Is Scrapegraph MCP server safe?
scrapegraph-mcp is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. It can: mcp tools detected and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 10/100 (low).
scrapegraph-mcp 3.0.0
- Python network egress
- Server bound to all network interfaces
- MCP tool surface detected
No malicious indicators found by static analysis.
Findings (3)
A server is bound to all network interfaces (0.0.0.0), not just your own machine.
host = os.getenv("HOST", "0.0.0.0")Why it matters: Without authentication, other hosts on the network can reach it.
Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.
The component makes outbound network requests.
import httpx
self.client = httpx.Client(timeout=httpx.Timeout(_api_timeout_s()))
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
mcp = FastMCP("ScapeGraph API MCP Server")@mcp.tool()
@mcp.tool()
@mcp.tool()
@mcp.tool()
@mcp.tool()
- MCP tool definitions (`@mcp.tool()` decorators)
- Created with `FastMCP("ScapeGraph API MCP Server")`- Exposes tools via `@mcp.tool()` decorators
5. Define MCP tools with `@mcp.tool()` decorators
- `@mcp.tool()` decorators expose functions as MCP tools
The server exposes many `@mcp.tool()` handlers (see repository `README.md` for the full table). The detailed subsections below still use **v1-style endpoint names** in several places; treat them as illustrative and prefer the v2 mapping in …
@mcp.tool()
mcp = FastMCP("ScapeGraph API MCP Server")@mcp.tool(annotations={"readOnlyHint": True, "destructiveHint": False, "idempotentHint": True})@mcp.tool(annotations={"readOnlyHint": True, "destructiveHint": False, "idempotentHint": False})@mcp.tool(annotations={"readOnlyHint": False, "destructiveHint": False, "idempotentHint": False})@mcp.tool(annotations={"readOnlyHint": True, "destructiveHint": False, "idempotentHint": True})@mcp.tool(annotations={"readOnlyHint": False, "destructiveHint": False, "idempotentHint": False})@mcp.tool(annotations={"readOnlyHint": False, "destructiveHint": False, "idempotentHint": False})@mcp.tool(annotations={"readOnlyHint": True, "destructiveHint": False, "idempotentHint": True})@mcp.tool(annotations={"readOnlyHint": True, "destructiveHint": False, "idempotentHint": False})Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →