Scanned May 4, 2026 · 03:34 UTC · http
3 of 31 checks need a closer look. 28 passed.
Public passive · 0 tools · 28 of 31 rules passed · anonymous· 0R · 0W · 0D
The signals that drove the score, in plain language.
Server validates the Origin header
The MCP server returns HTTP 403 to a POST whose `Origin` header points at a host other than its own. This is the documented DNS-rebinding mitigation in the MCP 2025-11-25 security best practices: a server that processes cross-origin requests can be coerced via DNS rebinding into accepting tool calls from any page in the user's browser. Real CVEs in this class include CVE-2025-10625 (Neo4j Cypher MCP) and CVE-2026-23744 (MCPJam Inspector).
What to do before you connect this server.
Failing rules at HIGH or CRITICAL severity: transport_validates_origin.
Six trust dimensions, each tagged Observed, Inferred, or Derived.
11/13 checks passed, 2 failed — 80%.
11/13 passed · 2 failed
3/4 checks passed, 1 failed (5 n/a) — 92%.
3/4 passed · 1 failed · 5 n/a
10/10 capability rules passed (10 n/a) — 100%.
10/10 passed · 10 n/a
4/4 checks passed (6 n/a) — 100%.
4/4 passed · 6 n/a
Per-tool capability and risk inferred from each tool’s name, description, and schema. No tool was invoked.
The server returned no tools.
Per-rule evidence, then the full rule list. Failing rules first.
{
"status": 200,
"sentOrigin": "https://agentreserve-rebind-probe.invalid",
"__applicable": true,
"__observationKind": "observed"
}Inferred from a passive probe — AgentReserve never invoked the tool or sent credentials, so behaviour at call time is not observed.
Validate the `Origin` header on every MCP request. Maintain an allow-list of acceptable origins (typically the operator's own clients) and return HTTP 403 on any mismatch. Localhost-only servers should additionally reject requests whose `Host` header points at any name other than the loopback addresses they bound to.
{
"present": false,
"__applicable": true,
"maxAgeSeconds": null,
"__observationKind": "observed"
}Inferred from a passive probe — AgentReserve never invoked the tool or sent credentials, so behaviour at call time is not observed.
Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` (and consider `; preload` after submitting to the HSTS preload list) to all HTTPS responses.
{
"__applicable": true,
"toolsListError": "UPSTREAM_HTTP_ERROR",
"__observationKind": "observed"
}Inferred from a passive probe — AgentReserve never invoked the tool or sent credentials, so behaviour at call time is not observed.
Implement `tools/list` per the MCP spec; return an empty array if the server has no callable tools.
Server identity, protocol version, and TLS transport — the MCP-level signals a client needs before it talks to the server.
MCP Authorization spec — 'Authorization servers and resource servers MUST be served over HTTPS'; matches OWASP ASVS V9 transport requirements.
RFC 6797 — HTTP Strict Transport Security; OWASP ASVS V9.1.
MCP Authorization spec — 'Authorization endpoints and resource endpoints MUST be served over HTTPS.'
MCP base specification — `initialize` result schema requires `protocolVersion`; authorization profile assumes negotiated version.
MCP base specification — `initialize` result schema includes `serverInfo { name, version }`.
Whether the server cooperates with the MCP authorization profile when authorization is in use.
MCP Authorization spec — bearer token usage; defers to RFC 6750 §2 ('Authentication Schemes'), §2.3 forbids URI query parameter tokens for new applications.
MCP Authorization spec — discovery section; references RFC 9728 (OAuth 2.0 Protected Resource Metadata) at `/.well-known/oauth-protected-resource`.
RFC 9728 — does the server publish a `/.well-known/oauth-protected-resource` document, and does it name the right authorization servers?
No scoring rule currently evaluates this standard. The requirement is documented for reference.
RFC 9728 §3 — Protected Resource Metadata Request; documents at `/.well-known/oauth-protected-resource[/<path>]`.
RFC 9728 §2 — `resource` parameter; resource URI must identify the protected resource itself.
RFC 9728 §2 — `authorization_servers` array.
RFC 9728 §3.2 — `signed_metadata` JWT.
RFC 8414 / OpenID Connect Discovery — does the authorization server publish `/.well-known/oauth-authorization-server` with the required endpoints?
No scoring rule currently evaluates this standard. The requirement is documented for reference.
RFC 8414 §3 — Authorization Server Metadata Request, served at `/.well-known/oauth-authorization-server`.
RFC 8414 §2 — `issuer` field; §3.3 — validation rules.
RFC 8414 §2 — `authorization_endpoint`.
RFC 8414 §2 — `token_endpoint`.
RFC 8414 §2 — `jwks_uri`.
RFC 8414 §2 — `registration_endpoint`; RFC 7591 — Dynamic Client Registration.
RFC 9700 — current OAuth security guidance: PKCE, no implicit grant, audience-restricted tokens, careful redirect URIs.
RFC 9700 §2.1.1 — Redirect URI validation; §4.1 — Open redirector mitigation.
RFC 9700 §2.1 — 'Clients MUST use authorization code grant with PKCE'; RFC 7636 — PKCE.
RFC 9700 §2.1.2 — implicit grant prohibited; §2.4 — resource owner password credentials grant prohibited.
RFC 9700 §4.10 — Audience restriction; RFC 8707 — Resource Indicators for OAuth.
Heuristic alignment with the OWASP MCP Top 10 — keyword-driven indicators inferred from the public tool surface.
OWASP MCP Top 10 — Token / secret exposure (sensitive data disclosure through MCP tool surface).
OWASP MCP Top 10 — Scope creep / excessive privilege (over-broad capability surface).
OWASP MCP Top 10 — Tool poisoning (malicious or ambiguous tool definitions tricking agents into harmful calls).
OWASP MCP Top 10 — Insufficient authentication / authorization (sensitive capability exposed without identity or scope checks).
OWASP MCP Top 10 — Lack of telemetry / audit (no observable record of tool invocation).
OWASP MCP Top 10 — Context over-sharing (tools that pull excessive or PII-laden context into the agent).
The MCP server returns HTTP 403 to a POST whose `Origin` header points at a host other than its own. This is the documented DNS-rebinding mitigation in the MCP 2025-11-25 security best practices: a server that processes cross-origin requests can be coerced via DNS rebinding into accepting tool calls from any page in the user's browser. Real CVEs in this class include CVE-2025-10625 (Neo4j Cypher MCP) and CVE-2026-23744 (MCPJam Inspector).
{
"status": 200,
"sentOrigin": "https://agentreserve-rebind-probe.invalid",
"__applicable": true,
"__observationKind": "observed"
}The HTTPS endpoint returns a `Strict-Transport-Security` header with a non-trivial `max-age`. HSTS prevents trivial downgrade attacks by instructing user agents to refuse plain HTTP for the host going forward.
{
"present": false,
"__applicable": true,
"maxAgeSeconds": null,
"__observationKind": "observed"
}The MCP `tools/list` call returned an array (possibly empty) rather than failing. This is a precondition for the rest of the tool-surface evaluation and a baseline indicator that the server speaks MCP correctly.
{
"__applicable": true,
"toolsListError": "UPSTREAM_HTTP_ERROR",
"__observationKind": "observed"
}No advertised tool offers shell access, arbitrary code evaluation, subprocess spawning, or interpreter execution. Public code execution turns the MCP server into a remote shell for any agent that connects to it. The check is a keyword scan over name, description, and schema; a sandboxed-by-design `eval_expression` math tool will trip it. Hard-fail forces `block` so the operator must explicitly authorise the surface — typically by moving it behind authentication, scoping it to a sandboxed runtime, or renaming if the keyword match is incidental.
No advertised tool references credentials, secrets, API keys, tokens, private keys, or vault material. A public tool that returns or mutates authentication material lets any caller pivot to other systems. The check is a keyword scan over each tool's name, description, and input schema; a benignly-named utility like `validate_api_key_format` will trip it. Hard-fail forces `block` precisely so the operator must consciously override the heuristic — either rename the tool, move it behind authentication, or treat the report as advisory and document the exception.
The `serverInfo.name` and `serverInfo.version` advertised on `initialize` do not match any entry in the AgentReserve in-tree advisory catalog. The catalog (`src/lib/scoring/signals/known-advisories.ts`) is a small, curated, public list of MCP server implementations with documented security incidents — entries cite a public reference (CVE / GHSA / vendor advisory / post-mortem). A match is a hard-fail block: the operator should rotate to a fixed version (or off the implementation) before any further trust is extended.
No advertised tool mutates the host filesystem (write_file, delete_file, chmod, mkdir, …). Public filesystem mutation can plant payloads, overwrite configuration, or destroy host state. The check is a keyword scan over name, description, and schema; a content-store tool exposing `upload_file` against an isolated bucket will trip it. Hard-fail forces `block` so the operator either fences the tool behind authentication, scopes it to a content store that does not expose raw paths, or documents the exception as an explicit override.
The MCP endpoint is reached over HTTPS. Plain HTTP allows trivial credential and prompt leakage on any shared network path.
No advertised tool grants administrative control over the system (shutdown, terminate, revoke, suspend, grant_role, sudo, …). Public administrative control lets any caller take over or disable the host. The check is a keyword scan over name, description, and schema; a status-only tool like `get_subscription_grant` may trip it on the word `grant`. Hard-fail forces `block` so the operator either renames the tool, moves it behind authenticated operator interfaces, or documents the override.
No advertised tool matches destructive data verbs (delete, drop, purge, wipe, destroy, truncate). Destructive actions are typically irreversible and should be exposed under explicit, scoped authorization rather than a default `tools/list`.
No advertised tool's `inputSchema` exposes a free-form string property named `prompt`, `query`, `command`, `sql`, `instruction`, or `message` without an `enum`, `pattern`, or `maxLength` ≤ 200. These are the field shapes that let an upstream MCP server smuggle agent-instructable text — model prompts, SQL fragments, shell commands — into the call site.
The MCP endpoint completes a TLS handshake whose certificate validates against Node's CA store and matches the requested hostname. Untrusted, expired, or hostname-mismatched certificates are observable here even when the JSON-RPC handshake fails.
The endpoint URL has no userinfo segment and no token-like keys (`token`, `api_key`, `apikey`, `access_token`, `refresh_token`, `password`, `secret`, `client_secret`) in its query string. Credentials in URLs leak through logs, Referer headers, browser history, and intermediary caches.
No entry returned by `resources/list` advertises a URI that points at the local filesystem (`file://`), plaintext HTTP, a cloud-metadata host (`169.254.169.254`, `metadata.google.internal`), a loopback or RFC 1918 address, a link-local or IPv6 ULA address, or a private-TLD hostname (`*.local`, `*.internal`, …). A client that follows these URIs without further validation is the MCP analogue of an SSRF primitive.
For every tool that returns spec-defined annotations (`readOnlyHint`, `destructiveHint`, etc.), the hints do not contradict each other and do not contradict the capability the scanner inferred from the tool's name, description, and schema. Misdeclared annotations are the canonical rug-pull camouflage — a tool that calls itself read-only but deletes records.
Every tool returned by `tools/list` includes a non-empty JSON Schema for its arguments. Schema-less tools force agents to guess argument shapes and make pre-call validation impossible.
No tool description contains hidden-instruction tags (`<IMPORTANT>`, `<system>`, `<instructions>`), override phrases (`Ignore previous instructions`, `Disregard prior context`), identity hijacks (`Act as an admin`), or exfiltration directives (`Send results to https://…`). These are the canonical tool-poisoning patterns documented by Invariant Labs and the OWASP MCP Top 10 — the description reaches the model verbatim, and a malicious server uses it to manipulate behavior at read time.
Every URL advertised in protected resource metadata or authorization server metadata — `authorization_endpoint`, `token_endpoint`, `jwks_uri`, `registration_endpoint`, `revocation_endpoint`, `introspection_endpoint`, and the PRM `resource` — uses HTTPS and resolves to a publicly routable hostname (no loopback, RFC 1918, link-local, or private TLD). The discovery chain has no value if it points clients at the cloud metadata service or the loopback interface.
Every parsed authorization server metadata document advertises `S256` in `code_challenge_methods_supported`. RFC 9700 (OAuth 2.0 Security BCP) and OAuth 2.1 require PKCE on every authorization-code exchange, with S256 as the only acceptable challenge method (`plain` is forbidden).
The advertised authorization server metadata does not advertise the resource owner password credentials grant or the implicit grant. Both are flagged as insecure by RFC 9700 and by OAuth 2.1, and should not appear on a modern authorization server.
No advertised tool performs a financial action (pay, charge, refund, transfer, withdraw, invoice, …). Tools that move money should be explicitly authorized and reviewed individually.
Every authorization server advertised by the protected resource metadata uses an HTTPS issuer URL with no userinfo, fragment, or query. RFC 8414 and OpenID Connect Discovery both require HTTPS issuers — anything else allows trivial token interception.
The `initialize.instructions` string returned by the server contains no markdown link with a `javascript:` or `data:` target, no HTML tag a renderer would execute or fetch (`<script>`, `<img>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), and no inline URL on a non-HTTPS scheme. The instructions field reaches the model verbatim — same trust boundary as a tool description, same vector classes.
No advertised tool's `description` contains a markdown link with a `javascript:` or `data:` target, an HTML tag that a renderer would execute or fetch (`<script>`, `<img>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), or an inline URL on a non-HTTPS scheme. Each pattern is a vector for the upstream server to smuggle content past the agent's normal trust boundary.
No tool name, description or input schema references obvious PII fields (email, phone, ssn, password, …). This is a governance prompt, not a security failure — many legitimate CRM, HR, and support servers handle PII by design and will trip the rule. The intent is to make the PII surface visible during review, not to block it. Treat a fail as 'document data minimization, retention, and access controls', not 'remove the tool'.
The negotiated TLS version is 1.2 or 1.3. TLS 1.0 and 1.1 are deprecated by RFC 8996 and have known cryptographic weaknesses; servers offering them broaden the attack surface for downgrade and padding-oracle attacks.
No high-precision secret pattern (Bearer header, JWT, OpenAI/Anthropic key, GitHub PAT, AWS key, Stripe live key, PEM private key, etc.) appears in `initialize.instructions`, `serverInfo`, tool descriptions, or input schemas after the standard `redact()` pass.
When the server requires authentication (HTTP 401/403 to an unauthenticated probe), it also advertises either a `WWW-Authenticate` challenge or a discoverable `.well-known/oauth-protected-resource` document. This is what allows a client to start a standards-compliant authorization flow without out-of-band documentation.
The advertised tool surface (each tool's `name`, `description`, `inputSchema`, and `annotations`) hashes to the same value as the most recent prior scan of this server. A drift in any of those fields is the rug-pull pattern documented by the `postmark-mcp` September 2025 incident: a server changes a tool's behavior or name post-install while the user's existing approval still grants the agent access. The rule is silent on first scans (no prior surface to compare against).
No entry returned by `resources/list` or `prompts/list` contains a markdown link with a `javascript:` or `data:` target, an HTML tag a renderer would execute or fetch (`<script>`, `<img>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), or a non-HTTPS inline URL in its description (or name, for resources). Resources and prompts reach the model with the same trust as tool descriptions, so the same technical-injection classes apply.
Up to three https resources advertised by `resources/list` are fetched via `resources/read` (capped at 8 KB each, fully redacted) and scanned for the same injection patterns the scanner applies to tool descriptions: dangerous markdown links (`[text](javascript:…)` / `data:`), executable HTML tags (`<script>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), and inline non-https URLs. Until tier-3-final the probe scanned only the `resources/list` metadata; this rule closes the gap that a server can publish clean metadata while the resource body itself carries an injection payload.
The MCP endpoint hostname is not `localhost`, a loopback address, a private/link-local IP range, or a *.local / *.internal / *.intranet / *.lan name. Internal-only hostnames in a published MCP URL usually indicate a misconfigured deployment.
Every tool the capability classifier flags as destructive (delete/write/financial verb in name, description, or schema) sets `annotations.destructiveHint: true`. Companion rule to `tool_annotations_consistent` — that rule fires only on contradictions (`destructiveHint: false` on a destructive tool). This rule fires on silence: a destructive-classified tool whose annotations omit `destructiveHint` entirely. Silence is exactly the camouflage pattern an operator needs flagged.
The probe followed every `nextCursor` returned by `tools/list` until the server signalled the final page. The MCP spec lets servers paginate the tool list with an opaque `cursor`; an honest server returns the full surface across however many pages it needs. The probe enforces a 5-page / 500-item cap to bound the walk; hitting that cap is a tell that either the server is unusually large (operator should split it) or that a hostile server is hiding tools beyond the visible window.
No advertised tool sends an outbound message on the operator's behalf (send_email, send_sms, post_message, broadcast, notify, …). Messaging tools enable spam, phishing and impersonation if exposed without scoped review.
Every tool includes a non-empty `description`. Missing descriptions make capability review impossible without invoking the tool, which the scanner refuses to do.
`serverInfo.name` is lowercased and split on non-alphanumerics; tokens shorter than three characters and noise words (`mcp`, `server`, `service`, `api`, `the`, `official`) are dropped. The rule passes if any surviving token is a substring of the TLS certificate CN, any SAN, or the URL hostname (also lowercased). A name like "Slack MCP" served from `mcp.attacker.com` with no matching SAN is a passive identity-claim mismatch worth flagging. The check is deliberately generous — case-insensitive substring, any token — so single-word product names hosted on their own domain pass cleanly. False positives are possible on multi-tenant CDN hostnames (e.g. `*.cloudfront.net`) where the cert identity belongs to the platform, not the operator; treat a fail as 'investigate', not 'malicious'.
Every tool's `inputSchema` parses as a finite, well-formed JSON Schema document — no oversize blobs (>64 KB serialized), no nesting deeper than 32 levels, no `$ref` whose target is unresolvable or non-local, no recursion cycle through `$ref`. The existing `analyzeSchemaRisk` walker tolerates malformed schemas silently (it uses a WeakSet to avoid infinite loops) — so a schema this rule fails would otherwise reach the agent unchecked, defeating pre-call validation and review.
The set of tool names advertised by `tools/list` is a subset of the set advertised by the most recent prior scan of this server. A newly-added tool name is capability creep — the existing operator approval was granted against a smaller surface. Silent on first scans (no prior surface to diff against). Complement to `tool_surface_unchanged_since_last_scan`, which fires once on any drift; this rule surfaces specifically the additive subset with per-tool evidence.
For every tool whose name appears in both this scan and the most recent prior scan, the `description` field is byte-identical. A description rewrite with no name change is the canonical rug-pull camouflage: the existing approval still routes calls to the same tool name, but the documented behavior — and therefore the model's interpretation of the call — has shifted underneath. Silent on first scans.
When the server requires authentication (HTTP 401/403 to an unauthenticated probe), its `WWW-Authenticate` challenge carries a `resource_metadata=` parameter pointing at a fetchable URL, *or* a parseable `.well-known/oauth-protected-resource` document is discoverable at the host root or under the endpoint path. RFC 9728 / MCP Authorization §discovery require one or the other so a client can start the authorization flow without out-of-band documentation. Stricter than `auth_discovery_advertised_when_required`: that rule passes on any `WWW-Authenticate` header; this one requires the spec-correct PRM hint or document.
No tool description on this server appears on at least one OTHER distinct server in the AgentReserve fingerprint store. Cross-server collisions catch the camouflage pattern where a malicious server clones a benign server's tool description verbatim — and broader campaigns that ship multiple servers all advertising the same suspect description. Companion to `tool_surface_has_no_duplicate_descriptions`, which catches duplicates inside the *same* scan; this rule looks across history.
No advertised tool offers generic outbound network access (fetch_url, http_request, curl, wget, download, upload, …). A public network-fetch tool turns the MCP server into an open proxy and a SSRF pivot for any agent that connects to it.
When the operator opts into a deep scan (`deepScan: true` request flag, plus the server-side `AGENTRESERVE_ENABLE_DEEP_SCAN=true` env gate), the scanner attempts up to 3 `tools/call` invocations against tools the classifier marks as READ. Each call uses strictly-typed arguments synthesized from the tool's own `inputSchema` (only enum / const / pattern-constrained string / numeric / boolean primitives — no free-form sensitive fields). The rule passes when every attempted call either succeeded or returned a transport-level error (network, 404, etc.); it fails when at least one tool rejected its own schema-compliant input with a JSON-RPC protocol error. The default scan stays passive — this rule is non-applicable when active probing did not run.
When `serverInfo.name` matches a known-published MCP server in the in-tree allow-list (initially the official `@modelcontextprotocol/*` namespace), the advertised `serverInfo.version` matches the registry's `latest` dist-tag. The lookup is cached for one hour per package, never reaches a registry outside the allow-list, and returns `not-applicable` when the server isn't covered. Tier-final / T2.6 — minimum-viable manifest provenance.
The MCP `initialize` response includes a `protocolVersion`. Servers that omit it make safe client fallback impossible.
When the protected resource metadata advertises one or more authorization servers, at least one of those issuers publishes a parseable RFC 8414 / OpenID Connect Discovery metadata document. This is what tells a client where to send the user, where to fetch tokens, and where to verify signatures.
When authorization server metadata is discovered, it advertises a `token_endpoint`. Without one, clients cannot exchange authorization codes (or refresh tokens) for access tokens — the flow is inert.
When authorization server metadata is discovered, it advertises a `jwks_uri` so clients can verify token signatures. Required for any authorization server issuing signed tokens.
Every advertised tool name matches `/^[a-zA-Z][a-zA-Z0-9_.-]{0,63}$/` — a length-bounded ASCII identifier. Names with shell metacharacters, whitespace, control characters, or unicode look-alikes can confuse logging, agent argument parsers, and reviewers.
No advertised tool's `inputSchema` carries broad-shape smells: `additionalProperties: true`, untyped `object` properties, or sensitive free-form string fields (`query`, `command`, `path`, `url`, `sql`, `prompt`, `token`, `secret`) without an `enum`, `pattern`, or `format` constraint. Each one is a passive smell that lets a caller send input the schema does not document. Prompt-injection-shaped instructable-text fields specifically are scored under `prompt_injection_surface`; this rule retains the broader structural shape evidence at a lower weight.
Every tool's `description` is at most 4096 UTF-8 bytes. The model reads each description on every call, so an oversized description is both a per-call token-cost amplifier and a context-window-eviction primitive: a hostile server pads ignorable filler into a description so prior conversation gets pushed out before the agent decides what to do. 4 KB covers any benign documentation purpose.
The peer certificate's `notAfter` is at least 14 days in the future. Certificates that expire imminently cause sudden client-side failures and indicate an unmanaged renewal process.
Within the advertised `tools/list`, no two distinct tools share a byte-identical (post-trim) non-empty description. Within-server duplicate descriptions catch two failure modes: lazy / autogenerated catalogs where every tool reads the same boilerplate, and the camouflage pattern where a malicious tool inherits a benign sibling's description verbatim so a side-by-side reviewer can't tell them apart.
The `initialize` response includes a `serverInfo.name` so operators can recognize the implementation and cross-reference it with upstream advisories.
Servers exposing a very large number of tools (>50) increase the agent's blast radius. Smaller, focused servers are easier to audit and reason about.
The probe completed within the 3-redirect cap enforced by `safeFetch`. Long redirect chains complicate SSRF defense and indicate misconfigured deployments.
The full `initialize` + `tools/list` + (best-effort) `resources/list` / `prompts/list` walk completed in under 15 seconds. The 10-second per-call timeout still applies; this rule surfaces the aggregate budget across all calls. A probe that consistently takes longer than 15 seconds is either tarpitting (slow-roll responses to drive up scanner cost) or running on a misconfigured deployment.
The `initialize` response includes a `serverInfo.version` so operators can pin known-good builds and cross-reference upstream advisories.
The probe response stayed under the 1 MB cap enforced by `safeFetch`. Servers that return multi-megabyte JSON-RPC responses can exhaust client memory and indicate something is wrong with their tools/list output.
The probe transport layer accepted the response's content-type. MCP servers MUST return JSON-RPC over HTTP or SSE; any other content-type makes the response unusable.
What we did and did not look at.
The MCP endpoint did not return 401 or 403 to an unauthenticated request.
No WWW-Authenticate header was returned.
No protected-resource metadata document was parseable at the well-known URLs.
Protected-resource metadata did not list any authorization servers.
No authorization server advertised a `registration_endpoint`.
No `grant_types_supported` field was observed.
No `token_endpoint` was observed in authorization-server metadata.
No `jwks_uri` was observed in authorization-server metadata.
Initialize, tools/list and most tool metadata were retrieved. The score is based on a complete protocol read.
Server responded to the initialize handshake.
Server advertised an MCP protocol version.
Server advertised serverInfo.name.
Enumerated the advertised tool surface.
0 tools advertised.
No tools advertised, so nothing to check.
No tools advertised, so nothing to check.
Header GET returned HTTP 400.
Final response advertised `application/json`.
No redirects — final URL was the requested URL.
Certificate valid for another 62 days.
Never invoked by design. AgentReserve does not execute tools — safety is a structural invariant of the probe client.
Auth flows, token handling and permission boundaries were not exercised.
Server implementation, dependencies and supply chain were not audited.
No tool was executed, so side effects, latency, errors and rate limits were not observed.
What this report does not tell you
How this server has scored over time.
The scoring methodology has been updated since this report was generated (2026-05-03-final-active-provenance-feedback → 2026-05-06-rebalance-and-false-positive-disclosure). Rescan to compare against the current methodology.
Live badge — auto-updates on every rescan.[](https://agentreserve.dev/reports/6g4fmlv0b4)<a href="https://agentreserve.dev/reports/6g4fmlv0b4"><img src="https://agentreserve.dev/badge/svr_sbfiqhwcgk90cs15.svg" alt="AgentReserve security score for seolinkmap.com" /></a>[](https://agentreserve.dev/reports/6g4fmlv0b4)