Data Sources & Attribution

Pulrix aggregates security data from multiple sources to compute composite security scores for MCP servers. We are grateful to the following projects and organizations whose data makes this possible.

Vulnerability Data

OSV.dev

Vulnerability data provided by OSV.dev, a project by Google. Licensed under the Apache License, Version 2.0.

License: https://www.apache.org/licenses/LICENSE-2.0

GitHub Advisory Database

Security advisory data from the GitHub Advisory Database. Licensed under Creative Commons Attribution 4.0 International (CC-BY-4.0).

License: https://creativecommons.org/licenses/by/4.0/

Package Metadata

npm Registry

Package metadata from the npm public registry, operated by GitHub/npm, Inc.

MCP Server Discovery

awesome-mcp-servers by wong2

MCP server index used for discovery. Licensed under the MIT License.

https://github.com/wong2/awesome-mcp-servers

MCP Servers (Official)

Server directory maintained by the Model Context Protocol team. Licensed under Apache 2.0 + MIT.

https://github.com/modelcontextprotocol/servers

Security Analysis

Internal Scanners

Pulrix runs its own static analysis, prompt injection detection, MCP tool poisoning detection, credential access scanning, hidden Unicode detection, shell/exec pattern detection, and tool schema analysis. These scanners are proprietary to Pulrix and do not rely on third-party APIs.

Composite Scoring

The Pulrix Score is an independently computed composite metric. It is not endorsed by, affiliated with, or certified by any of the data sources listed above. The score reflects Pulrix's own analysis methodology applied to aggregated signals.

For full details on how scores are calculated, see the Scoring Methodology page.

Last updated: March 2026. Data sources may change as we add or remove integrations. This page will be updated accordingly.