Proposal: show an MCPWatch security grade on each server listing
Context. MCPWatch (https://mcpwatch.pages.dev, https://github.com/lazymac2x/mcpwatch) is a new open-source MCP server security scanner. It runs the 10 OWASP MCP Top 10 checks on any public MCP repo and produces an A–F letter grade. There are:
- A CLI: `npx mcpwatch-scanner /path/to/mcp`
- A scheduled crawler that grades popular public MCPs daily
- A public live leaderboard
- A free SVG badge endpoint: `https://api.lazy-mac.com/mcpwatch/badge/{owner}/{repo}.svg`
- A JSON scan-detail endpoint: `https://api.lazy-mac.com/mcpwatch/scan/{owner}/{repo}`
- A free GitHub Action: `lazymac2x/mcpwatch-action@v1`
Proposal. Smithery already lists hundreds of MCP server cards. Surfacing a safety signal next to each card would materially help users judge whether a server is safe to install before they click npx. Concretely, one of two non-invasive options:
Option A — Badge image. Render a small MCPWatch grade badge on each server card by embedding the SVG from the free endpoint. Zero runtime cost, cacheable, falls back silently if the scanner hasn't seen that repo yet.
```html
<img src="https://api.lazy-mac.com/mcpwatch/badge/{owner}/{repo}.svg"
     alt="MCPWatch security grade" />
```
Option B — Link only. Add a Security audit ↗ link on each server detail page pointing to https://api.lazy-mac.com/mcpwatch/scan/{owner}/{repo} so users can opt in manually.
I'm happy to open a PR implementing Option A (rough scope: pick where to render + add one fetch + handle the 404 / ? grade case). Would a PR like that be welcome, or does the team prefer a different shape?
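One way Option A's fetch-and-fallback logic could look on the card-rendering side, as an added example that is neither Smithery's nor MCPWatch's code: it validates the owner/repo slugs before interpolating them into the third-party URL, and treats a 404 or an unknown ("?") grade as "not scanned yet" so no badge is shown. The JSON field name `grade` and the GitHub slug rules are assumptions.

```javascript
// Added example (not Smithery's or MCPWatch's code). Assumptions: owner/repo
// follow GitHub slug rules, and the scan JSON carries the letter in a "grade"
// field (field name assumed; the endpoint's real schema may differ).
const BADGE_BASE = "https://api.lazy-mac.com/mcpwatch/badge/";
const GRADES = new Set(["A", "B", "C", "D", "E", "F"]);
// Slug characters only: letters, digits, '.', '_', '-'. Keeps user-submitted
// repo names from altering the path of the URL we embed on every card.
const SLUG = /^[A-Za-z0-9._-]{1,100}$/;

function buildBadgeUrl(owner, repo) {
  for (const part of [owner, repo]) {
    // "." and ".." survive encodeURIComponent unchanged, so reject them outright
    if (!SLUG.test(part) || part === "." || part === "..") return null;
  }
  return `${BADGE_BASE}${encodeURIComponent(owner)}/${encodeURIComponent(repo)}.svg`;
}

// Map the scan endpoint's HTTP status and JSON body onto a card state.
// 404 and a "?"/unexpected grade both mean "not yet scanned": hide the badge
// rather than render something misleading.
function badgeState(status, body) {
  if (status === 404) return { show: false, reason: "unscanned" };
  if (status !== 200) return { show: false, reason: `http-${status}` };
  const raw = body && typeof body.grade === "string" ? body.grade : "";
  const grade = raw.trim().toUpperCase();
  if (!GRADES.has(grade)) return { show: false, reason: "unknown-grade" };
  return { show: true, grade };
}

// Markup for the card; an empty string when there is nothing trustworthy to show.
// The URL is built only from validated slugs, so it is safe inside the attribute.
function cardBadgeHtml(owner, repo, status, body) {
  const url = buildBadgeUrl(owner, repo);
  const state = badgeState(status, body);
  if (url === null || !state.show) return "";
  return `<img src="${url}" alt="MCPWatch security grade ${state.grade}" loading="lazy">`;
}
```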
Disclosure. I maintain MCPWatch. The scanner and the badge endpoint are MIT / free — there is no tracking and no API key requirement. The project has a $49 Pro Report as an upsell, but the Smithery integration path is free-only forever.
Thanks for maintaining Smithery.