VIDEO DEMO: https://www.loom.com/share/ba112f3617ab447b8daa0e32491f748b?sid=aaf04cb8-9784-4852-bf9e-53e56d7d89f8
GITHUB: https://github.com/varundataquest/MCPGuardian
Inspiration
As the MCP ecosystem grows rapidly, developers and agents face a challenge: which servers can be trusted, and which might be risky? We were inspired by the idea of building a “security layer” for MCP—something that not only helps users discover useful servers but also highlights their trustworthiness and safety posture.
What it does
MCP Guardian crawls public MCP registries, collects metadata about servers, and assigns each an explainable security score based on observable signals like HTTPS usage, GitHub activity, and hosting reliability. It provides a searchable web UI for humans and an MCP API server for agents, ensuring that both people and AI systems can find secure, relevant servers quickly.
How we built it
We built a Python FastAPI backend to handle crawling, enrichment, scoring, and REST/MCP endpoints, with results stored in Supabase for fast search. The Next.js frontend visualizes servers with score badges and detailed pages. We containerized the system with Docker, deployed it on Render, and added scripts for running hybrid, web-only, or MCP-only modes. Finally, we exposed tools like search_mcp_servers and analyze_server_security through the MCP protocol so agents can integrate directly.
Challenges we ran into
- Designing a security score that was meaningful without full repo cloning or runtime testing.
- Keeping discovery extensible while starting with only a few registries (Glama, mcp.so).
- Ensuring the system worked in dual modes (for humans and MCP clients) without duplicating logic.
- Debugging streaming responses for MCP’s streamable HTTP transport.
Accomplishments that we're proud of
- Created a dual-purpose platform (UI + MCP server) with zero code duplication in scoring logic.
- Developed an explainable scoring model (green/yellow/red badges) that makes security transparent at a glance.
- Achieved one-click deployment via Render with all components integrated.
- Built an agent-friendly API layer that lets other MCP clients enforce minimum security thresholds in production.
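One way to build the kind of explainable, signal-based score and minimum-threshold gate described above, added here as an example and not MCP Guardian's own code. The weights, badge cut-offs, `ServerRecord` fields and function names are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Assumed weights and badge cut-offs; the page does not publish its own.
WEIGHTS = {"https": 40, "repo_activity": 35, "hosting": 25}
GREEN_MIN, YELLOW_MIN = 75, 45

@dataclass
class ServerRecord:                 # hypothetical shape of one crawled registry entry
    name: str
    endpoint: str
    last_commit: Optional[date]     # None when no public repository was found
    uptime_ratio: Optional[float]   # 0.0-1.0 from health probes, None if unprobed

def score_server(rec, today):
    """Return (score, badge, reasons) so every point is traceable to a signal."""
    parts = []  # (points, explanation) per signal
    https = urlparse(rec.endpoint).scheme.lower() == "https"
    parts.append((WEIGHTS["https"] if https else 0, f"HTTPS endpoint: {https}"))
    if rec.last_commit is None:
        parts.append((0, "no repository metadata (unknown earns nothing)"))
    else:
        age = max(0, (today - rec.last_commit).days)
        # Full credit within 90 days, linear decay to zero at 365 days.
        frac = 1.0 if age <= 90 else max(0.0, (365 - age) / 275)
        parts.append((round(WEIGHTS["repo_activity"] * frac), f"last commit {age} days ago"))
    if rec.uptime_ratio is None:
        parts.append((0, "hosting not probed"))
    else:
        up = min(max(rec.uptime_ratio, 0.0), 1.0)
        parts.append((round(WEIGHTS["hosting"] * up), f"probe uptime {up:.0%}"))
    score = sum(p for p, _ in parts)
    badge = "green" if score >= GREEN_MIN else "yellow" if score >= YELLOW_MIN else "red"
    return score, badge, [f"+{p} {why}" for p, why in parts]

def allowed(records, min_score, today):
    """Client-side policy gate: names of servers meeting the minimum score."""
    return [r.name for r in records if score_server(r, today)[0] >= min_score]

# Constructed sample records, not real registry data.
TODAY = date(2025, 1, 1)
SAMPLES = [
    ServerRecord("alpha", "https://alpha.example/mcp", date(2024, 12, 1), 0.99),
    ServerRecord("beta", "http://beta.example/mcp", date(2024, 3, 1), 0.80),
    ServerRecord("gamma", "https://gamma.example/mcp", None, None),
]
```

With these assumed weights, "gamma" shows why missing signals must score zero rather than be skipped: HTTPS alone leaves it at 40, a red badge.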
What we learned
We learned that building trust in open ecosystems requires a balance between practical heuristics (like HTTPS or repo health) and usability (fast search, clear badges). We also deepened our knowledge of MCP tooling, Supabase indexing, and how to bridge human UX with machine protocols in a single platform.
What's next for MCP Guardian
Next, we plan to expand coverage by adding new registry adapters (e.g., PulseMCP, GitHub topics), integrate AI-BOM/ModelScan hooks for deeper analysis, and support policy enforcement so organizations can block or allow MCP servers based on minimum scores. We also want to add webhooks and saved searches so users are notified when new trusted servers become available.
Built With
- css
- docker
- docker-compose
- fastapi
- github
- mcp-(model-context-protocol)
- next.js
- postgresql
- python
- react
- render
- rest-api
- sql
- streamable
- supabase
- supabase-auth
- tailwind
- typescript