Independent, reproducible behavioral grades for the MCP servers an onchain agent on Base can use — the projects integrating Base MCP, and the wider DeFi, data, and infrastructure servers that support the network.
16A10B2D· 28 graded · 0 pending · 5 no MCP
Base’s own skill states its plugins are “built by third parties… Base doesn’t operate, endorse, or audit them.” This is that audit — extended to the wider set of Base-supporting MCP servers.
Each server is graded on its own MCP surface. Grades reflect the testable surface (state-changing tools aren’t exercised by default); remote-only servers cap at B (egress unverifiable), npm servers run sandboxed and can reach A, and a C-04 (adversarial-input) failure caps a grade at D. 3rd-party marks a community wrapper rather than the protocol’s own server. These rows are not published — no public badge or report shows them.
Grade
Project
MCP server
ChecksPer-category checks (pass · fail · skip = not run): 01 tool-output injection · 02 egress overreach · 03 sensitive-data handling. C-04 (adversarial input) is graded off-table and caps the letter at D.
AdoptionAdoption score (0–100) — downloads, stars, dependents and release velocity, normalized across tracked servers. Reach, not safety; the grade is the verdict. Registry servers only; remote/untracked show —.
This index is a snapshot. We re-grade Base's MCP servers and skills on a cadence and flag regressions — a dropped grade, a newly failing probe, a changed tool surface — before they reach your users. Set up per network.
C-01 tool-output injection · C-02 permission/egress overreach · C-03 sensitive-data handling · C-04 adversarial input (off-table; caps the letter at D). Adoption is reach (0–100), not safety — the grade is the verdict. Reproduce any grade by re-running the open harness against the same ref. Each server links to its polygraph report; see the full MCP Security Index.