Publisher checklist

Security Checklist

This is the shortest path to a better public score: tighten what you expose, document what you require, and remove surprises.

Start here

Most score improvements come from four habits: declare accurately, reduce power, tighten network behavior, and keep your publisher materials current.

1. Run a free scan
   See the current public score, findings summary, and coverage level.
2. Fix high-signal gaps
   Start with auth, transport, permissions, and undeclared network activity.
3. Document what is true
   Good documentation will not save a weak system, but missing documentation will hurt a strong one.
4. Use deeper review only when needed
   Assisted Review and certification are there for harder environments and higher buyer expectations.

What to improve by category

The category weights below match the public methodology exactly.

Identity & Auth (10 points)

  • Use a clear auth method and document it.
  • Do not expose credentials in tool inputs, logs, or errors.
  • Make login and token scope understandable to buyers.
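
The second item is the one most often failed by accident: a token arrives as a tool argument, the argument dict is logged, or an upstream error message echoes a URL with embedded credentials. The helper below is an added example, not code from the scoring service or any real server. It masks known secret values and credential-shaped text (bearer tokens, key=value secrets, user:pass in URLs) before anything is logged or returned; the patterns and the SECRET_KEYS list are constructed for this example and should be extended for the token formats your server actually handles.

```python
from __future__ import annotations
import re

# Hypothetical credential scrubber for tool inputs, log lines and error text.
# The patterns are constructed for this example; add your own token formats.
_RULES = [
    # "Authorization: Bearer <token>" and bare bearer tokens
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"), "Bearer [REDACTED]"),
    # key=value / key: value secrets in query strings, bodies and log lines;
    # the separator is kept so the surrounding text still reads naturally
    (re.compile(r"(?i)\b(api[_-]?key|access[_-]?token|token|password|client[_-]?secret|secret)"
                r"(\s*[=:]\s*)[^\s&\"']+"), r"\1\2[REDACTED]"),
    # credentials embedded in URLs: scheme://user:pass@host
    (re.compile(r"(?<=://)[^/@\s:]+:[^/@\s]+(?=@)"), "[REDACTED]"),
]

# Argument names whose values are never logged, whatever they contain.
SECRET_KEYS = {"api_key", "apikey", "token", "access_token", "refresh_token",
               "password", "secret", "client_secret", "authorization"}


def redact_text(text: str, known_secrets: tuple[str, ...] = ()) -> str:
    """Replace known secret values first, then anything credential-shaped."""
    out = text
    for secret in known_secrets:
        if secret:                      # never replace the empty string
            out = out.replace(secret, "[REDACTED]")
    for pattern, replacement in _RULES:
        out = pattern.sub(replacement, out)
    return out


def redact_args(args: dict, known_secrets: tuple[str, ...] = ()) -> dict:
    """Copy of a tool-call argument dict with secret keys and values masked."""
    out = {}
    for key, value in args.items():
        if key.lower() in SECRET_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_args(value, known_secrets)
        elif isinstance(value, str):
            out[key] = redact_text(value, known_secrets)
        else:
            out[key] = value
    return out


def safe_error(exc: BaseException, known_secrets: tuple[str, ...] = ()) -> str:
    """Error text that is safe to return to a client or write to a log."""
    return redact_text(f"{type(exc).__name__}: {exc}", known_secrets)


if __name__ == "__main__":
    print(redact_text("Authorization: Bearer eyJhbGciOi.payload.sig"))
    print(redact_args({"repo": "org/app", "token": "ghp_123", "note": "api_key=sk_1"}))
    print(safe_error(RuntimeError("connect failed: https://admin:hunter2@db.example.com/app")))
```

Pass the credentials your server was configured with as known_secrets so exact values are masked even when they do not look like a token; the regex rules are the fallback for values you did not know about. Run every log call and every error returned to a client through these helpers rather than redacting at the one place you remember.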

Permission Scope (8 points)

  • Split read and write actions when possible.
  • Avoid broad catch-all actions.
  • Expose the least power needed for the workflow.

Transport Security (8 points)

  • Serve remote endpoints over HTTPS.
  • Use valid certificates and modern TLS.
  • Keep cross-origin access narrow when possible.

Network Behavior (10 points)

  • Minimize outbound domains.
  • Document the domains your server contacts.
  • Remove unnecessary telemetry and background calls.
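
The documented domain list is only worth something if the server enforces it. Below is an added example, not the scoring service's code or any SDK's: a small policy object that is consulted before every outbound request, refuses anything that is not HTTPS to a documented domain (or, optionally, a subdomain of one), refuses raw IP literals because they cannot be documented meaningfully, and records every host it was asked about so undocumented destinations show up as a list instead of as a scan finding. The class and method names are hypothetical.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit


class OutboundPolicy:
    """Hypothetical outbound-network guard for an MCP server.

    The documented domain list is the only set of hosts the server may
    contact; everything else is refused and recorded so the documentation
    gets updated rather than quietly drifting.
    """

    def __init__(self, documented_domains, allow_subdomains: bool = True):
        self.allowed = {d.lower().strip(".") for d in documented_domains}
        self.allow_subdomains = allow_subdomains
        self.seen: dict[str, int] = {}          # host -> request count

    def host_allowed(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            ipaddress.ip_address(host)          # raw IP literal
            return False                        # cannot be a documented domain
        except ValueError:
            pass
        if host in self.allowed:
            return True
        if self.allow_subdomains:
            return any(host.endswith("." + d) for d in self.allowed)
        return False

    def check(self, url: str) -> tuple[bool, str]:
        """Call before every outbound request; returns (allowed, reason)."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False, f"refusing non-HTTPS scheme {parts.scheme!r}"
        host = parts.hostname
        if not host:
            return False, "refusing URL without a host"
        self.seen[host] = self.seen.get(host, 0) + 1
        if not self.host_allowed(host):
            return False, f"refusing undocumented host {host!r}"
        return True, "ok"

    def undocumented_hosts(self) -> list[str]:
        """Hosts the server tried to reach that are not in the documented list."""
        return sorted(h for h in self.seen if not self.host_allowed(h))

    def documentation(self) -> list[str]:
        """Lines for the README's network-access section, generated from the policy itself."""
        suffix = " (and subdomains)" if self.allow_subdomains else ""
        return [f"- https://{d}{suffix}" for d in sorted(self.allowed)]


if __name__ == "__main__":
    policy = OutboundPolicy(["api.github.com", "example.com"])
    for url in ["https://api.github.com/repos/org/app",
                "https://telemetry.vendor.test/ping",
                "http://api.github.com/"]:
        print(url, policy.check(url))
    print("undocumented:", policy.undocumented_hosts())
    print("\n".join(policy.documentation()))
```

Generating the README section from the same list the guard enforces is the cheapest way to keep "documented domains" and "contacted domains" identical. If you find the telemetry or update-check call in undocumented_hosts() during testing, either document it or remove it; the checklist item above says which one to prefer.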

Protocol Compliance (8 points)

  • Target a current MCP protocol version and keep up with specification changes.
  • Return predictable, well-formed responses.
  • Keep capabilities and protocol metadata accurate.

Declaration Accuracy (8 points)

  • Declare every tool and resource honestly.
  • Use precise descriptions, not vague marketing copy.
  • Keep schemas and required parameters complete.
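
Declarations drift because the schema and the handler live in different places. The audit below is an added example, not the scoring service's code or any SDK's, and it assumes the server's tools are plain Python functions whose keyword parameters are the tool's declared input properties (hypothetical handler names). It checks each declared tool against the handler that actually runs it: vague descriptions, required parameters missing from properties, properties without a type or description, parameters the handler accepts but the schema never declares, declared parameters the handler ignores, parameters the handler requires but the schema marks optional, and catch-all **kwargs handlers that make undeclared inputs impossible to validate. The sample declarations are constructed for this example.

```python
from __future__ import annotations
import inspect

# Hypothetical declaration audit: published tool schema vs. the real handler.
VAGUE_DESCRIPTIONS = {"", "tool", "helper", "utility", "does stuff", "misc"}


def audit_tool(declaration: dict, handler) -> list[str]:
    """Return a list of findings (empty when the declaration is accurate)."""
    findings: list[str] = []
    name = declaration.get("name", "<unnamed>")
    desc = (declaration.get("description") or "").strip()
    if desc.lower() in VAGUE_DESCRIPTIONS or len(desc) < 20:
        findings.append(f"{name}: description is missing or too vague to tell a buyer what it does")

    schema = declaration.get("inputSchema") or {}
    props = schema.get("properties") or {}
    required = set(schema.get("required") or [])
    if schema.get("type") != "object":
        findings.append(f"{name}: inputSchema.type must be 'object'")
    for missing in sorted(required - props.keys()):
        findings.append(f"{name}: required parameter {missing!r} is not listed in properties")
    for pname, pschema in props.items():
        if "type" not in pschema:
            findings.append(f"{name}: parameter {pname!r} has no type")
        if not pschema.get("description"):
            findings.append(f"{name}: parameter {pname!r} has no description")

    handler_params = {}
    for p in inspect.signature(handler).parameters.values():
        if p.kind in (p.VAR_POSITIONAL, p.VAR_KEYWORD):
            findings.append(f"{name}: handler accepts arbitrary arguments ({p.name}); "
                            "undeclared inputs cannot be validated")
        else:
            handler_params[p.name] = p
    for pname in sorted(handler_params.keys() - props.keys()):
        findings.append(f"{name}: handler accepts undeclared parameter {pname!r}")
    for pname in sorted(props.keys() - handler_params.keys()):
        findings.append(f"{name}: declared parameter {pname!r} is never used by the handler")
    for pname, p in handler_params.items():
        if pname in props and pname not in required and p.default is inspect.Parameter.empty:
            findings.append(f"{name}: handler requires {pname!r} but the schema marks it optional")
    return findings


def audit_tools(declarations: list[dict], handlers: dict) -> list[str]:
    """Audit a whole tools/list payload; a declared tool with no handler is itself a finding."""
    findings: list[str] = []
    for decl in declarations:
        handler = handlers.get(decl.get("name"))
        if handler is None:
            findings.append(f"{decl.get('name')}: declared but no handler registered")
        else:
            findings.extend(audit_tool(decl, handler))
    return findings


# Constructed declarations and handlers for the example run.
def list_issues(repo: str, state: str = "open"):
    return []


def delete_repo(repo: str, confirm: bool, **extra):
    return None


GOOD = {"name": "list_issues",
        "description": "List issues in a repository, filtered by state.",
        "inputSchema": {"type": "object",
                        "properties": {"repo": {"type": "string", "description": "owner/name"},
                                       "state": {"type": "string", "description": "open, closed or all"}},
                        "required": ["repo"]}}
BAD = {"name": "delete_repo", "description": "helper",
       "inputSchema": {"type": "object",
                       "properties": {"repo": {"type": "string"}},
                       "required": ["repo", "confirm"]}}

if __name__ == "__main__":
    for line in audit_tools([GOOD, BAD], {"list_issues": list_issues, "delete_repo": delete_repo}):
        print(line)
```

Run this as a unit test in CI against the exact payload your tools/list response is built from; a declaration that passes the audit on release day and fails after a refactor is precisely the drift the category measures.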

Tool Integrity (10 points)

  • Remove hidden prompts and risky side behavior.
  • Keep tool names and behaviors stable.
  • Do not let one tool silently do the work of several.

Input Validation (8 points)

  • Constrain file paths, URLs, and shell-like parameters.
  • Validate types and formats before execution.
  • Reject obviously dangerous or malformed input early.
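
The three bullets map onto three small checks, shown below as an added example (not the scoring service's code or any SDK's; the function names are hypothetical). Paths are resolved and required to stay under a base directory, which also catches symlinks planted inside it; URLs must be https, carry no embedded credentials, and not point at loopback, private or link-local addresses such as a cloud metadata endpoint; shell-like parameters are never passed to a shell at all: the executable comes from a server-side allowlist, the arguments are checked against a conservative character set, and option-like arguments are refused so a client cannot smuggle in something like --output=/etc/cron.d/job. All checks raise before anything executes.

```python
from __future__ import annotations
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit


class InvalidInput(ValueError):
    """Raised before any execution happens; the message is safe to return."""


def safe_path(user_path: str, base_dir: str) -> Path:
    """Resolve a client-supplied path and require it to stay inside base_dir."""
    if "\x00" in user_path:
        raise InvalidInput("NUL byte in path")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks that exist, so a link
    # planted inside base_dir that points outside is caught as well.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise InvalidInput("path is outside the allowed directory")
    return candidate


def safe_url(url: str, max_len: int = 2048) -> str:
    """Accept only a well-formed public https URL without embedded credentials."""
    if len(url) > max_len:
        raise InvalidInput("URL too long")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InvalidInput("only https URLs are accepted")
    host = parts.hostname
    if not host:
        raise InvalidInput("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise InvalidInput("credentials in URL are not accepted")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return url          # a hostname; which hosts may be contacted is a separate policy
    if not ip.is_global:    # loopback, private, link-local (169.254.169.254), reserved
        raise InvalidInput("URL points at a non-public address")
    return url


# Characters that cannot change how an argv entry is interpreted. There is no
# shell in the picture, so metacharacters are rejected, not escaped. Paths
# passed as arguments should additionally go through safe_path().
_SAFE_ARG = re.compile(r"[A-Za-z0-9_.@/:=+,-]{1,256}")


def safe_argv(command: str, args: list[str], allowed_commands: dict[str, str]) -> list[str]:
    """Build an argv list for subprocess.run(argv, shell=False) from allowlisted pieces.

    allowed_commands maps a short command name to its absolute path, so the
    client never chooses the executable.
    """
    if command not in allowed_commands:
        raise InvalidInput(f"command {command!r} is not allowed")
    for arg in args:
        if not isinstance(arg, str) or not _SAFE_ARG.fullmatch(arg):
            raise InvalidInput("argument contains disallowed characters")
        if arg.startswith("-"):
            raise InvalidInput("option-like arguments are not accepted")
    return [allowed_commands[command], *args]


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises InvalidInput; handy for exercising the checks."""
    try:
        fn(*args)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    print(safe_path("reports/2024.csv", "/srv/mcp-data"))
    print(rejects(safe_path, "../../etc/passwd", "/srv/mcp-data"))
    print(rejects(safe_url, "https://169.254.169.254/latest/meta-data/"))
    print(safe_argv("git", ["log", "main"], {"git": "/usr/bin/git"}))
    print(rejects(safe_argv, "git", ["log", "main; rm -rf /"], {"git": "/usr/bin/git"}))
```

The order matters: validate, then execute, never the reverse, and return the InvalidInput message to the client rather than the underlying OS or library error, which may leak paths or credentials.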

Supply Chain (8 points)

  • Keep dependencies current.
  • Use reputable package sources.
  • Remove unused dependencies and stale packages.

Code Transparency (6 points)

  • Publish source or provide enough evidence for buyers to evaluate posture.
  • Keep the repo readable and maintained.
  • Include a license and basic documentation.

Publisher Trust (8 points)

  • Keep publisher identity current.
  • Respond to security questions and findings.
  • Use the same ownership signals across docs, packages, and server listings.

Data Protection (8 points)

  • Do not expose secrets or sensitive user data in responses.
  • Minimize retention and logging.
  • Be clear about what the server reads, stores, and sends onward.

Coverage matters

A better score is not the whole story

Buyers also look at scan coverage, confidence, stale review age, linked advisories, and changes since the last scan. Keep those signals healthy too.

Next step

Run the free scan first

The public scan tells you where to start. Use Assisted Review only when auth, staging, or custom setup makes the free scan incomplete.