About · Dresden · est. 2025

The MCP ecosystem needed a referee.

We built MCPAmpel because LLM agents now install whatever the model recommends, and the model recommends whatever has stars. That's not a security model. So we made the boring one — sixteen scanners, fixed weights, one light.

In one sentence

A trust-light for every MCP server you might install — published methodology, open scoring, German skepticism.

We believe MCP needs a TÜV, not a leaderboard.

A leaderboard rewards popularity. A TÜV — Germany's vehicle inspection — rewards meeting the same boring criteria as everything else. We're firmly in camp two.

01/03

Open methodology, always

Every weight, every rule, every CVSS bucket is published in the public repo. If you can't reproduce a score on your own machine, it doesn't count as a verdict.

PUBLIC · MIT-LICENSED
02/03

Boring math beats clever models

Sixteen sub-scores, fixed weights, one published nonlinearity. No learned model, no per-server tuning. We trust auditable arithmetic over benchmark-tuned vibes.

NO ML · NO HEURISTICS
03/03

The light is for humans

Red, amber, green. A four-year-old understands it. A CTO understands it. Scores are a tool; the light is the verdict — and that's what goes on the README badge.

UNAMBIGUOUS · LEGIBLE
Why we exist

The agent will install whatever you let it.

In April 2026, the median Anthropic-Claude user has 11 MCP servers installed. Most were added by the agent itself, on the user's behalf, to "solve a task". Many were typo-squat copies. Some leaked credentials. A few were actively malicious.

The npm and pip ecosystems took twenty years to develop social and tooling infrastructure for trust — registries, signing, CVE feeds, security advisories, audit programs. The MCP ecosystem is six months old and growing exponentially. It will not survive its first major supply-chain incident without infrastructure to point at.

MCPAmpel is one piece of that infrastructure. Not the only piece, not the most important — but a piece. A trust-light at the moment of install. A second opinion before the agent runs npm install with your credentials in scope.

04 — Numbers

Where we are so far.

14k+
MCP servers in our index, scanned at least once
2.1k
Servers actively monitored on customer watchlists
135k
Findings catalogued and de-duplicated across the ecosystem
100%
Methodology, rules, and engine versions — public on GitHub
05 — Founder

One person in a Dresden Hinterhof.

Nikita Frikh-Khar

IT Sysadmin & Security Researcher, Dresden

HackTheBox Elite Hacker, ranked #16 in Germany. 2x top-5 solo CTF finisher. Reported vulnerabilities to NASA, John Deere, and X/xAI.

Runs IT for two companies. Built their security stack from scratch and blocked real attacks. Built MCPAmpel because AI agents run with real permissions and nobody was checking.

06 — Timeline

From a side-project to a standard.

Sep 2025
v0.1 — three engines, one weekend. Trivy + TruffleHog + a regex for tool-shadowing. Posted on Hacker News, accidentally went front-page.
Nov 2025
First red-light catch. Flagged a popular MCP server with a leaked production AWS key two days before the maintainer noticed.
Jan 2026
v1.0 — sixteen engines, published methodology, NIS2 mapping. Picked up by three EU-regulated banks for their MCP procurement workflows.
Mar 2026
OWASP MCP Top 10 alignment. Co-authored sections 4 and 7. Added the tool-shadowing engine that catches them.
Apr 2026
You are here. 14k servers indexed. 2.1k on monitoring. Public launch.

Want to talk methodology?

We answer every email. Especially the skeptical ones.
