Vet – Security registry for 88K+ MCP servers and AI tools

Name: Vet – Security registry for 88K+ MCP servers and AI tools
Availability: InStock
Author: tinnit1

by tinnit1·Mar 6, 2026·1 point·0 comments

Visit Project View on HN

AI Analysis

●●●BangerSolve My ProblemBig BrainShip It

Scanned 88K tools, found 537 malicious—solves real AI supply-chain vulnerability.

Strengths

•Concrete threat detection: identified crypto miners, SSH backdoors, .env exfiltration—not hypothetical risks.
•Verification badges (install, boot, discovery) backed by actual testing, not just static analysis.
•Searchable registry + CLI tool solves immediate friction for teams vetting MCP servers.

Weaknesses

•Trust score methodology (0-100) lacks transparency; unclear how static analysis weights against AI review.
•88K scan coverage unclear: sampling vs exhaustive, false positive rate, update frequency not stated.

Post Description

Hey HN, I built Vet (https://getvet.ai) — a security registry for MCP servers and AI skills.

The problem: when you install an MCP tool, you're giving an AI agent code execution on your machine. I scanned 88K+ tools and found crypto miners, SSH backdoors, prompt injection, and tools silently reading .env files and SSH keys. 537 flagged total.

How it works: - Static analysis + AI security review generates a trust score (0-100) per tool - Verified tools earn badges (install, boot, tool discovery all tested) - Everything is searchable with security-aware ranking

Ways to use it: - Browse: https://getvet.ai/catalog - CLI: `npx @getvetai/cli find "database"` - MCP server (yes, an MCP that discovers MCPs): `npx @getvetai/mcp` - API: `curl https://getvet.ai/api/v1/discover?q=github`

The CLI is open source: https://github.com/getvetai/cli

Free to use. If you build MCP servers, you can claim and get verified.

Would love feedback on the security analysis approach and what data you'd want to see.