CertScore MCP

CertScore website risk-signal tools for scans, findings, evidence, and latest-domain lookups.

CertScore MCP is an npm package (version 0.2.3) published by ai.certscore that exposes website risk-signal capabilities to AI agents through the Model Context Protocol over stdio transport. It is configured with two environment variables: CERTSCORE_API_KEY for authentication and CERTSCORE_BASE_URL to point at the target API endpoint.

According to its description, the server provides tooling around four areas: website scans, findings from those scans, evidence associated with findings, and latest-domain lookups. An agent connected to this server can retrieve risk assessments for websites, surface specific findings tied to a domain, access supporting evidence behind those findings, and look up the most recent data available for a given domain.

This makes it applicable in workflows where an agent needs to programmatically assess the risk posture of a website or domain, such as during vendor evaluation, threat triage, or compliance checking pipelines. Because the server relies on a CERTSCORE_API_KEY, a valid account with the CertScore service is a prerequisite before the server can be used. No tools are currently published in the registry record, so the exact callable surface must be confirmed from the package itself or the upstream repository at github.com/ergoveritas1-alt/certscore.ai.

Use cases

  • Retrieve risk scan results for a domain as part of an automated vendor review workflow
  • Surface security findings associated with a website during a threat triage process
  • Access evidence records backing a specific risk finding for audit or compliance purposes
  • Look up the latest domain risk signal data to monitor changes over time
  • Integrate website risk scoring into an AI-driven due-diligence pipeline

When to use it

  • When an agent needs structured risk-signal data about external websites or domains
  • When building automated compliance or vendor risk workflows that require domain scan results
  • When findings and supporting evidence from website assessments need to be retrieved programmatically

When not to use it

  • When a valid CERTSCORE_API_KEY is not available, as the server requires authentication
  • When transport methods other than stdio are needed
  • When the use case involves databases like Postgres — this server covers web domain risk signals, not relational data
  • When a full, enumerated tool list is required before integration, as no tools are listed in the registry record