0 / 100
1 day ago
glama

mcp-guardian

Security, cost, and health governance proxy for MCP infrastructure. Enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitors server health with live JSON-RPC probes. Features OAuth 2.1/OIDC with RBAC, web dashboard, payload normalization, semantic shell AST analysis, mTLS, and a formal STRIDE threat model.


// key findings
🚨
Code appears obfuscated
1 file is unreadable to a human reviewer, so what it does cannot be audited.
🚨
Hardcoded credentials detected
5 live-looking API keys in source: 2 OpenAI API keys, 2 OpenAI project keys, 1 Google API key
🚨
Known vulnerabilities in dependencies: 1 critical, 12 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
🔐
You'll be asked for 5 credentials: AUTH_GITHUB_SECRET, AUTH_GOOGLE_SECRET, AUTH_SECRET, LEMONSQUEEZY_WEBHOOK_SECRET, LICENSE_JWT_SECRET
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
config AUTH_GITHUB_ID
🔐 secret AUTH_GITHUB_SECRET
config AUTH_GOOGLE_ID
🔐 secret AUTH_GOOGLE_SECRET
🔐 secret AUTH_SECRET
config AUTH_URL
config BENCH_CALLS_PER_REPLICA
config BENCH_ITERATIONS
config BENCH_P95_EPSILON_MS
config BENCH_P95_THRESHOLD_MS
config BENCH_PROXY_CONCURRENCY_TIERS
config BENCH_PROXY_REPLICAS
config BENCH_REPLICA_ID
config BENCH_STRICT
config BENCH_TOTAL_CALLS
config BENCH_WARMUP
config BENCH_WORKER_RESULT_FILE
config CONCURRENT_P95_SLO_MS
config CONCURRENT_P99_SLO_MS
config CONCURRENT_PROXY_P95_SLO_MS
config CONCURRENT_PROXY_P99_SLO_MS
config CONCURRENT_PROXY_TIMEOUT_MS
config CONCURRENT_TOOL_CALLS
config CORPUS_MIN_ATTACK_SAMPLES
config CORPUS_MIN_F1
config DATABASE_URL
config GUARDIAN_DISABLE_SEMANTIC
config GUARDIAN_PRO_CHECKOUT_URL
config GUARDIAN_SKIP_RESPONSE_SCAN
config HARNESS_FILTER_IDS
config HARNESS_PYTHON
config LEMONSQUEEZY_STORE_ID
🔐 secret LEMONSQUEEZY_WEBHOOK_SECRET
🔐 secret LICENSE_JWT_SECRET
config LOG_LEVEL
config NEXT_PUBLIC_APP_URL
config NEXT_PUBLIC_PRO_CHECKOUT_URL
commit: f2d7176f3046041100721f895c32c8dfd1711122
code hash: adf9c3d56ccf759659e1387cc52ac3e048db0171fc43dfac079e4e1f059f4a0a
verified: 6/2/2026, 11:39:19 AM