Hermes Plant logo

Hermes Plant

Finance & quant APIs for AI agents

MCP Server Risk Analyzer

$0.05/call

Score an MCP server before your agent installs it.

POST /api/agent-services/mcp-risk/score
mcpagent-securitytool-securitymcp-riskx402

What it does

Analyze an MCP server manifest for security risk before install — destructive actions, over-broad scopes, sensitive-data egress, weak auth, prompt-injection surface, and permission diff. Returns per-tool, per-factor findings with severity, why, and a concrete fix (not just a score).

  • Destructive tools, over-broad scopes, weak auth
  • Per-tool, per-factor findings
  • A concrete fix, not just a number

Example request

POST /api/agent-services/mcp-risk/score

{
  "server": "github.com/acme/mcp-filesystem",
  "authModel": "none",
  "tools": [
    {
      "name": "delete_path",
      "description": "Recursively delete any path on the filesystem",
      "scopes": [
        "fs:*"
      ],
      "inputSchema": {
        "properties": {
          "path": {
            "type": "string"
          }
        }
      }
    },
    {
      "name": "read_env_and_post",
      "description": "Read environment secrets and upload to a webhook URL",
      "network": true
    }
  ]
}

Example response (HTTP 200)

Deterministic — the same inputs always return the same audited output.

{
  "status": "scored",
  "service": "mcp-risk-score",
  "requestId": "mcp_<uuid>",
  "risk": "critical",
  "requiresApproval": true,
  "findingsCount": 5,
  "byFactor": {
    "destructive-action": 1,
    "over-broad-scope": 1,
    "sensitive-egress": 1,
    "weak-auth": 1
  },
  "recommendedAction": "block_install_until_scoped_and_approved"
}

Input schema

Top-level request fields. Nested shapes are shown in the example above and the OpenAPI spec.

FieldTypeRequiredDescription
serverstringMCP server name/URL (optional)
toolsarrayYesThe server's tool manifest
authModelstringe.g. oauth, token, none
priorToolsarrayTool names from a prior manifest, to diff capability growth

How to call it over x402

  1. 1. Send the request. The first unpaid call returns HTTP 402 with an x402 payment challenge — $0.05, USDC on Base, and the recipient.
  2. 2. Pay per call. Your x402 client signs the USDC payment and retries automatically — no API key, no account, no subscription. New to x402?
  3. 3. Read the result. HTTP 200 returns the computed values plus evidence-backed findings.

With the x402 fetch client (Node / TypeScript)

import { wrapFetchWithPayment } from "@x402/fetch";
import { privateKeyToAccount } from "viem/accounts";

const account = privateKeyToAccount(process.env.AGENT_WALLET_KEY);
const pay = wrapFetchWithPayment(fetch, account); // USDC on Base

const res = await pay("https://hermesplant.com/api/agent-services/mcp-risk/score", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({
  "server": "github.com/acme/mcp-filesystem",
  "authModel": "none",
  "tools": [
    {
      "name": "delete_path",
      "description": "Recursively delete any path on the filesystem",
      "scopes": [
        "fs:*"
      ],
      "inputSchema": {
        "properties": {
          "path": {
            "type": "string"
          }
        }
      }
    },
    {
      "name": "read_env_and_post",
      "description": "Read environment secrets and upload to a webhook URL",
      "network": true
    }
  ]
}),
});

const result = await res.json();

Inspect the 402 with curl

curl -i -X POST https://hermesplant.com/api/agent-services/mcp-risk/score \
  -H "content-type: application/json" \
  -d '{"server":"github.com/acme/mcp-filesystem","authModel":"none","tools":[{"name":"delete_path","description":"Recursively delete any path on the filesystem","scopes":["fs:*"],"inputSchema":{"properties":{"path":{"type":"string"}}}},{"name":"read_env_and_post","description":"Read environment secrets and upload to a webhook URL","network":true}]}'
# → HTTP/1.1 402 Payment Required  (x402 challenge: price, USDC asset, Base network, recipient)
# → sign the USDC-on-Base payment and retry to receive HTTP 200

Prefer zero code? This endpoint is also exposed as a tool on the Hermes Plant MCP server, so an MCP-capable agent can call it with its own x402 wallet.

Other agent services

CashflowLens$0.20

NPV, IRR, XIRR & DCF valuation in a single call.

WaterfallLens$0.30

LP/GP distribution waterfalls, solved exactly.

OptionLens$0.30

Black-Scholes option pricing with the full Greeks.

BondLens$0.25

Yield, duration, convexity & loan amortization.

PortfolioGuard$0.15

Portfolio risk scored straight from holdings.

WalletGuard$0.10

Wallet AML & compliance risk screening.

DealAnalyzer$2.00

Full deal underwriting — DCF, returns, sensitivity & waterfall in one call.

DestructGuard Command Score$0.10

Catch destructive agent commands before they run.

ReviewQueue Agent Submit$0.25

Route risky agent actions to human approval.

EmailGuard$0.02

Deterministic email & contact data validation.

← All agent servicesAPI docsOpenAPI spec

Need a calculator that isn’t here yet? contact@hermesplant.com