ai.shawndurrani/mcp-merchant
Search-only commerce MCP server backed by Stripe (test)
Security Report
Findings (6)
Unclear server purpose and capabilities
The description states 'Search-only commerce MCP server backed by Stripe (test)' but provides no details about what searches are performed, what data is accessed, or what the actual functionality is. The term 'search-only' is vague and doesn't clarify scope.
Remote HTTP endpoint without visible authentication
Server is exposed via remote HTTPS endpoint (https://mcp.shawndurrani.ai/sse). No authentication mechanism is documented. Remote servers are higher risk than local stdio servers as they accept internet connections.
Stripe integration without clear permission boundaries
Integration with Stripe (even in test mode) suggests access to payment/commerce data. Without tool definitions visible and no repository to audit, the actual permissions and data access scope cannot be verified.
No source code repository provided
Server has no associated repository URL, making it impossible to audit the actual implementation, verify security practices, or understand the true capabilities.
Zero tools currently exposed
Server reports 0 tools and no resources. Either this is a newly deployed server or its tools are dynamically loaded. Capability scope cannot be assessed without tool definitions.
Semantic Analysis Summary
This server presents moderate-to-high risk due to remote HTTP exposure without documented authentication, vague description of capabilities, and Stripe integration without visible permission boundaries. The lack of a source code repository and unavailable tool definitions prevent proper security auditing. The 'search-only' claim is unverified and the actual scope of commerce data access is unclear.
Last scanned 1h ago
Details
- Version: 0.1.3
- Transport: sse
- Capabilities