The Problem
Base MCP lets AI agents — Claude, ChatGPT, Cursor, and others — connect to your Base Account via OAuth and perform wallet operations: view balances, send tokens, swap, deposit into DeFi vaults, borrow, repay, and sign messages. Every write action goes through a user approval flow.
But there is no registry. No audit layer. No way to verify what a third-party MCP plugin actually does before your agent connects to it.
Plugins can request wallet access, prepare arbitrary transactions, trigger token approvals via EIP-712 Permit2, and interact with any smart contract. An agent operating autonomously may execute these actions in sequence without per-action user review.
The Trust Gap
No verification exists between the plugin and your wallet. Nullsec fills this gap.
Unlimited Approvals
Plugins can request ERC-20 token approvals with unlimited allowance to unverified spender contracts, draining tokens at any future time.
Unaudited Contracts
MCP tools may interact with smart contracts that have never been audited, exposing your wallet to exploits, rug pulls, and reentrancy attacks.
Opaque Proxy Routing
External API calls may route through opaque proxy servers, enabling man-in-the-middle attacks on price feeds, oracle data, and transaction parameters.
The Scan Pipeline
When you submit an MCP server URL, Nullsec runs a 6-step analysis pipeline in real time. The entire process takes 5–15 seconds.
HTTP Reachability
A HEAD request probes the endpoint with a 5-second timeout. If HEAD is rejected, a GET fallback is attempted. This confirms the server exists and responds.
HEAD https://mcp.example.com → 200 OK (143ms)
MCP Protocol Handshake
A JSON-RPC initialize message is sent following the MCP Streamable HTTP specification. The scanner parses the server's name, version, and declared capabilities from the response.
POST {"jsonrpc":"2.0","id":1,"method":"initialize","params":{...}} → serverInfo: {name, version}
Tool Discovery
After sending a notifications/initialized confirmation, the scanner calls tools/list to enumerate every tool the MCP server exposes. Each tool's name, description, and input schema are extracted.
POST {"method":"tools/list"} → tools: [{name: "swap_tokens", description: "..."}, ...]
Permission Classification
Each discovered tool is classified as read, write, or critical by matching its name and description against keyword dictionaries. The tool name is normalized into a permission string (e.g. swap_tokens → swap:tokens).
swap_tokens → write | approve_token → critical | get_balance → read
Risk Scoring
Four risk axes are computed from the classified tools: Contract Interaction, Approval Risk, Slippage Risk, and External Call Risk. A weighted formula produces the final 0-100 risk score. Unreachable endpoints incur additional penalties.
final = contract×0.30 + approval×0.35 + slippage×0.15 + external×0.20 + penalties
Report Generation
The analyzer produces context-aware findings, determines the agent autonomy level, and assigns a recommendation (SAFE / REVIEW / BLOCK) and verification status. The complete report is stored and returned.
Graceful Degradation
If an endpoint is unreachable or requires OAuth (like Base MCP itself), the scanner records the failure and falls back to URL-based heuristic analysis. Permissions are inferred from the domain and path structure. The report clearly notes that MCP protocol was not confirmed.
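The first three pipeline steps and the degraded fallback, written out as an added example in Python (not Nullsec's own scanner code). The HTTP transport is injected so the exchange runs offline against a constructed fake server; the status-code convention for a connection failure (0), the client name, and the protocol version string are assumptions of this example.

```python
"""Added example, not Nullsec's code: reachability probe, MCP initialize
handshake, tools/list discovery and the degraded fallback, over an injected
transport so the whole exchange can be exercised offline."""
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# transport(method, url, json_body) -> (status, body). Status 0 stands for a
# connection failure (a convention of this example, not an HTTP code).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, str]]


@dataclass
class ScanResult:
    reachable: bool = False
    mcp_confirmed: bool = False
    server_name: Optional[str] = None
    server_version: Optional[str] = None
    tools: List[dict] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def jsonrpc(method: str, params: Optional[dict] = None, id_: Optional[int] = None) -> dict:
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if id_ is not None:            # notifications carry no id
        msg["id"] = id_
    return msg


def scan(url: str, transport: Transport) -> ScanResult:
    res = ScanResult()
    status, _ = transport("HEAD", url, None)          # step 1: HEAD probe
    if status in (405, 501):                          # HEAD rejected: GET fallback
        status, _ = transport("GET", url, None)
    if status == 0:
        res.notes.append("endpoint unreachable; URL-based heuristics only")
        return res
    res.reachable = True
    if status == 401:
        res.notes.append("endpoint requires OAuth; MCP protocol not confirmed")
        return res
    init = jsonrpc("initialize", {                    # step 2: handshake
        "protocolVersion": "2025-03-26",              # assumed version string
        "capabilities": {},
        "clientInfo": {"name": "scanner-example", "version": "0.1"}}, id_=1)
    _, body = transport("POST", url, init)
    try:
        info = json.loads(body)["result"]["serverInfo"]
    except (ValueError, KeyError, TypeError):
        res.notes.append("reachable but no valid initialize reply; MCP not confirmed")
        return res
    res.mcp_confirmed = True
    res.server_name, res.server_version = info.get("name"), info.get("version")
    transport("POST", url, jsonrpc("notifications/initialized"))   # step 3
    _, body = transport("POST", url, jsonrpc("tools/list", {}, id_=2))
    try:
        listed = json.loads(body)["result"]["tools"]
    except (ValueError, KeyError, TypeError):
        listed = []
        res.notes.append("tools/list failed; no tools enumerated")
    res.tools = [{"name": t.get("name", ""), "description": t.get("description", "")}
                 for t in listed]
    return res


# Constructed fake servers standing in for real endpoints.
FAKE_TOOLS = [
    {"name": "get_balance", "description": "Read token balances for the wallet"},
    {"name": "swap_tokens", "description": "Swap tokens on a DEX router"},
    {"name": "approve_token", "description": "Set an ERC-20 allowance for a spender"},
]


def fake_mcp_server(method: str, url: str, body: Optional[dict]) -> Tuple[int, str]:
    if method == "HEAD":
        return 405, ""                                # rejects HEAD, forcing GET
    if method == "GET":
        return 200, "ok"
    m = body.get("method") if body else None
    if m == "initialize":
        return 200, json.dumps({"jsonrpc": "2.0", "id": body["id"], "result": {
            "protocolVersion": "2025-03-26", "capabilities": {"tools": {}},
            "serverInfo": {"name": "example-server", "version": "1.0.0"}}})
    if m == "notifications/initialized":
        return 202, ""
    if m == "tools/list":
        return 200, json.dumps({"jsonrpc": "2.0", "id": body["id"],
                                "result": {"tools": FAKE_TOOLS}})
    return 404, ""


def oauth_gated_server(method, url, body):
    return 401, ""                 # reachable but OAuth-gated, like Base MCP itself


def dead_server(method, url, body):
    return 0, ""                   # connection refused / DNS failure
```

Calling `scan(url, fake_mcp_server)` walks the full handshake and returns the three tools; `scan(url, oauth_gated_server)` returns `reachable=True, mcp_confirmed=False` with a note, which is exactly the state the report has to flag so a reader does not mistake heuristic results for a confirmed protocol scan.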
The Risk Model
Every plugin is scored across four independent risk axes. Each axis measures a distinct threat vector relevant to onchain MCP operations.
Risk Axes
Contract Interaction Risk
Weight 30%. Measures exposure to direct smart contract calls. Triggered by tools that deploy, call, or interact with vaults, pools, markets, or routers.
Approval Risk
Weight 35%. The highest-weighted axis. Measures token approval operations including ERC-20 approve, Permit2 signatures, and allowance management.
Slippage Risk
Weight 15%. Evaluates swap and trade operations where slippage tolerance affects execution price. Triggered by DEX, AMM, and routing tools.
External Call Risk
Weight 20%. Assesses dependencies on external APIs, oracles, price feeds, and proxy servers that could be manipulated or compromised.
Scoring Formula
riskScore = contractInteractionRisk × 0.30
+ approvalRisk × 0.35
+ slippageRisk × 0.15
+ externalCallRisk × 0.20
+ (unreachable ? 15 : 0)
+ (reachable but not MCP ? 8 : 0)
Classification Thresholds
Recommendation: SAFE
Recommendation: REVIEW
Recommendation: BLOCK
Agent Autonomy Levels
Permission Classification
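The scoring formula above, the classification step, the autonomy ratio and the verification rule, carried through in one added Python example (not Nullsec's code). Only the four axis weights, the two penalties and the "below 35 is verified" rule come from this page; the keyword dictionaries, the per-axis point values, the permission-string rule and the REVIEW/BLOCK bands are assumptions made here so the example runs end to end.

```python
"""Added example, not Nullsec's code: keyword-based permission classification,
the four risk axes, the published weighted formula with its penalties, and the
derived autonomy level and status. Keyword lists, per-axis point values and the
review/block bands are assumptions; only the weights, the penalties and the
'below 35 is verified' rule come from the page."""
from typing import Dict, List

CRITICAL_KW = ("approve", "permit", "allowance", "deploy")
WRITE_KW = ("swap", "send", "transfer", "deposit", "withdraw", "borrow",
            "repay", "sign", "call", "execute", "trade")
CONTRACT_KW = ("vault", "pool", "market", "router", "deploy", "contract")
APPROVAL_KW = ("approve", "permit", "allowance")
SLIPPAGE_KW = ("swap", "trade", "dex", "amm", "route")
EXTERNAL_KW = ("oracle", "api", "price", "feed", "proxy")
WEIGHTS = {"contractInteractionRisk": 0.30, "approvalRisk": 0.35,
           "slippageRisk": 0.15, "externalCallRisk": 0.20}   # from the page


def _text(tool: Dict[str, str]) -> str:
    return f"{tool['name']} {tool.get('description', '')}".lower()


def normalize_permission(tool_name: str) -> str:
    """swap_tokens -> swap:tokens (assumed rule: first segment is the scope)."""
    head, _, rest = tool_name.lower().partition("_")
    return f"{head}:{rest}" if rest else head


def classify(tool: Dict[str, str]) -> str:
    text = _text(tool)
    if any(k in text for k in CRITICAL_KW):
        return "critical"
    if any(k in text for k in WRITE_KW):
        return "write"
    return "read"


def axis(tools: List[dict], keywords, points: int) -> int:
    """Assumed per-axis rule: fixed points per matching tool, capped at 100."""
    hits = sum(any(k in _text(t) for k in keywords) for t in tools)
    return min(100, hits * points)


def risk_axes(tools: List[dict]) -> Dict[str, int]:
    approval = axis(tools, APPROVAL_KW, 40)
    if any("unlimited" in _text(t) for t in tools):   # unbounded allowance requested
        approval = min(100, approval + 30)
    return {"contractInteractionRisk": axis(tools, CONTRACT_KW, 30),
            "approvalRisk": approval,
            "slippageRisk": axis(tools, SLIPPAGE_KW, 25),
            "externalCallRisk": axis(tools, EXTERNAL_KW, 20)}


def risk_score(axes: Dict[str, int], reachable: bool, mcp_confirmed: bool) -> int:
    score = sum(axes[k] * w for k, w in WEIGHTS.items())   # the page's formula
    if not reachable:
        score += 15                                        # unreachable penalty
    elif not mcp_confirmed:
        score += 8                                         # reachable-but-not-MCP penalty
    return min(100, round(score))


def autonomy_level(levels: List[str]) -> str:
    """Ratio of critical + write tools to all tools; bands are assumed."""
    ratio = sum(l in ("write", "critical") for l in levels) / max(len(levels), 1)
    return "low" if ratio <= 1 / 3 else "medium" if ratio <= 2 / 3 else "high"


def recommendation(score: int) -> str:
    return "safe" if score < 35 else "review" if score < 70 else "block"  # assumed bands


def analyze(tools: List[dict], reachable: bool = True, mcp_confirmed: bool = True) -> dict:
    levels = [classify(t) for t in tools]
    axes = risk_axes(tools)
    score = risk_score(axes, reachable, mcp_confirmed)
    return {
        "permissions": [{"name": normalize_permission(t["name"]), "level": lvl}
                        for t, lvl in zip(tools, levels)],
        "riskScore": score,
        "status": "verified" if score < 35 else "pending",   # page: below 35 is verified
        "securityReport": {**axes, "agentAutonomyLevel": autonomy_level(levels),
                           "recommendation": recommendation(score)},
    }


# Constructed sample tool list, shaped like a tools/list result.
SAMPLE_TOOLS = [
    {"name": "get_balance", "description": "Read token balances for the wallet"},
    {"name": "swap_tokens", "description": "Swap tokens on a DEX router"},
    {"name": "approve_token", "description": "Set an ERC-20 allowance for a spender"},
]
```

With the sample tools, `analyze(SAMPLE_TOOLS)` scores 27 and is verified; the same tools behind an unreachable endpoint score 42, and behind a reachable endpoint that never completed the handshake score 35, which is the boundary where the verification rule flips to pending. The penalties therefore matter most for plugins that are otherwise near the threshold.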
Supported Chains
Base MCP supports 7 mainnets and 1 testnet. Nullsec analyzes plugins operating across all supported networks.
API Reference
All endpoints return JSON. No authentication required. Rate limiting may apply in production.
List all indexed plugins, sorted by risk score ascending. Optionally filter by verification status.
Request
curl https://mcp.trynullsec.com/api/plugins
curl https://mcp.trynullsec.com/api/plugins?status=verified
Response
[
{
"id": "base-swap",
"name": "Base Swap MCP",
"status": "verified",
"riskScore": 12,
"permissions": [...],
"securityReport": {...}
},
...
]
Retrieve a single plugin with full security report, permissions, and metadata.
Request
curl https://mcp.trynullsec.com/api/plugins/base-swap
Response
{
"id": "base-swap",
"name": "Base Swap MCP",
"developer": "Base Core",
"version": "2.1.0",
"status": "verified",
"riskScore": 12,
"mcpEndpoint": "mcp.base.org/swap",
"permissions": [
{"name": "wallet:read", "level": "read"},
{"name": "swap:execute", "level": "write"},
{"name": "token:approve", "level": "critical"}
],
"securityReport": {
"contractInteractionRisk": 15,
"approvalRisk": 22,
"slippageRisk": 18,
"externalCallRisk": 5,
"agentAutonomyLevel": "medium",
"recommendation": "safe",
"findings": [...]
}
}
Submit a new MCP endpoint for live scanning. The scanner probes the URL, performs an MCP handshake, discovers tools, and generates a security report. Returns the created plugin. Takes 5-15 seconds.
Request
curl -X POST https://mcp.trynullsec.com/api/plugins \
-H "Content-Type: application/json" \
-d '{"url": "https://mcp.example.com", "name": "My Plugin", "developer": "Acme"}'
Response
{
"id": "mcp-example-com",
"name": "My Plugin",
"status": "pending",
"riskScore": 42,
"securityReport": {
"recommendation": "review",
"findings": [
"MCP server identified: example-server v1.0.0",
"8 tool(s) discovered via MCP tools/list",
"2 critical permission(s): token:approve, contract:call",
...
]
}
}
Re-scan an existing plugin. Probes the endpoint again, re-analyzes tools, and updates the security report with a fresh timestamp.
Request
curl -X POST https://mcp.trynullsec.com/api/plugins/base-swap/scan
Response
{
"id": "base-swap",
"riskScore": 12,
"lastScanned": "2026-05-26T19:30:00.000Z",
"securityReport": {...}
}
Aggregate statistics across all indexed plugins.
Request
curl https://mcp.trynullsec.com/api/stats
Response
{
"total": 6,
"verified": 4,
"pending": 1,
"blocked": 1
}
For Plugin Developers
How to get your Base MCP plugin verified by Nullsec and what the scanner evaluates.
Getting Verified
Submit your MCP server URL at mcp.trynullsec.com. The automated scanner will probe your endpoint, discover your tools, and generate a security report. Plugins with a risk score below 35 automatically receive VERIFIED status.
What the Scanner Checks
Server must respond to JSON-RPC initialize and tools/list
Each tool is classified by its name and description keywords
Token approvals should be scoped to exact amounts, not unlimited
Smart contract interactions are flagged if not in known audit registries
Oracle, API, and proxy calls are tracked as external risk vectors
Ratio of critical+write tools to total determines agent freedom
Best Practices to Lower Your Risk Score
Scope token approvals to exact amounts
Never request unlimited allowance. Match approval to the deposit or swap size. This directly reduces your Approval Risk axis.
Use audited smart contracts only
Interact with contracts from known, audited protocols. Unverified contract targets significantly increase Contract Interaction Risk.
Expose minimal permissions
Only register tools your plugin needs. Fewer write and critical tools means a lower autonomy level and better risk score.
Avoid external proxy routing
Make RPC calls directly to verified endpoints. Routing through third-party proxies raises External Call Risk and erodes trust.
Enforce slippage caps
If your plugin performs swaps, enforce a maximum slippage tolerance (recommended: 2% or less). This reduces Slippage Risk.
Provide descriptive tool names
The scanner classifies tools by name and description. Clear, specific names like get_token_balance produce more accurate classifications than ambiguous names like do_action.
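The practices above applied on the plugin side, as an added Python example that is neither Nullsec's nor Base MCP's code: a descriptively named swap tool whose declared schema already bounds slippage, and a handler that refuses unbounded allowances and unknown spenders before anything is prepared for the user's approval flow. The tool name, the schema, the allowlist address and the "2^255 or larger counts as unlimited" threshold are constructed assumptions.

```python
"""Added example, not Nullsec's or Base MCP's code: plugin-side validation for
a hypothetical swap tool, applying exact-amount approvals, an audited spender
allowlist, a slippage cap and a descriptive tool name. Addresses, the allowlist
and the schema are constructed."""
from typing import Dict

MAX_UINT256 = 2**256 - 1
MAX_SLIPPAGE_BPS = 200             # 2% cap, the page's recommendation
UNLIMITED_THRESHOLD = 2**255       # assumed: anything this large is treated as unlimited
# Constructed allowlist of router/spender addresses the plugin will ever approve.
AUDITED_SPENDERS = {"0x00000000000000000000000000000000000000a1"}

# Tool definition: a specific name, and a schema that cannot express an
# unbounded slippage value, so the cap is visible in the declared schema.
SWAP_TOOL = {
    "name": "swap_exact_tokens",
    "description": "Swap an exact token amount via an audited router with bounded slippage",
    "inputSchema": {
        "type": "object",
        "required": ["token_in", "token_out", "amount_in", "quoted_amount_out",
                     "slippage_bps", "spender"],
        "properties": {
            "token_in": {"type": "string"},
            "token_out": {"type": "string"},
            "amount_in": {"type": "string", "description": "exact input amount in base units"},
            "quoted_amount_out": {"type": "string", "description": "quote the swap was planned on"},
            "slippage_bps": {"type": "integer", "minimum": 0, "maximum": MAX_SLIPPAGE_BPS},
            "spender": {"type": "string", "description": "router address to approve"},
        },
    },
}


class ToolInputError(ValueError):
    """Raised before any transaction is prepared for the user's approval flow."""


def build_swap_plan(args: Dict) -> Dict:
    """Validate tool arguments and return the exact approve + swap steps to prepare."""
    amount_in = int(args["amount_in"])
    if amount_in <= 0 or amount_in >= UNLIMITED_THRESHOLD:
        raise ToolInputError("amount_in must be a bounded, positive exact amount")
    slippage = int(args["slippage_bps"])
    if not 0 <= slippage <= MAX_SLIPPAGE_BPS:
        raise ToolInputError(f"slippage_bps must be within 0..{MAX_SLIPPAGE_BPS}")
    spender = args["spender"].lower()
    if spender not in AUDITED_SPENDERS:
        raise ToolInputError("spender is not an audited router on the allowlist")
    quoted_out = int(args["quoted_amount_out"])
    min_out = quoted_out * (10_000 - slippage) // 10_000   # floor of acceptable output
    return {
        # Allowance equals the swap size exactly: nothing is left over to drain later.
        "approve": {"spender": spender, "amount": amount_in},
        "swap": {"token_in": args["token_in"], "token_out": args["token_out"],
                 "amount_in": amount_in, "min_amount_out": min_out, "router": spender},
    }


def is_unlimited_allowance(amount: int) -> bool:
    """The same threshold a scanner could apply when reading an approval request."""
    return amount >= UNLIMITED_THRESHOLD
```

Because the schema caps `slippage_bps` at 200 and the handler re-checks it, a caller cannot widen the tolerance by editing the request; the allowance is bound to `amount_in`, so the plan never needs `MAX_UINT256`, and `is_unlimited_allowance` shows the mirror-image check a reviewer of an approval request would run.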
Ready to scan?
Paste any MCP server URL. Get a full security report in 10 seconds.