# MCP Hub Security

> Security scanner for Model Context Protocol (MCP) servers — scan before you connect.

MCP Hub Security automatically scans MCP servers (Python, TypeScript, Go) for 14 classes of security vulnerabilities before developers connect them to AI assistants like Claude, Cursor, or GitHub Copilot. Submit a GitHub/GitLab/Bitbucket URL, get a free summary instantly, and unlock the full report with credits.

## Product

- [Scanner](https://mcp-hub.info/): Submit any public MCP server repo URL to start a scan. Free summary; full report unlocked with 1 credit (5 credits).
- [Pricing](https://mcp-hub.info/pricing/): Credit packs — Basic €10 (50 cr), Popular €50 (280 cr), Pro €99 (600 cr).
- [About](https://mcp-hub.info/about/): How the scanner works, the MSSS scoring system, and the team behind it.
- [Changelog](https://mcp-hub.info/changelog/): Release history and recent improvements.
- [Contact](https://mcp-hub.info/contact/): Reach the team for enterprise plans or support.

## API

- [API Reference](https://api.mcp-hub.info/api/v1/docs): REST API (OpenAPI/Swagger). Authenticate with the API key header `X-API-Key`.
- [Submit scan](https://api.mcp-hub.info/api/v1/docs#/Scans/submit): `POST /api/v1/scans/` — submit a repo URL and get a scan ID back.
- [Poll status](https://api.mcp-hub.info/api/v1/docs#/Scans/status): `GET /api/v1/scans/{id}/status/` — returns `pending | running | completed | failed`.
- [Get result](https://api.mcp-hub.info/api/v1/docs#/Scans/result): `GET /api/v1/scans/{id}/result/` — full JSON report (requires unlock credit).
- Skill Scanner: `POST /api/v1/skill-scan/` — scan a Claude Code `SKILL.md` for security vulnerabilities.

## Vulnerability Classes Detected

MCP Hub Security detects 14 vulnerability classes (G001–G014):

- **G001** Prompt Injection — malicious instructions embedded in tool descriptions or outputs
- **G002** Tool Poisoning — tools that manipulate LLM behavior beyond their declared purpose
- **G003** Capability Abuse — server claims permissions it does not legitimately need
- **G004** Extended Prompt Injection — injection via file content, URLs, or external data sources
- **G005** SSRF (Server-Side Request Forgery) — server-side requests to internal/arbitrary hosts
- **G006** Command Injection — unsanitized user input passed to shell commands
- **G007** Path Traversal — directory escape via `../` or similar in file operations
- **G008** Secret Leakage — hardcoded API keys, tokens, or credentials in source code
- **G009** Insecure Deserialization — unsafe use of `pickle`, `eval`, `exec`, or similar
- **G010** Open Redirect — unvalidated URL redirects that can be abused for phishing
- **G011** SQL Injection — unsanitized input in database queries
- **G012** Dependency Confusion — package names susceptible to supply-chain substitution
- **G013** Excessive Permissions — over-privileged filesystem, network, or process access
- **G014** Data Exfiltration — mechanisms that silently send data to external endpoints

## Legal

- [Terms of Service](https://mcp-hub.info/legal/terms/)
- [Privacy Policy](https://mcp-hub.info/legal/privacy/)
- [Security Policy](https://mcp-hub.info/legal/security/)

## Optional

- [llms-full.txt](https://mcp-hub.info/llms-full.txt): Extended version of this file with scoring details, API structure, use cases, and FAQ.
- [Sitemap](https://mcp-hub.info/sitemap.xml): Full site map for crawlers.