Documentation Index
Fetch the complete documentation index at: https://docs.golf.dev/llms.txt
Use this file to discover all available pages before exploring further.
Golf Inventory audits every discovered MCP server against 35+ security checks. This page explains how to interpret the results.
Risk Scoring
Golf Inventory uses the same 0–100 scoring model as the OSS Scanner:
- Each check produces findings with a severity (critical, high, medium, note)
- Per-check scores are combined using severity-weighted averages
- Hard caps enforce maximum scores: any critical finding caps at 30, any high finding caps at 59
- Risk levels: Low (≥60), Moderate (>30), High (≤30)
See the Scanner scoring documentation for the full algorithm.
Governance Classification
Every discovered server is classified into one of three governance states:
| Classification | Description |
|---|
| Proxied | Server URL matches a Golf Gateway upstream. Traffic flows through the gateway, enabling threat detection, audit logging, rate limiting, and PII scrubbing. |
| Known | Server exists in Control Plane configuration (assigned to a gateway or added as a known server), but the employee connects directly, bypassing gateway controls. |
| Shadow | Not configured in Control Plane at all. Unmanaged and ungoverned — no visibility into what data flows through it. |
Finding Categories
Findings are organized into 12 categories:
| Category | Description |
|---|
| NHI exposure | Non-human identity credentials exposed in configuration |
| Credential access | Plaintext credentials in arguments, URLs, or environment variables |
| Vulnerable packages | Known CVEs or malware in npm/PyPI packages |
| Typosquatting risk | Package names similar to known packages — possible supply chain attack |
| Toxic combinations | Dangerous combinations of capabilities (e.g., read secrets + external network) |
| Prompt injection | Tool descriptions containing injection patterns |
| Command injection | Shell injection metacharacters or dangerous command patterns |
| Authentication risk | Missing or weak authentication on public servers |
| Unsandboxed | Server running without container isolation or restrictive permissions |
| Outdated/unmaintained | Archived repositories, low adoption, or missing source code links |
| Capabilities not fetched | Server capabilities have not been retrieved yet |
| Custom server | Server not found in any registry — requires manual review |
Sandbox Analysis
Server source code is executed in an isolated cloud sandbox. The analysis examines:
- Dependency tree and count
- External domains the server communicates with
- Secrets embedded in source code
- Overall risk profile
Results are returned as severity levels from CRITICAL (deny recommendation) to NOTE (low risk).
Capability Analysis
All server tools, prompts, and resources are analyzed for holistic risk assessment. The analysis produces per-tool assessments across seven risk categories (see below).
Tool descriptions and input schemas are analyzed for prompt injection patterns:
- Prompt override instructions
- Data exfiltration instructions
- Cross-tool manipulation
- Obfuscation techniques (ANSI codes, zero-width characters, bidirectional text)
Description Change Detection (TOFU/Rug-Pull)
A trust-on-first-use (TOFU) system that establishes baseline hashes for tool descriptions on the first scan. Subsequent scans compare against the baseline and flag any changes — detecting rug-pull attacks where a tool description is modified after initial trust.
Seven Risk Categories
Capability analysis produces assessments across seven risk categories:
| Category | Description |
|---|
| Destructive tools | Tools that can delete, destroy, or corrupt data |
| Open world access | Tools with unrestricted external access |
| Sensitive data access | Tools accessing credentials, PII, or financial data |
| Code execution | Tools executing arbitrary code or shell commands |
| Write operations | Non-idempotent state changes |
| Broad scope | Over-privileged tools with excessively wide permissions |
| Toxic combinations | Dangerous combinations of capabilities (e.g., read secrets + external network access) |
