Frequently asked questions

Everything about auditing MCP servers with MCProbe.

What is MCProbe?
MCProbe audits MCP (Model Context Protocol) servers — the servers that give AI agents access to tools. It checks whether a server is actually good enough for an agent to use: it lints every tool's schema, behaviorally tests the tools with broken inputs, and returns a 0–100 conformance score with an A–F grade and a list of fixes.
What can I audit here?
Both kinds of MCP server. Remote servers with a URL (GitHub, Linear, Stripe, docs.base.org/mcp, anything you've deployed) audit right here — paste the HTTPS URL and hit Audit, nothing changes on the server's side. Local stdio servers (the `npx some-server` style, no URL) audit too, via the open-source CLI with a Pro API key — see the next question.
Can I audit a local (stdio) server?
Yes — and it's a Pro feature. A local stdio server has no URL and runs on your machine, so a website can't reach it (and we shouldn't run a stranger's process on our servers). Instead, the audit runs on your machine via the open-source CLI and uploads the result to your account with your personal API key:
npx mcprobe push --stdio "npx your-server" --fuzz --token <key>
You create the key on your profile after going Pro, which also has the exact steps. Uploaded audits are private by default; flip one to public to share it.
How does the score work?
Four dimensions, each out of 10, averaged into a 0–100 overall with an A–F grade: Metadata & Documentation, Schema Quality, Error Handling and Liveness. The two behavioral dimensions are only measured when you enable fuzzing; a static audit is scored on the first two.
What's the difference between a static audit and fuzzing?
A static audit is read-only — it inspects the schemas and never calls the server's tools, so it's safe on any server. Fuzzing actually calls each tool with malformed inputs to see how it responds (graceful error, silent accept or crash). It's an opt-in toggle and tools marked destructive are skipped for safety.
Is it safe to audit a server I don't own?
A static audit makes no tool calls at all. Even with fuzzing on, MCProbe by default skips any tool the server marks as destructive, so a normal audit won't trigger a harmful action. You can opt into fuzzing destructive tools, but do so only when you know it's safe.
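As an added illustration (not MCProbe's code, and not a description of how MCProbe decides internally), this JavaScript sketch shows the fuzzing behaviour described in the two answers above: skip tools marked destructive, build malformed inputs from each tool's schema, and sort replies into graceful error, silent accept or crash. It assumes the MCP tool annotations `readOnlyHint` and `destructiveHint`; the function names, the `strict` option and the sample tools are hypothetical.

```javascript
// Added example, not MCProbe's code; tool names and schemas are constructed.
const VALID = { string: "x", number: 1, integer: 1, boolean: true, array: [], object: {} };
const WRONG = { string: 12345, number: "NaN", integer: "1.5", boolean: "yes", array: {}, object: [] };
// strict=true applies the MCP spec default: destructiveHint is true unless set to false.
function isDestructive(tool, strict = false) {
  const a = tool.annotations || {};
  if (a.readOnlyHint === true) return false;
  return strict ? a.destructiveHint !== false : a.destructiveHint === true;
}

// Split a tools/list result into tool names to fuzz and tool names to skip.
function planFuzz(tools, { strict = false, allowDestructive = false } = {}) {
  const plan = { fuzz: [], skip: [] };
  for (const t of tools) {
    const skip = !allowDestructive && isDestructive(t, strict);
    plan[skip ? "skip" : "fuzz"].push(t.name);
  }
  return plan;
}

// Malformed args from inputSchema: drop each required field, then mistype each field.
function malformedCases(schema) {
  const props = schema.properties || {};
  const base = {};
  for (const [k, p] of Object.entries(props)) base[k] = VALID[p.type];
  const cases = [];
  for (const k of schema.required || []) {
    const args = { ...base };
    delete args[k];
    cases.push({ kind: `missing:${k}`, args });
  }
  for (const [k, p] of Object.entries(props)) {
    if (p.type in WRONG) cases.push({ kind: `wrong-type:${k}`, args: { ...base, [k]: WRONG[p.type] } });
  }
  return cases;
}

// Sort a tools/call reply into the three outcomes; null = no reply (timeout, closed pipe).
function classify(reply) {
  if (reply == null) return "crash";
  if (reply.error || (reply.result && reply.result.isError === true)) return "graceful error";
  return "silent accept";
}
const SAMPLE_SCHEMA = { type: "object", properties: { query: { type: "string" }, limit: { type: "integer" } }, required: ["query"] };
const tools = [
  { name: "search_docs", annotations: { readOnlyHint: true }, inputSchema: SAMPLE_SCHEMA },
  { name: "delete_repo", annotations: { destructiveHint: true }, inputSchema: SAMPLE_SCHEMA },
  { name: "create_note", inputSchema: SAMPLE_SCHEMA }, // no annotations: skipped only in strict mode
];
console.log(planFuzz(tools), planFuzz(tools, { strict: true }), malformedCases(SAMPLE_SCHEMA));
```

In this sketch the unannotated `create_note` tool is fuzzed unless `strict` is set, which is the case to watch when a server ships no annotations at all.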
What do I get for free?
2 audits a day, each with a soft report: the score, grade, coverage, the critical-issues flag, the four dimension scores and finding counts. Enough to see how a server is doing.
What does the $9.90 unlock?
A one-time $9.90 is lifetime access: 30 audits a day, the full report (per-dimension reasons, every finding with the exact tool/parameter, the fuzz table and the prioritized fixes), local (stdio) server audits via the CLI + your API key, browsing the public gallery, saved audit history, Markdown export and shareable report links.
How do I pay?
Card (via Stripe) or crypto — USDC on Base, USDT on BNB or USDC on Solana. It's a single one-time payment, not a subscription.
Are my audits public?
Audits you run here are public in the gallery by default — you can flip any of them to private. Audits uploaded from the CLI start private and you choose whether to publish them. Browsing the gallery itself is a Pro feature.
Is MCProbe open source?
The audit engine is open source — github.com/alitiknazoglu/mcprobe. It also runs as an MCP server and a command-line tool. This site is the hosted version with accounts, the gallery and 30 audits a day.