Skip to main content
Glama

SafeSkill

One-click security audit for your MCP setup.

One score. Plain English. No CLI knowledge required.

We Scanned the MCP Ecosystem

We downloaded and scanned 3,093 MCP packages from npm and the official MCP registry. The results:

  • 858 packages (28%) had at least one security finding

  • 397 packages (13%) rated RED (score below 50)

  • 176 packages scored a flat 0/100

Cisco, 1Password, Snyk, and Bitdefender have all flagged MCP's lack of sandboxing and permissions as a serious risk. We built SafeSkill to let you check for yourself.

Read the full analysis: I Scanned 3,093 MCP Servers. Here's What I Found.

Related MCP server: MCP Security Scanner

Try It Now

No install required. Paste any npm package name into the web scanner:

getsafeskill.vercel.app

Quick Start

Add SafeSkill to your MCP configuration and just ask your agent:

"Check if my MCP setup is safe"

{
  "mcpServers": {
    "safeskill": {
      "command": "npx",
      "args": ["-y", "safeskill"]
    }
  }
}

As a CLI

# Scan your entire setup
npx safeskill

# Scan a specific skill
npx safeskill scan ./my-mcp-server

# Check config only
npx safeskill config

# JSON output
npx safeskill --format=json

What It Detects

Critical

  • Dynamic code execution (eval(), new Function())

  • Shell command injection

  • Data exfiltration to Telegram/Discord/paste sites

  • Access to SSH keys, cloud credentials, crypto wallets, browser data

  • Prompt injection in skill descriptions

  • Environment variable theft over network

  • Crypto wallet address replacement

High

  • Child process spawning

  • Outbound HTTP to raw IP addresses

  • Bulk environment variable harvesting

  • Base64/hex obfuscation at runtime

  • JavaScript code obfuscation

  • Hardcoded API keys and secrets

  • Access to .env and dotfiles

  • Exposed ports (0.0.0.0 binding)

  • Disabled authentication flags

Medium

  • Data encoding before transmission

  • Hidden Unicode characters

  • Hardcoded secrets in config

  • Supply chain risk (npx/uvx execution)

Scoring

Each skill gets a score from 0-100:

Score

Rating

Meaning

80-100

GREEN

No significant issues found

50-79

YELLOW

Some concerns, review the findings

0-49

RED

Serious issues, remove or replace this skill

Scores are based on the number and severity of findings, with diminishing returns for repeated instances of the same issue.

Overall Score: 62/100 YELLOW [############--------]

Found 7 security issues across 4 skills.

Skills you should remove:
- sketchy-data-tool (Score: 15/100) — tries to read your SSH keys and send them to a server
- crypto-helper (Score: 35/100) — contains a hardcoded crypto wallet address

Skills to review:
- file-manager (Score: 65/100) — can run system commands on your computer

Clean skills: weather, calculator, notes

Output Formats

  • Conversational: Chat-friendly summary for use in MCP agents

  • Detailed: Full markdown report with all findings

  • JSON: Machine-readable output for automation

Building from Source

git clone https://github.com/gabchess/safeskill.git
cd safeskill
npm install
npm run build

License

MIT

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/gabchess/safeskill'

If you have feedback or need assistance with the MCP directory API, please join our Discord server