SmeltSec is a security and quality platform for Model Context Protocol (MCP) servers. We generate MCP servers from existing code, scan them with 16 security tools across 2 gates, monitor upstream dependencies, and sync configs to every major AI client.

Is SmeltSec open source?

Our CLI is open source. The SaaS backend (analytics, monitoring, managed scanning) is proprietary. 7 of the 8 security scanners we bundle are free and open source (Semgrep CE, Gitleaks, OSV-Scanner, MCP-Scan, and more).

How does SmeltSec compare to rolling my own security pipeline?

Rolling your own Semgrep + Gitleaks + OSV-Scanner + MCP-Scan integration typically takes 2-3 engineer-months. SmeltSec gives you the same 16 scanners plus quality scoring, monitoring, and multi-client config sync in under 60 seconds.

What AI clients does SmeltSec support?

Claude Desktop, Cursor, ChatGPT Desktop, Windsurf, and VS Code. Config sync daemon runs locally and writes to each client's native config format.

Is my code sent to SmeltSec servers?

You control that. The CLI can run Gate 1 entirely locally. The managed scanning service (Gate 2) runs in our infrastructure — see our security docs for SOC 2 controls and data retention policy.

MCP SERVER PLATFORM

Generate.. Secure.. Maintain..

From prompt to production in under 60 seconds. SmeltSec generates servers, scans them with 16 security scanners across 2 gates, monitors upstream changes, and syncs configs to every major AI client.

$ npx smeltsec scan ./my-serverlive on npm →

LIVE

›scoring XiaoYouChR/Ghost-Downloader-3›scoring argilla-io/argilla›scoring navdeep-G/samplemod›scoring standard/standard›scoring h2oai/h2o-llmstudio›scoring react-boilerplate/react-boilerplate›scoring macanv/BERT-BiLSTM-CRF-NER›scoring statelyai/xstate›scoring microsoft/muzic›scoring elsewhencode/project-guidelines›scoring quantumlib/Cirq›scoring Bitwise-01/Instagram-›scoring bigint/hey›scoring feder-cr/Jobs_Applier_AI_Agent_AIHawk›scoring googlemaps/google-maps-services-python›scoring vuejs/vue-cli›scoring tencentmusic/cube-studio›scoring qubvel/segmentation_models›scoring helm/helm›scoring pyinfra-dev/pyinfra›scoring corna/me_cleaner›scoring aosabook/500lines›scoring google/google-ctf›scoring roboflow/sports›scoring gd3kr/BlenderGPT›scoring CopilotKit/CopilotKit›scoring khast3x/h8mail›scoring minimaxir/textgenrnn›scoring hashicorp/consul›scoring wireviz/WireViz›scoring XiaoYouChR/Ghost-Downloader-3›scoring argilla-io/argilla›scoring navdeep-G/samplemod›scoring standard/standard›scoring h2oai/h2o-llmstudio›scoring react-boilerplate/react-boilerplate›scoring macanv/BERT-BiLSTM-CRF-NER›scoring statelyai/xstate›scoring microsoft/muzic›scoring elsewhencode/project-guidelines›scoring quantumlib/Cirq›scoring Bitwise-01/Instagram-›scoring bigint/hey›scoring feder-cr/Jobs_Applier_AI_Agent_AIHawk›scoring googlemaps/google-maps-services-python›scoring vuejs/vue-cli›scoring tencentmusic/cube-studio›scoring qubvel/segmentation_models›scoring helm/helm›scoring pyinfra-dev/pyinfra›scoring corna/me_cleaner›scoring aosabook/500lines›scoring google/google-ctf›scoring roboflow/sports›scoring gd3kr/BlenderGPT›scoring CopilotKit/CopilotKit›scoring khast3x/h8mail›scoring minimaxir/textgenrnn›scoring hashicorp/consul›scoring wireviz/WireViz

Join developers building MCP servers the right way

TRUST REGISTRY

500 open-source repos scored

Independent security and quality scores across the most-starred public MCP-relevant repos. Updated daily.

500

Repos scored

Avg security

Avg quality

100

Top score

THE THREAT LANDSCAPE

MCP is shipping faster than its security.

We ran a 16-scanner pipeline across the most-starred public MCP-relevant repos — covering SAST, secret leakage, dependency CVEs, MCP tool poisoning, prompt injection, and supply-chain attacks. Two-thirds shipped with at least one B-grade or worse finding. The MCP ecosystem is growing faster than the tooling that should protect it. SmeltSec is the security layer underneath every server we generate, monitor, and score.

Pipeline · 16 scanners

Semgrep CEGitleaksOSV-ScannerMCP-ScanTool poisoningPrompt injectionTrojan sourceSupply chain

HOW IT WORKS

Three Steps to Production

Describe Your API

Use natural language, import a GitHub repo, or paste an OpenAPI spec. 60 seconds to production-ready code.

Generate & Scan

16 security scanners run in 2 gates — pre-generation and post-generation. Critical findings block delivery.

Deploy & Monitor

Link a GitHub repo for automatic change detection. Track usage analytics. Sync configs to every major AI client.

CAPABILITIES

Built for Every Workflow

Chat Interface

Describe in natural language what your MCP server should do. Get production-ready code generated in under 60 seconds.

Natural language input
Iterative refinement
Preview before deploy
Template library

GitHub Integration

Import any GitHub repo. SmeltSec analyzes your codebase with Tree-sitter, detects changes via webhooks, and proposes surgical updates.

Repo import & analysis
Webhook change detection
Impact classification
Auto-PR proposals

SECURITY

8-Tool Security Pipeline

Every server gets scanned twice — Gate 1 before generation (SAST, secrets, CVEs, API surface) and Gate 2 after (tool poisoning, behavioral analysis, permission escalation). Critical findings block delivery.

SAST Analysis

Static code analysis for vulnerabilities and anti-patterns

Secret Detection

Scan for leaked API keys, tokens, and credentials

CVE & Dependency

Check dependencies against known vulnerability databases

Tool Poisoning

Detect behavioral mismatches and permission escalation

16 security scanners — most free forever

QUALITY

6-Dimension Quality Scoring

Score any MCP server across 6 dimensions. Get auto-fix suggestions to improve LLM understanding. Gate deploys on minimum scores. 87% average improvement after applying fixes.

Tool Descriptions

25%

Input Schemas

20%

Error Handling

15%

Security Posture

20%

Behavioral Alignment

10%

Documentation

10%

ANALYTICS

Per-Tool Usage Visibility

Drop-in proxy intercepts MCP calls and reports per-tool analytics: calls, latency P50/P95/P99, errors, and client distribution. 12.8K calls tracked per day on average. Set alerts and export via API, webhooks, or OpenTelemetry.

4,953scans completed

Past 12 weeks

vs. hand-rolled

Why not just wire it up yourself?

Semgrep, Gitleaks, OSV-Scanner, and MCP-Scan are all open source. Integrating them yourself takes 2–3 engineer-months. SmeltSec gives you all sixteen scanners plus quality scoring, monitoring, and multi-client config sync in 60 seconds.

See the full comparison →

PRICING

Simple, Transparent Pricing

Start free with Gate 1 security. Upgrade for the full pipeline.

Free

Generate MCP servers

$0forever

5 CLI generations/month

Gate 1 security scanning

3 quality scores

2-client config sync

POPULAR

TypeScript

Next.js

Prisma

PostgreSQL

Redis

Docker

Tree-sitter

OpenTelemetry

Ready to Build?

Start generating secure MCP servers in under 60 seconds. Security scanning included on every plan.