frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Show HN: I ran 70 MCP servers in a sandbox and logged what they do

https://github.com/BhaveshThapar/mcp-audit
2•bthapar•1h ago

Comments

bthapar•1h ago
I built this because the MCP registry verifies who published a server (namespace auth tied to a GitHub account/domain), but nothing verifies what a server does once you run it. The trust tooling I could find is almost all static analysis, scanning source and metadata. That misses the stuff that only shows up at runtime: a server that connects somewhere unrelated to its job, reads files outside its lane, or changes behavior in a later version after you've already trusted it (the rug-pull case). So I ran each server in a throwaway Linux container under strace, logging every file open and network connection, with a fake credential seeded in the environment as a canary. Ran it across 70 servers, the 20 most-downloaded on npm plus 50 from the long tail. 67 were clean at startup. 3 make outbound HTTPS calls at boot, before any tool is invoked, all to hosts consistent with what they're for (an exchange integration, a GitHub fetch, some CDN/cloud endpoints), and none read sensitive files or touch the canary. 1 (bullmq-mcp) reads /etc/passwd at startup, which looked alarming until the trace showed it's a standard glibc user lookup (nsswitch.conf then passwd, classic getpwuid), and a follow-up run confirmed the contents never leave the process. Benign. Honest scope: this only captures startup + idle behavior right now, not individual tool calls, which is where more of the interesting behavior lives. Tool-call tracing and cross-version diffing (to catch rug pulls) are what I'm building next. Repo has the harness, per-server manifests, and the full writeup. I'd genuinely like feedback on two things: whether the runtime-behavior angle is worth pursuing over just static scanning, and whether anyone would actually want this as a feed their MCP client checks before install.

Rough and Ready, California

https://en.wikipedia.org/wiki/Rough_and_Ready,_California
1•ttd•6m ago•0 comments

Have you heard? ClickHouse is winning the observability wars

https://charity.wtf/p/have-you-heard-clickhouse-is-winning
1•backlit4034•9m ago•0 comments

Joe Rogan Experience #2524 – Rupert Lowe [video]

https://www.youtube.com/watch?v=k29cMrVtVXY
3•Bender•10m ago•0 comments

Show HN: Calculator.Free - 200+ Free Calculators

https://calculator.free/
1•nadermx•12m ago•0 comments

Simple Made Easy – Rich Hickey (2011) [video]

https://www.youtube.com/watch?v=SxdOUGdseq4
1•taurath•15m ago•0 comments

Show HN: Skillburst - AI skills for your whole team, not just the engineers

https://skillburst.ai/
1•htahir111•18m ago•0 comments

Microsoft Publisher will no longer be supported after October 2026

https://support.microsoft.com/en-us/publisher/microsoft-publisher-will-no-longer-be-supported-aft...
3•MrVandemar•23m ago•2 comments

The Unbearable Anxiety of Being Just an Ordinary Human

https://www.freepressjournal.in/analysis/the-unbearable-anxiety-of-being-just-an-ordinary-human
2•thunderbong•23m ago•0 comments

Show HN: Amotions app in Zoom: real-time guidance for sales calls

https://amotionsinc.com/blogs/how-to-use-amotions-ai-zoom-app
1•xupianpian1•25m ago•0 comments

Ask HN: HN frontpage feels boring now?

2•xeonmc•25m ago•1 comments

How to build a cancer vaccine, and whether they will work this time

https://www.owlposting.com/p/how-to-build-a-cancer-vaccine-and
1•gone35•27m ago•0 comments

US seeks cheaper hunter-killer drones after Iran destroys $1B worth of Reapers

https://arstechnica.com/gadgets/2026/07/us-seeks-cheaper-hunter-killer-drones-after-iran-destroys...
2•jnord•27m ago•1 comments

John Deere owners will get the right to repair equipment under FTC settlement

https://apnews.com/article/john-deere-right-to-repair-agriculture-equipment-cb7514ffedb95c130a976...
24•djoldman•29m ago•2 comments

M64 Controller Review: The N64 Remote Perfected

https://retrododo.com/m64-controller-review-the-n64-remote-perfected/
1•bpierre•29m ago•0 comments

Hijacking Defensive Cyber AI Agents for Remote Code Execution

https://ainowinstitute.org/publications/friendly-fire-exploit-brief
1•Cynddl•31m ago•0 comments

The AI Bubble We need to talk

https://www.youtube.com/watch?v=2J2Fb1bBufA
2•cable2600•32m ago•0 comments

US rare earths flow to Asia as domestic demand is slow to emerge

https://arstechnica.com/science/2026/07/us-rare-earths-flow-to-asia-as-domestic-demand-is-slow-to...
1•jnord•32m ago•0 comments

Ask HN: What do you think of xsight labs?

1•m101•36m ago•0 comments

Telling Stories with Data (2023)

https://tellingstorieswithdata.com
1•matt_daemon•38m ago•0 comments

We made Grok 4.5, GPT-5.5, and Claude build the same apps

https://www.tryai.dev/blog/grok-4.5-vs-gpt-5.5-vs-claude-build-off
2•hershyb_•39m ago•0 comments

BassBet – Live Games, Fast Payouts and Big Wins Online

https://bassbet-login.com/en/
1•kalwrepo•44m ago•0 comments

Xsight labs - anyone talking about these guys?

https://xsightlabs.com/
2•m101•45m ago•1 comments

You may not need 8 hours of sleep

https://www.nytimes.com/2026/07/05/opinion/sleep-health-8-hours.html
2•dr_•47m ago•0 comments

Ghislaine Maxwell's Dad Sold Bugged Israeli Software to Two Nuclear Weapons Labs

https://alisav.substack.com/p/ghislaine-maxwells-father-sold-bugged
8•newspaper1•48m ago•0 comments

Suspecting AI cheating, Ivy League prof ordered in-person final; scores fell 50%

https://arstechnica.com/ai/2026/07/we-cannot-choose-to-become-idiots-the-ai-cheating-scandal-roil...
40•furcyd•55m ago•18 comments

Show HN: Schema_ferry – Continuous schema migration from MySQL to PostgreSQL

https://github.com/kyuuri1791/schema_ferry
1•kyuuri1791•56m ago•0 comments

Observations of a Journal Editor

https://uq.pressbooks.pub/editorobservations/
1•MrVandemar•57m ago•0 comments

Meta datacenter contractor flushed contaminated water

https://www.theguardian.com/us-news/2026/jul/08/meta-datacenter-ai-wyoming-water
5•doener•1h ago•2 comments

Visualizing Buns new Rust Files against the rest of the JavaScript / cpp

https://old.reddit.com/r/bun/comments/1ur8ka2/visualizing_the_rust_portion_of_bun_against/
1•fernando-ram•1h ago•0 comments

The family of a man shot by the Tennessee National Guard demands video release

https://apnews.com/article/memphis-national-guard-shooting-tyrin-johnson-6a1ea3e51176d8ddf6519f90...
18•petethomas•1h ago•0 comments