Pre-install MCP check · free · no key
Malicious and broken MCP servers are now a real, documented problem — a fake postmark-mcp package silently BCC'd every email it sent (~300 orgs), and mcp-remote (CVE-2025-6514) shipped an RCE to ~500k users. SaSame continuously observes 14,591 public MCP servers from the outside and tells you, honestly, what an external check can and cannot see — before you wire one into your agent.
A server can pass every check here and still be malicious. Always review the source before installing.
Call our free, no-key public MCP and pass the server's URL:
// MCP endpoint: https://live-vps.sasame.online/public-mcp
audit_mcp({ "url": "https://the-server-you-want-to-check/mcp" })
// → live grade + per-criterion result + a signed (ed25519) observation
Or grade any server straight from your terminal — no install, the CLI is live on npm:
npx mcp-readiness https://the-server-you-want-to-check/mcp
(mcp-readiness is SaSame's open-source CLI — the same 10 checks, runs locally, zero dependencies. npmjs.com/package/mcp-readiness.)
419 A · 2,136 B · 14,591 observed total. Full machine-readable list: checked.json.
If your server scored A or B, embed its live badge (it tracks your current grade) so other developers can see it passed the pre-install check — free, unlike paid trust-badge services:
[](https://live-vps.sasame.online/observatory/check/<your-slug>.html)
SaSame MCP Observatory — an independent, external observer of public MCP servers. Observations are made from outside via the public MCP handshake; unclaimed servers have not confirmed their listing, and a passing check is not an endorsement. This is a protocol/liveness/hygiene check, not a malware or supply-chain audit.