SmeltSecSmeltSec
    Features
    |Security
    |How It Works
    |Pricing
    |Docs
    |Blog
    |About
    npm
    1. Home
    2. /
    3. Security
    SECURITY

    Two-Gate Security Pipeline

    Every MCP server passes through 16+ scanners across 2 mandatory gates before it can be used. Gate 1 scans your source code. Gate 2 scans the generated output. Nothing ships without passing both.

    Gate 1
    Pre-Generation
    Generate
    MCP Server
    Gate 2
    Post-Generation
    Live Security Pipelinebilling-mcp-server
    Source Intake
    Analyzing acme/billing-service...
    Semgrep SAST
    Gitleaks
    OSV + Typosquat
    Env + Persistence
    Gate 1 Decision
    MCP-Scan + Behavioral
    Evasion + Trojan Source
    Correlation Engine
    Gate 2 Decision
    DEEP DIVE

    Inside the Security Gates

    Click each gate to see every tool, what it detects, and what blocks generation.

    Pre-Generation Source Scan

    BLOCKS IF:: Any critical finding blocks generation immediately.
    Semgrep
    LGPL-2.1
    $0
    Detects
    SQL injection patterns
    Command injection
    Hardcoded credentials
    Insecure deserialization
    Path traversal
    XSS vulnerabilities
    BLOCKS IF:: Any critical or high severity finding
    Gitleaks
    MIT
    $0
    Detects
    API keys in code
    Private keys and certificates
    OAuth tokens
    Database connection strings
    Secrets in git history
    Cloud provider credentials
    BLOCKS IF:: Any detected secret or credential
    OSV-Scanner
    Apache-2.0
    $0
    Detects
    Known CVEs in dependencies
    Typosquatted package names
    Malicious package versions
    Deprecated vulnerable packages
    License compliance issues
    Supply chain compromises
    BLOCKS IF:: CVSS score ≥ 7.0 or confirmed typosquat
    Env Analyzer
    MIT
    $0
    Detects
    PATH environment hijacking
    Persistence mechanisms
    Suspicious env var reads
    Cron job installation
    Startup script modification
    Shell profile tampering
    BLOCKS IF:: Any persistence mechanism or PATH hijack
    REPORT CARD

    A-F Grade.

    7 Categories. Auto-Fix Suggestions.

    Each scan produces a weighted security score across 7 categories. Scores are aggregated into an A–F letter grade with detailed breakdowns and auto-fix suggestions for every finding.

    A
    92/100
    Overall Score
    billing-mcp-server
    Report — Feb 24, 2026 14:32 UTC
    Static Analysis25%92
    1
    Secret Detection20%100
    Dependency Safety20%78
    2
    Behavioral Match15%95
    Evasion Resistance10%88
    1
    Environment Safety5%100
    Correlation Score5%100
    Blockers: 0
    Warnings: 2
    Info: 1
    Auto-fixable: 2
    BEHAVIORAL ANALYSIS

    Does the Code Do What the Description Says?

    Tool poisoning is the #1 MCP attack vector. Attackers hide malicious behavior inside tools that appear legitimate. Our behavioral analysis engine compares what a tool claims to do against what its code actually does.

    AST-based analysis of every tool function
    NLP comparison of description vs. code behavior
    Detection of hidden network calls not mentioned in description
    Scope analysis: does the tool access more than it claims?
    Severity grading: CRITICAL / MEDIUM / MATCH verdicts
    read_file()CRITICAL MISMATCH
    Description says
    "Reads a single file from the provided path"
    Code actually does
    Recursively reads ALL files in home directory + exfiltrates to external URL
    THREAT LANDSCAPE

    12 Threat Classes. All Covered.

    SQL Injection
    Unsanitized inputs passed directly to database queries
    Gate 1 — Semgrep SASTBLOCKED
    Secret Leakage
    API keys, tokens, or passwords committed to source code
    Gate 1 — GitleaksBLOCKED
    Typosquatting
    Malicious packages with names similar to popular libraries
    Gate 1 — OSV + TyposquatBLOCKED
    Known CVEs
    Dependencies with publicly disclosed security vulnerabilities
    Gate 1 — OSV-ScannerBLOCKED
    PATH Hijacking
    Modifying environment PATH to intercept system commands
    Gate 1 — Env AnalyzerBLOCKED
    Persistence Mechanisms
    Cron jobs, startup scripts, or shell profile modifications
    Gate 1 — Env AnalyzerBLOCKED
    Tool Poisoning
    Malicious behavior hidden inside seemingly legitimate MCP tools
    Gate 2 — MCP-ScanBLOCKED
    Prompt Injection
    Malicious instructions embedded in tool descriptions or outputs
    Gate 2 — MCP-ScanBLOCKED
    Trojan Source
    Unicode bidirectional text attacks that make code look different than it executes
    Gate 2 — Evasion DetectorBLOCKED
    Anti-Debugging
    Code that detects analysis environments and hides malicious behavior
    Gate 2 — Evasion DetectorBLOCKED
    Data Exfiltration
    Hidden network calls sending user data to unauthorized external endpoints
    Gate 2 — Behavioral AnalyzerBLOCKED
    Compound Attacks
    Multi-vector attacks that combine low-severity findings into high-impact exploits
    Gate 2 — Correlation EngineBLOCKED
    COST TRANSPARENCY

    12 of 13 Tools Are Free. Forever.

    We built our security pipeline on open-source tools because we believe security shouldn't cost extra. Every scanner is either MIT, Apache-2.0, or LGPL licensed. You can audit every line of code we run.

    ToolCostLicense
    Semgrep CE$0LGPL-2.1
    Gitleaks$0MIT
    OSV-Scanner$0Apache 2.0
    MCP-Scan$0Apache 2.0
    Typosquat Detector$0Built-in
    Correlation Engine$0Built-in
    Env / Persistence / Evasion$0Built-in
    Trojan Source Scanner$0Built-in
    Indirect Execution Scanner$0Built-in
    API Surface Analysis$0Built-in
    Permission Verification$0Built-in
    Semgrep Self-Check$0LGPL-2.1
    Behavioral Analysis~$0.02LLM-based
    Total per scan::$0.00 – $0.02
    Deep dives

    Related reading

    Why Most AI Tool Integrations Are Dangerously Insecure

    Everyone is racing to give AI agents access to their systems. Almost nobody is asking what happens when those agents get manipulated.

    Read post

    Securing MCP in a Zero-Trust World

    What zero-trust looks like when your clients are AI agents — and the trust boundaries you need to draw around every MCP tool call.

    Read post

    Your MCP Server Has a Secret Scoring Problem

    Secret detection is only half the battle. The other half is scoring, triage, and knowing which leaks actually matter.

    Read post
    FAQ

    Security Questions

    Common questions about how SmeltSec handles security.

    We run 16 scanners across two gates — including Semgrep CE for SAST, Gitleaks for secret detection, OSV-Scanner for CVEs, MCP-Scan for protocol-specific issues, a typosquat detector, Trojan Source scanner, indirect execution scanner, and behavioral analysis. The full list is on this page.
    Findings are ranked by severity (Critical, High, Medium, Low) and by blast radius — how exposed the affected code is via the MCP tool surface. Critical and High findings block the Gate; Medium and Low are reported but do not stop generation.
    Yes. You can bring your own Semgrep rulesets and custom MCP-scan policies. Team and Enterprise plans also support SARIF import, which lets you wire in findings from any scanner you already use.
    SOC 2 Type II is in progress and scheduled for completion in 2026. We already publish a security whitepaper and sign DPAs with Team and Enterprise customers. Reach out to sales@smeltsec.com for current compliance documentation.

    Security isn't a feature. It's the pipeline.

    Every MCP server generated on SmeltSec runs through all 16+ scanners automatically. No configuration needed. Available on the free plan.

    Product

    FeaturesSecurityPricingHow It WorksDocumentation

    Resources

    Quick StartAPI ReferenceCLI ReferenceLeaderboardBlogChangelogGitHubnpm (@smeltsec/cli)npm (@smeltsec/core)

    Company

    PrivacyTerms
    SmeltSec
    © 2026 SmeltSec. Open source CLI · Proprietary SaaS.
    PrivacyTerms