MEOK MCP Hardening MCP
Automated security red-team for ANY MCP server. Maps the OWASP LLM Top 10 (2025) plus 5 MCP-specific risks to a 0-100 hardening score and an HMAC-signed report.
🛡️ Part of the MEOK Governance Substrate (£499/mo) — combine with
mcp-spec-compliance-mcpfor spec-grade conformity AND security-grade hardening on every server you ship.
What it does
Every MCP server you publish ends up loaded inside someone's agent loop. That makes the manifest itself an attack surface. This MCP reads any server.json (or live MCP descriptor) and returns a structured security report covering:
| Category | What we check |
|---|---|
| LLM01 Prompt injection | Instructional phrases in tool descriptions |
| LLM02 Insecure output | eval / exec / shell sinks |
| LLM05 Supply chain | Pinned versions, repo URL, provenance |
| LLM06 Secret disclosure | OpenAI / Anthropic / Stripe / GitHub / AWS / Slack keys in manifest |
| LLM07 Insecure plugin design | Missing name, over-broad tool surface |
| LLM08 Excessive agency | Destructive verbs (delete, send, transfer) without confirmation gate |
| LLM09 Overreliance | No license / homepage / metadata block |
| LLM10 Model theft | Public HTTP endpoint with no declared auth |
| MCP-S1 Tool-name spoofing | Non-ASCII characters / homoglyphs |
| MCP-S2 Roundtrip-input echoing | Untrusted-data sinks back to description |
| MCP-S3 Resource URI integrity | Plain http:// resources |
| MCP-S4 Privilege exposure | admin_* / sudo_* tools on public surface |
| MCP-S5 Long-running tool gating | No cancel signal documented |
Quick start
pip install meok-mcp-hardening-mcp
# or run with uvx (no install)
uvx meok-mcp-hardening-mcp
from server import audit
report = audit(your_server_json)
print(report.score(), report.grade()) # e.g. 87 "B"
Tools exposed
audit_server_json(server_json)— full reportaudit_tool_description(tool)— one-tool deep scancheck_destructive_surface(server_json)— just LLM08 findings (CI gate)check_supply_chain(server_json)— just LLM05 findingslist_owasp_findings()— rule map referencegenerate_hardened_template()— passing-score starter manifestsign_security_report(audit_result)— HMAC-seal for public verify
Scoring
Start at 100, subtract:
- 25 per critical finding
- 15 per high
- 8 per medium
- 3 per low
Grade: A ≥ 90 · B ≥ 80 · C ≥ 70 · D ≥ 60 · F otherwise.
Verify any signed report
Every signed report carries an HMAC tag. Verify at https://meok.ai/verify.
Why this exists
Every MCP author publishing to the Anthropic Registry, Smithery, Glama, or Awesome-MCP needs a clean security review. Every MCP consumer (Claude Desktop, Cursor, Windsurf) wants to verify what they're loading. This MCP is the seatbelt — free MIT, scriptable, signable.
Wire it up
// .mcp.json
{
"mcpServers": {
"meok-mcp-hardening": {
"command": "uvx",
"args": ["meok-mcp-hardening-mcp"]
}
}
}
Pricing
- Self-host: free (MIT)
- Starter: £29/mo — 1K hardening audits/month, signed report SLA
- Pro: £79/mo — 10K audits/month, branded badge, public verify URL
- Governance Substrate: £499/mo — bundled with 10 governance MCPs
- A2A Substrate: £999/mo — bundled with all 12 A2A MCPs + attestation chain
Companion MCPs
mcp-spec-compliance-mcp— schema conformity auditmeok-mcp-cardgen-mcp— generate.well-known/mcpcardagent-prompt-injection-firewall-mcp— runtime injection defencemeok-aaif-agent-card-mcp— AAIF agent identity
💸 Try MEOK in 30 seconds — instant buy ladder
| Tier | Price | What you get | Stripe |
|---|---|---|---|
| Smoke test | £1 | Signed sample MCP-Hardening report + Article 50 PDF | https://buy.stripe.com/dRmcN75ScdQS7oh1Uc8k90U |
| Quick Kit | £9 | EU AI Act Article 50 implementation guide (C2PA + EU-Icon) | https://buy.stripe.com/cNi00la8s1460ZT0Q88k90V |
| Founder Call | £29 | 30-min 1-on-1 with the founder | https://buy.stripe.com/8x228ta8s6oqbExaqI8k90W |
Refundable. UK Stripe — VAT-clean. Builds on the 81-MCP MEOK fleet.Verify any signed report at https://meok.ai/verify.
Legal
Built by MEOK AI Labs — trading name of CSOAI LTD, UK Companies House 16939677.Founder: Nicholas Templeman ([email protected]).License: MIT.
