B+

network.mercury-hq.com

https://network.mercury-hq.com/mcp
89/100 · MCP Trust Grade · checked 1h ago · MCP 2025-06-18

Is the network.mercury-hq.com MCP server safe to use?

Independent trust grade B+ (89/100). No blocking issues found in the static + spec checks. wmcp.sh continuously watches network.mercury-hq.com for tool drift and rug-pulls. The grade is free and identical whether or not the operator pays.

Watched since 2026-07-03 — behavioral baseline locked. We re-check this server's tool surface on a schedule; if it adds, removes, or silently rewrites a tool (rug-pull), we record it.

What it offers — 18 tools · Developer Tools

fetch

VERIFIABLE keyless web-read for autonomous agents. Every result ships a cryptographically SIGNED provenance receipt (EIP-191 over sha256(text)+url+sta

extract

TYPED structured extract for autonomous agents — URL + schema → a clean, type-safe JSON record. Where /buy/fetch returns page TEXT (and ?extract= retu

markdown

URL → clean, LLM-ready markdown (boilerplate/nav/ads stripped, headings + lists + links preserved) with a signed provenance receipt pinning the markdo

metadata

URL → one typed, SIGNED metadata record (JSON-LD + OpenGraph + Twitter-card + standard <meta> + canonical + title), by source. Deterministic, keyless,

links

URL → a SIGNED outbound/internal link graph: every <a href> as an absolute URL + anchor text, classified internal vs external against the page origin,

robots

Domain → signed, timestamped per-AI-crawler allow/block audit from robots.txt + llms.txt + ai.txt (GPTBot, ClaudeBot, PerplexityBot, Google-Extended,

diff

URL + prior content-hash (or prior text) -> refetch, deterministic change-proof: changed? + a NEW signed receipt binding fromHash->toHash. Stateless;

notarize

Notarize any content (inline ?content= or a fetched ?url=) into a signed, offline-verifiable provenance receipt — sha256 contentHash + witnessed times

headers

URL → a deterministic HTTP security-headers audit (HSTS, CSP, X-Frame, X-Content-Type, Referrer-Policy, Permissions-Policy + more) with a letter grade

table

URL in → the page's main HTML <table>(s) parsed into typed, header-keyed rows (JSON) + clean RFC-4180 CSV, with a signed provenance receipt over the e

feed

RSS/Atom feed URL → a SIGNED, normalized item list [{title,link,published,summary}] unified across RSS 2.0/RDF + Atom 1.0: CDATA unwrapped, HTML strip

availability

URL → a signed uptime/status probe: up/down, HTTP status + class, reachability reason, final URL after redirects, and a measured responseMs — wrapped

validate

URL (a JSON/API endpoint) + a JSON Schema in → a deterministic pass/fail with per-field errors (missing/wrong-type/enum/range/pattern), plus a signed

batch

List of URLs (≤20) → clean content for each + ONE signed receipt committing to a MERKLE ROOT over every page's contentHash. Tamper-evident multi-page

sitemap

Domain/URL → a SIGNED snapshot of the site's PUBLISHED sitemap: discovers the sitemap via robots.txt Sitemap: lines then /sitemap.xml fallback, parses

dns

Domain → a SIGNED, timestamped DNS snapshot (A, AAAA, MX, NS, TXT, CNAME, SOA), normalised + sorted into a byte-stable record set with an offline-veri

readability

URL → a clean ARTICLE record { title, byline, publishedAt, article text } with boilerplate (nav/header/footer/sidebar/ads/share-bars/comment-forms) st

redirect

URL → a SIGNED redirect/canonical resolution: the full hop chain [{url,status}] from the link you have to where it ACTUALLY lands, the final resolved

Spec conformance20%100
Security (OWASP MCP)30%100
Reliability / performance20%84
Tool hygiene15%80
Transparency / provenance15%70

Observed behavior

No proxied traffic observed for this host yet. Connect it at /connect and its grade gains a measured Reliability score + per-tool behavioral evidence — the half a static scan can't produce.

Findings

No blocking issues found in the static + spec checks.
Grade another server

We re-grade network.mercury-hq.com on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.

Run network.mercury-hq.com? Claim it (free) to get drift alerts and show an independently-verified trust badge. The grade stays free — claiming just ties it to you.

Share this report card

A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.

MCP Trust report card — network.mercury-hq.com grade B+
Share on X Open card image

Embed this grade

A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.

MCP Trust Grade B+ · wmcp.sh
[![MCP Trust Grade B+](https://wmcp.sh/mcp/grade/network.mercury-hq.com/badge.svg)](https://wmcp.sh/mcp/grade/network.mercury-hq.com)
<a href="https://wmcp.sh/mcp/grade/network.mercury-hq.com"><img src="https://wmcp.sh/mcp/grade/network.mercury-hq.com/badge.svg" alt="MCP Trust Grade B+ · wmcp.sh"></a>

Agents: check this before connecting

Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:

https://wmcp.sh/mcp/trust
How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.