The 6-point evaluation framework
1. Code execution surface
Stdio MCP servers run as subprocesses on the user's machine. They inherit the user's file system, network, and credentials. Question for the vendor: what local resources does the server need access to, and why? Pin to specific packages, never @latest from random publishers.
2. Data flow
For each tool the server exposes, ask:
- What does it read?
- What does it send to the vendor's servers, if anything?
- What does it return to the agent (and therefore to your LLM provider)?
Many MCP servers are pass-through wrappers — they don't have backends — but some do (telemetry, cost tracking, search). Verify the data flow documentation matches the actual network traffic.
3. Cost
MCP tool calls bill on the LLM provider invoice — input + output tokens. Heavy MCP servers (browser automation, codebase indexers) can easily 10× your token spend. Before you greenlight a server, measure 1 week of representative usage and project the annualized cost.
Use the MCPSpend calculator for an order-of-magnitude estimate, or install the proxy for measured data.
4. License + IP posture
- Is the server open source? What license? (MIT and Apache 2.0 are unencumbered for commercial use.)
- Are there CLA / DCO requirements?
- Is the vendor incorporated somewhere you can do business with (no sanctions, etc.)?
5. Supply chain
- npm/pypi provenance attestation? (Verifies the published tarball matches the GitHub source.)
- Lockfile committed? Pinned versions?
- Maintainer count + bus factor — is this a one-person project that could vanish?
- Recent CVEs in transitive dependencies?
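The pinning checks from sections 1 and 5 can be automated against the MCP client configuration. The script below is an added example, not MCPSpend's or any vendor's code: it flags stdio servers started through a package launcher without an exact version. It assumes the common `mcpServers` / `command` / `args` config layout, and every package name in the sample is hypothetical.

```python
import json
import re

# Assumption: the client config uses the common "mcpServers" layout, where each
# stdio server has a "command" and an "args" list.
LAUNCHERS = {"npx", "bunx", "uvx"}  # fetch and run a package at start-up
EXACT = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")  # no ranges, no tags

# Constructed sample; every package name here is hypothetical.
SAMPLE = """{"mcpServers": {
  "files":   {"command": "npx", "args": ["-y", "@example/files-mcp@1.4.2"]},
  "browser": {"command": "npx", "args": ["-y", "example-browser-mcp@latest"]},
  "search":  {"command": "npx", "args": ["-y", "@example/search-mcp"]},
  "git":     {"command": "uvx", "args": ["example-git-mcp"]},
  "local":   {"command": "/opt/tools/notes-server", "args": []}
}}"""

def split_spec(spec):
    """Split 'name@ver', '@scope/name@ver' or 'name==ver' into (name, version)."""
    if "==" in spec:
        return tuple(spec.split("==", 1))
    at = spec.rfind("@")  # index 0 is an npm scope marker, not a version
    return (spec[:at], spec[at + 1:]) if at > 0 else (spec, None)

def audit(config_text):
    """Return {server: finding} for launcher-run servers without an exact pin."""
    findings = {}
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        if server.get("command", "").rsplit("/", 1)[-1] not in LAUNCHERS:
            continue  # local binary: not fetched at start-up, review separately
        # Simplification: the first non-flag argument is taken as the package.
        spec = next((a for a in server.get("args", []) if not a.startswith("-")), None)
        if spec is None:
            findings[name] = "no package argument found"
            continue
        pkg, ver = split_spec(spec)
        if ver is None:
            findings[name] = f"{pkg}: no version, the launcher chooses what to run"
        elif not EXACT.match(ver):
            findings[name] = f"{pkg}: '{ver}' is a tag or range, not an exact version"
    return findings

if __name__ == "__main__":
    for server, finding in audit(SAMPLE).items():
        print(f"{server}: {finding}")
```

An exact version pins only the top-level package; transitive dependencies are covered by the lockfile and CVE questions above.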
6. Vendor responsiveness
For paid MCP services (like MCPSpend itself):
- Public security disclosure channel (SECURITY.md + /.well-known/security.txt)
- SLA with a credit policy
- Signed DPA available
- Public status page
- Reasonable response time (SaaS norm: 4-8 business hours for sev-1)
Practical procurement workflow
- Shortlist from the official MCP Registry or Glama / mcp.so / PulseMCP — these filter out obvious low-quality submissions.
- Read the SECURITY.md if one exists. No SECURITY.md = ask for one before you commit.
- Pilot on a sandbox project for 2 weeks. Tag traffic with MCPSpend so you have measured cost numbers, not guesses.
- Internal security review with your standard third-party SaaS checklist. MCP servers are a SaaS category — not a special case.
- Roll out behind a feature flag so you can disable if a runaway loop appears.
MCPSpend's own procurement posture
For completeness, here's what we publish for buyers evaluating us:
- MIT-licensed proxy on GitHub
- npm provenance attestation on every release
- Public threat model at /security
- RFC 9116 /.well-known/security.txt
- 99.9% SLA at /legal/sla
- DPA template at /legal/dpa
- GDPR Art. 15/17/20 self-serve at /legal/data-rights
- Public status page with 30-day uptime history at /status
- SOC 2 Type I in progress with Vanta, expected Q4 2026
For Enterprise procurement specifically, see /enterprise.