MCP Score

The MCP Score is CheckMCP's vendor-neutral, explainable 0–100 grade for a Model Context Protocol server. It combines seven weighted pillars — security, tool design, schemas, reliability, context-cost, compliance and coverage — into one number, and attributes every deduction as measure → mechanism → effect, so the score is auditable rather than a black box.

The seven pillars

Each pillar measures one dimension of server quality: security (an OWASP MCP Top 10 pass, the top-weighted pillar), tool design (sprawl vs. consolidation, calibrated on real servers), schemas & descriptions (tool and input/output schema completeness), context-cost (tokens paid on every tools/list), compliance (protocol-version gap, annotations, JSON-RPC error conformance, OAuth discovery), reliability (drift over time), and coverage (tools, resources and prompts).

The pillars are weighted and summed to a 0–100 score, then mapped to a letter grade.

Hard floors

Some problems are categorical, not gradual. A hardcoded secret in a schema or a critical injection (tool poisoning) caps the grade at D no matter how clean the rest is; a failed protocol handshake caps it at F. These floors stop a server from buying back a serious security failure with polish elsewhere.
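The weighted sum and the hard floors described above can be sketched as follows. This is an added example, not CheckMCP's own code: the pillar weights, grade cut-offs, finding names and the `score_server` function are assumptions made for illustration, and only the pillar names and the D/F caps come from this page.

```python
# Added illustration. Weights, grade cut-offs and finding names are
# assumptions, not CheckMCP's published values.
from dataclasses import dataclass

PILLAR_WEIGHTS = {  # hypothetical; security is top-weighted, as the page states
    "security": 0.30, "tool_design": 0.15, "schemas": 0.15, "reliability": 0.10,
    "context_cost": 0.10, "compliance": 0.10, "coverage": 0.10,
}
GRADE_CUTOFFS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]  # hypothetical
GRADE_ORDER = "ABCDF"  # best to worst
# Hard floors from the page: finding -> best grade still attainable.
HARD_FLOORS = {
    "hardcoded_secret_in_schema": "D",
    "critical_injection": "D",
    "failed_handshake": "F",
}

@dataclass
class Deduction:
    pillar: str
    measure: str      # what was measured
    mechanism: str    # why it matters
    effect: str       # effect on the agent
    points: float     # points lost inside the pillar (0-100 scale)

def score_server(deductions, findings):
    """Return score, grade, the finding that capped the grade, and pillar scores."""
    unknown = {d.pillar for d in deductions} - PILLAR_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown pillar(s): {sorted(unknown)}")
    pillars = {p: 100.0 for p in PILLAR_WEIGHTS}
    for d in deductions:
        pillars[d.pillar] = max(0.0, pillars[d.pillar] - d.points)
    total = round(sum(pillars[p] * w for p, w in PILLAR_WEIGHTS.items()), 1)
    grade = next(g for cutoff, g in GRADE_CUTOFFS if total >= cutoff)
    capped_by = None
    for finding in findings:
        cap = HARD_FLOORS.get(finding)
        # A floor only ever lowers the grade; it never raises a worse one.
        if cap and GRADE_ORDER.index(cap) > GRADE_ORDER.index(grade):
            grade, capped_by = cap, finding
    return {"score": total, "grade": grade, "capped_by": capped_by, "pillars": pillars}
```

A server with no deductions but a `hardcoded_secret_in_schema` finding keeps its numeric score of 100 and still comes out at grade D, with `capped_by` naming the finding responsible.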

Explainable, and more than the endpoint

Every penalty is traceable: the report states what was measured, the mechanism, the effect on the agent, and the points lost — Lighthouse-style. CheckMCP also grades the backing GitHub repository separately as a Repo-Quality Score /100 (maintenance, license, adoption, documentation), so a server is judged on both its live behavior and its project health.

How CheckMCP handles it

The MCP Score is what CheckMCP produces for every audited server. It is computed in the open (the methodology is published), calibrated on a growing corpus of real MCP servers, and free — you get it by pasting a URL at checkmcp.dev or running the CLI. The score stays free as the acquisition layer; paid plans add continuous monitoring, behavioral evals and the in-band gateway.

MCP Score — FAQ

What is a good MCP Score?

Higher is better on the 0–100 scale, mapped to letter grades. A grade of A or B indicates strong security and design; C is moderate; D or F flags significant issues — and certain security failures (a secret in a schema, a critical injection, a failed handshake) hard-cap the grade regardless of the rest.

How is the MCP Score calculated?

Seven weighted pillars (security, tool design, schemas, reliability, context-cost, compliance, coverage) are scored against the real MCP ecosystem and summed, with hard floors for categorical security failures. Every deduction is attributed to a measurable cause.

Is the MCP Score free?

Yes. Auditing and the MCP Score are free, including the open-source CLI and the public directory. Continuous monitoring, on-demand behavioral evals and the in-band gateway are paid features.

What is the difference between the MCP Score and the Repo-Quality Score?

The MCP Score grades the live server (security, tool design, schemas, context-cost, compliance, coverage, reliability). The Repo-Quality Score /100 separately grades the backing GitHub repository on maintenance, license, adoption and documentation.