A few months ago, a friend's MCP server accidentally deleted his database. That stuck with me. We're building AI systems that can modify data and execute commands, but we don't have practical tools to validate they're safe.
So I built mcp-security (security documentation with real code examples) and started mcp-verify (an automated auditor).
What makes mcp-security different: - 12 actionable rules mapped to OWASP Top 10 - Real vulnerable and secure code implementations (Node.js) - Compliance mapping (SOC2, HIPAA, PCI DSS) - Bilingual (English + Spanish) - Free, MIT licensed
mcp-verify (still in development) will test MCP servers for security vulnerabilities, load capacity, and protocol compliance. But the interesting part: it's also an MCP server itself, so Claude can use it to audit other servers.
Happy to answer questions about MCP security or the roadmap!