2026-07-14
Model Context Protocol (MCP) servers give an agent tools, and often real access to a filesystem, a shell, or an API. Adding a third-party MCP server is a trust decision with the same shape as installing a package — and the same exposure if it is malicious.
Most MCP servers are distributed as an npm package or a GitHub repo. Point Lazaretto at it and it fetches the code in a sandbox — without running it — and screens for credential access, exfiltration, obfuscation, install-lifecycle droppers, and bundled secrets.
curl -s -X POST https://lazaretto.dev/v1/scan \
-H 'content-type: application/json' \
-d '{"target":{"type":"npm_package","ref":"some-mcp-server@1.0.0"},"depth":"full"}'
A malicious verdict means an indicator match — treat it as a hard
stop. A flagged verdict surfaces behavioral signals with the file, line, and snippet that
triggered them, so you can judge in seconds. A clear result means nothing known-bad and no
rule fired — it is a statement about what was detected, not a warranty.
See the rule catalog and the other guides.
Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.