Your MCP Server Has Security Debt You Don't Know About.
We audit MCP servers against EU AI Act Articles 9, 11, 13, 15 and 17 — and produce a signed PDF compliance report with every finding mapped to a specific regulatory requirement and a prioritized remediation roadmap.
Live Demo — Official Anthropic MCP Filesystem Server
We audited @modelcontextprotocol/server-filesystem — the official Anthropic reference implementation installed by millions of Claude Code, Cursor, and Windsurf users. Here's what we found.
13 of 14 tools have no descriptions. 28 string parameters have zero input constraints. Destructive tools (delete_file, write_file, move_file) are undocumented. If the official reference server scores F — what does yours score?
What's in the Report
A signed PDF, typically 8-12 pages. Suitable for your compliance package, CISO review, or customer due diligence request.
Executive Summary
Plain-English assessment of security posture and overall EU AI Act compliance status. Written for a CISO or CTO, not a developer.
Score Breakdown
MCP Security Hygiene score (0-100) across 5 categories: Documentation, Schema Rigor, Injection Safety, Scope Discipline, Metadata. Plus Agent Trust Score (0-100) across 4 buckets.
Detailed Findings — with Regulatory Mapping
Every finding maps to a specific EU AI Act article and NIST AI RMF function. Not just "this is a problem" — but "this violates Article 9(2)(a) because..."
Art. 9 Risk Management · Art. 13 Transparency · Art. 15 Cybersecurity · Art. 17 Quality Management
Remediation Roadmap
Findings prioritized into 4 buckets: Immediate (blocks deployment), Sprint 0 (before production), Next Sprint, Technical Debt. Each with estimated engineering effort.
Tool Inventory
Complete table of every tool exposed by the server: risk category, purpose alignment, matched risk patterns. Know exactly what surface area you're exposing.
Methodology
Audit methodology, tool versions, scope limitations. Suitable for inclusion in your AI system technical documentation (Article 11 requirement).
Pricing
Flat-rate per report. No retainer. No subscription.
Single
- Full 6-section PDF report
- EU AI Act article mapping
- NIST AI RMF mapping
- Remediation roadmap
- Tool inventory table
- 3-day turnaround

- Everything in Single
- Cross-server risk comparison
- KYA identity card setup
- Ed25519 signing integration
- Compliance program gap analysis
- 5-day turnaround
- 30-day follow-up re-audit included
Who Orders These Reports
Enterprise Teams Deploying MCP
Your legal/compliance team will ask for AI system documentation before you ship. Have the answer ready, not a panicked scramble.
MCP Server Publishers
A passing audit report is a trust signal for your users. "Audited and certified" beats "trust me" in every enterprise procurement conversation.
AI Integration Vendors
Your customers are asking about EU AI Act compliance. Have a real audit report to share in due diligence — not a checkbox in a deck.
Credentialed
LuciferForge submitted a formal response to the NIST AI 100-1 (AI Risk Management Framework) public comment process. Our methodology is built on the NIST AI RMF 1.0 functions and cross-mapped to EU AI Act Articles 9, 11, 13, 15, and 17. Our open-source tools — mcp-security-audit and agentcred — are published on PyPI and actively maintained.
Know What Your Agent Is Exposing
EU AI Act enforcement is approaching. Your MCP servers are your AI attack surface.
Get the audit. Have the documentation. Ship with confidence.