Live MCP server, scored
MCP server scanner for a live server
Paste a remote MCP endpoint. We connect, run the handshake, and grade the tools, resources, and prompts it advertises — the live counterpart to the static card validator.
Remote http(s) endpoints only — stdio servers can’t be reached from a hosted scanner. Read-only: we enumerate tool definitions, we never call your tools.
Last updated
What does the MCP server scanner check?
It speaks the protocol to the running server and grades the surface it returns — not a static card. Tool quality is weighted most heavily, because tool definitions are what an agent reasons over.
- Tool quality. A description on every tool and every parameter, an
outputSchemaper tool, annotations (readOnlyHint,destructiveHint, …), and agent-safe naming. - Server metadata. name, version, title, description, website, and icon in
serverInfo. - Resources & prompts. URIs, MIME types, and human-readable descriptions where offered.
- Capability honesty. Capabilities the server declares are actually populated (no declares-tools-serves-none drift).
- MCP Apps (UI). Interactive
ui://resources carry atext/htmlMIME type.
Frequently asked questions
- What is the MCP server scanner?
- It connects to a live, remotely-hosted MCP server over Streamable HTTP, runs the protocol handshake, and grades the advertised surface — tools, resources, and prompts — against MCP best practices. It returns an MCP score (0–100) with a plain-English fix for each issue. It's read-only: it never calls your tools, only enumerates their definitions.
- How is this different from the MCP card validator?
- The MCP card validator is static: it fetches and checks your /.well-known/mcp.json card. The MCP server scanner is live: it actually speaks the protocol to the running server and grades the real tool/resource/prompt definitions it returns. Card validator = 'is my card discoverable and well-formed?'; server scanner = 'is the running server actually high quality?'.
- What does the MCP score measure?
- Tool quality (descriptions on every tool, descriptions on every parameter, output schemas, annotations, naming), server metadata richness (name, version, title, description, website, icon), resource and prompt quality, capability honesty (declared capabilities that the server actually serves), and whether interactive MCP-Apps (ui://) resources carry the right MIME type. Tool quality is weighted most heavily.
- Can you scan a local (stdio) MCP server?
- No. A hosted scanner can only reach remotely-hosted MCP servers over http(s) (Streamable HTTP). stdio servers — the npm packages that run on your own machine — aren't reachable over the network, so paste a remote endpoint URL instead.
- Does the scanner need authentication?
- No. It performs an unauthenticated handshake and discovery (initialize, tools/list, resources/list, prompts/list), which most servers allow before auth. If a server requires authentication even for discovery, the scanner reports that and grades whatever surface it can reach.