Runs Spectral-style metadata checks, security posture probes, and CORS abuse detection against any URL. Catches leaked backend subdomains (workers.dev, herokuapp.com, vercel.app, netlify.app) in your published agent-card.json and openapi.json — the exact class of bug we caught on our own production.
```sh
npx mrc-audit scan https://your-mcp.example.com
```
The public web scan runs the same 9 checks the CLI does. No signup. Rate-limited to 5 scans per hour per IP.
- Flags when agent-card.json, openapi.json, or ai-plugin.json exposes *.workers.dev, *.herokuapp.com, *.vercel.app, or *.netlify.app, a real bug we caught on our own production.
- Checks servers[0].url, api.url, and url fields against public host allowlists.
- Spectral-style rules applied to MCP / OpenAPI / A2A spec documents.
- Sends Origin: https://evil.example.com and checks whether the server reflects it or returns ACAO: * with credentials (the OWASP ZAP 40040 CORS misconfiguration).
- Detects X-Powered-By and version strings leaked in Server headers.
- Knows what /.well-known/agent-card.json, /mcp, and /.well-known/ai-plugin.json are supposed to contain. Generic uptime monitors don't.

Most MCP audit tools focus on tool-action MCPs (Slack, Jira). We focus on data-type MCPs, the ones that claim verified data, and we plug other scanners in.
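The following is an added example, not mrc-audit's own code, showing how three of the checks listed above can be implemented offline: walking a spec document for URL fields and flagging platform subdomains or hosts off an allowlist, classifying a CORS response to the evil.example.com Origin probe, and spotting version strings in Server / X-Powered-By headers. The suffix list, the finding labels, `probe_cors`, and the sample documents are assumptions made for illustration.

```python
"""Offline versions of three checks: leaked backend hosts in spec documents,
CORS reflection, and version-leaking headers.

Added example, not mrc-audit's own code. The suffix list, the finding labels
and the sample documents below are assumptions made for illustration.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hosting platforms whose hostnames reveal a backend that should sit behind a
# custom domain (assumed list; extend it for your own estate).
LEAKY_SUFFIXES = ("workers.dev", "herokuapp.com", "vercel.app", "netlify.app")


def iter_urls(node, path="$"):
    """Yield (json_path, value) for every string in the document that parses
    as an http(s) URL, so servers[0].url, api.url and plain url are all covered."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str):
        parsed = urlparse(node)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            yield path, node


def is_leaky_host(host):
    """True when host is a platform subdomain; matches whole labels only,
    so 'notworkers.dev' does not match 'workers.dev'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEAKY_SUFFIXES)


def find_leaked_hosts(doc, allowlist):
    """Return (json_path, host, finding) for every URL that points at a leaky
    platform or at a host outside the public allowlist."""
    findings = []
    for path, url in iter_urls(doc):
        host = urlparse(url).hostname.lower()
        if is_leaky_host(host):
            findings.append((path, host, "leaked-platform-host"))
        elif host not in allowlist:
            findings.append((path, host, "host-not-allowlisted"))
    return findings


def classify_cors(origin_sent, headers):
    """Classify a response to a request that carried 'Origin: origin_sent'.
    headers maps response header names (any case) to values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == origin_sent:
        return "origin-reflected-with-credentials" if credentials else "origin-reflected"
    if acao == "*":
        return "wildcard-with-credentials" if credentials else "wildcard"
    return "fixed-origin"


def probe_cors(url, origin="https://evil.example.com", timeout=10):
    """Live probe (needs network): send the attacker Origin and classify the reply.
    Error responses still carry CORS headers, so they are classified too."""
    request = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_cors(origin, dict(response.headers.items()))
    except urllib.error.HTTPError as error:
        return classify_cors(origin, dict(error.headers.items()))


def header_leaks(headers):
    """Return (header, value) pairs that disclose a framework or a version."""
    h = {k.lower(): v for k, v in headers.items()}
    leaks = []
    if "x-powered-by" in h:
        leaks.append(("X-Powered-By", h["x-powered-by"]))
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):  # 'nginx' is fine, 'nginx/1.24.0' is not
        leaks.append(("Server", server))
    return leaks


# Constructed sample documents (not real deployments).
SAMPLE_AGENT_CARD = {
    "name": "example-mcp",
    "url": "https://mcp.example.com/mcp",
    "api": {"url": "https://example-mcp-prod.myco.workers.dev/v1"},
    "provider": {"url": "https://example.com"},
}
SAMPLE_OPENAPI = {
    "openapi": "3.1.0",
    "servers": [{"url": "https://api.example.com"},
                {"url": "https://staging-1234.herokuapp.com"}],
}
ALLOWLIST = {"mcp.example.com", "api.example.com", "example.com"}

if __name__ == "__main__":
    for name, doc in (("agent-card.json", SAMPLE_AGENT_CARD), ("openapi.json", SAMPLE_OPENAPI)):
        for finding in find_leaked_hosts(doc, ALLOWLIST):
            print(name, *finding)
    reply = {"Access-Control-Allow-Origin": "https://evil.example.com",
             "Access-Control-Allow-Credentials": "true", "Server": "nginx/1.24.0"}
    print(classify_cors("https://evil.example.com", reply), header_leaks(reply))
```

One caveat worth keeping in mind when triaging the CORS result: browsers refuse to honour `Access-Control-Allow-Origin: *` on a credentialed request, so the case that actually lets a hostile page read authenticated responses is a reflected Origin combined with `Access-Control-Allow-Credentials: true`. The wildcard-plus-credentials combination is still a misconfiguration worth reporting, just not an exploitable one on its own. Running the classifier against the document's URL fields rather than only the root URL matters because the leaked host is usually behind `api.url` or `servers[n].url`, not the front door.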
| | mrc-audit | Runlayer | ScanMCP | Datadog Synth. |
|---|---|---|---|---|
| MCP protocol awareness | ✓ | ✓ | ✓ | — |
| Self-hosted (no gateway proxy) | ✓ | — | — | — |
| Spectral-style metadata rules | ✓ | — | partial | partial |
| Data observability (Monte Carlo 5 pillars) | ✓ | — | — | — |
| Compliance map (ASVS / SOC2 / ISO / OpenSSF) | ✓ | SOC2 | — | partial |
| Aggregates other scanners (OpenSSF, Cisco, Snyk) | ✓ | — | — | — |
| Free tier includes CLI | ✓ | — | — | — |
The public scan is always free. Sign up to unlock drift detection, SLA uptime, compliance PDF export, and BYO rules.
MRC Data is an MCP server for the Chinese apparel supply chain. We use mrc-audit every day to manage 3,000+ verified supplier records, 350+ lab-tested fabrics, and 170+ industrial clusters — 135 checks passing on every daily audit.