# compuute-scan-api

> MCP-specific static security scanner for AI agents. Scan any public GitHub MCP-server repo and get severity counts, score, top findings, and a triage disclaimer before your agent installs or connects to an unknown server.

## When to use

- Before installing or connecting an agent to an MCP server you do not own
- Before recommending an MCP server to a user
- As part of supply-chain due diligence on agent tooling
- For procurement/compliance evidence on third-party MCP code

## What it covers

- 37 L1 rules across TypeScript/JavaScript, Python, Go, Rust, C#, Java, Kotlin
- Argument-injection, command-injection, SSRF, supply-chain, secrets leakage, tool-description-poisoning, prompt-injection-resistance signals
- Threat-intel response cadence: new rules added within one week of published CVE classes (see L1-038 for the Ox Security npx-argument-injection vector, added 7 days after Ox publication)

## How to call it

### Free tier (no auth, rate-limited)

```
POST https://scan.compuute.se/v1/scan
Content-Type: application/json

{"repo_url": "https://github.com//"}
```

### Paid tier (x402, USDC on Base L2)

```
POST https://scan.compuute.se/v1/scan/pay
X-Payment:
Content-Type: application/json

{"repo_url": "https://github.com//"}
```

Price: $0.10 USDC per scan. 402 challenge returned if header missing.

### MCP tool

Connect via Model Context Protocol streamable-HTTP at `https://scan.compuute.se/mcp/`. Exposes the tool `scan_mcp_server(github_url)`.

## Honest framing — read this

compuute-scan is a pattern-breadth detector, not an exploitability oracle. Historic raw false-positive rate is ~90% before manual triage (anchored on modelcontextprotocol/servers: 138 raw -> 13 confirmed). Every response carries a `_disclaimer` field stating this. Use findings as a triage queue, not as a list of confirmed vulnerabilities.

Per-rule FP rates: https://github.com/Compuute/compuute-scan-api/blob/main/docs/FP-RATES.md

## Provider

- Organization: Compuute AB (Stockholm, Sweden)
- Contact: daniel@compuute.se
- Source: https://github.com/Compuute/compuute-scan-api (MIT)
- Scanner source: https://github.com/Compuute/compuute-scan (MIT)
- Methodology: https://github.com/Compuute/compuute-scan-api/blob/main/docs/whitepaper/
- SOC 2 readiness statement: https://github.com/Compuute/compuute-scan-api/blob/main/docs/compliance/soc2-readiness.md

## Machine-readable

- OpenAPI: https://scan.compuute.se/openapi.json
- A2A Agent Card: https://scan.compuute.se/.well-known/agent.json
- x402 manifest: https://scan.compuute.se/.well-known/x402.json
- ChatGPT plugin manifest: https://scan.compuute.se/.well-known/ai-plugin.json
- MCP endpoint: https://scan.compuute.se/mcp/
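
The calls under "How to call it", written out as an added example that is not taken from the Compuute code base: it validates the repository URL on the client, picks the free or paid endpoint, and routes a response to manual triage as "Honest framing" asks. The endpoints, the `X-Payment` header, the 402 challenge and the `_disclaimer` field come from this page; the function names, the returned labels and HTTP 200 as the success status are assumptions.

```python
from urllib.parse import urlsplit

FREE_ENDPOINT = "https://scan.compuute.se/v1/scan"
PAID_ENDPOINT = "https://scan.compuute.se/v1/scan/pay"


def build_scan_request(repo_url, payment=None):
    """Return (endpoint, headers, json_body) for one scan call.

    Only https://github.com/<owner>/<repo> is accepted; a value taken from
    untrusted agent input is rejected here before any request is sent.
    """
    parts = urlsplit(repo_url)
    segments = [s for s in parts.path.split("/") if s]
    if (parts.scheme != "https" or parts.netloc != "github.com"
            or len(segments) != 2 or parts.query or parts.fragment):
        raise ValueError(f"not a GitHub repository URL: {repo_url!r}")
    headers = {"Content-Type": "application/json"}
    if payment is None:
        return FREE_ENDPOINT, headers, {"repo_url": repo_url}
    headers["X-Payment"] = payment  # opaque x402 value supplied by the caller
    return PAID_ENDPOINT, headers, {"repo_url": repo_url}


def interpret_response(status, body):
    """Map an HTTP status and decoded JSON body to the caller's next step."""
    if status == 402:
        return "payment_required"     # paid endpoint called without X-Payment
    if status != 200:                 # assumption: 200 is the success status
        return "error"
    if not isinstance(body, dict) or "_disclaimer" not in body:
        return "unexpected_response"  # the page says every response carries it
    return "manual_triage"            # findings are a review queue, not a verdict
```
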