "pulrix", "mcp"]
    }
  }
}

Live + Free

The MCP server went down at 2 AM. Did you know?

Breaking schema changes. New CVEs. Servers going dark. Pulrix tracks it all across the MCP server space and publishes a free incident feed. When something breaks, you find out before your agents do.

Free page, updated weekly. $19/mo gets you real-time alerts, API access, and webhooks.

# Recent incidents

CVE 6h ago
CVE-2026-4812: Command injection in mcp-remote
CVSS 9.6. 437K downloads affected.

SCHEMA 12h ago
github-mcp-server tools/list format changed
Breaking. 47 integrations affected.

DEGRADED 1d ago
slack-mcp-server p99 latency at 4.2s
8x normal response times.

"95% of MCP servers are utter garbage."

Reddit, r/MCP. We scanned them. The number is closer to 66%. Still bad.

Free until you need more

Most people never pay. That's fine. The scores are the point.

Free

$0
  • 10 queries/day
  • Search + full scores
  • CLI + MCP server
  • Public incident feed

Alerts

$19/mo
  • Real-time incident alerts
  • Full API + webhooks
  • 30-day history

FOR BUILDERS

Pro

$29/mo
  • Unlimited queries
  • API key
  • CI/CD quality gate
  • On-demand checks

Certified

$99/mo
  • Badge for your README
  • Promoted in search
  • Analytics
  • Weekly re-testing

You wouldn't npm install a package with 0 downloads and no README.

So why are you connecting MCP servers you found on a random GitHub list?

Check first. Install second.

npx pulrix search "postgres"