meok-mcp-injection-scan-mcp
FlaggedMCP injection / prompt-poisoning / SSRF scanner. 30+ canonical rules covering the April 2026
Our take
Part of a 300+ listing flood from a single operator (MEOK AI Labs / CSOAI): templated repos mass-published across every category, most decorated with an "MCP Scorecard 86/100" badge from proofof.ai — a domain the same operator owns, a self-issued trust signal dressed up as independent review. It presents as an MCP injection scanner. The README is the operator's full boilerplate — "production-ready" feature list, EU AI Act compliance checkmarks, $99/$499 pricing, sales booking link — and its auth middleware meters usage (5 free scans/day as a lead magnet) with API-key tiers at $29/$79 via Stripe and phones home to the operator's attestation endpoint. A security scanner whose own trust signals are self-issued is not a security scanner. Working code doesn't offset manufactured trust signals at this scale.
Verification record
- 2026-06-10