ToolTrust
A4/100
Smithery

getgapup-gapup-mcp

mcpsmithery

@Smithery

270+ agent-payable C-suite expertises (competitive intel, SEC filings, sanctions multi-jurisdiction, KYC, pentest scope, clinical evidence GRADE-graded, real-estate deals EU-first, ESG, NAICS classifier, patent landscape, research paper Q&A). x402 USDC/EURC micro-payments. Free tier 100 calls/mo, no credit card. Dual-audience (human/agent).

By Smithery | 450 findings | Scanned 7/16/2026 | tooltrust-scanner/v0.3.19

78 Low372 Info

Risk Summary

Safe With Normal Controls

Dep Visibility is the main signal, but overall risk remains within an acceptable range.

Potential impact: This finding indicates the tool should be reviewed before it is trusted.

Recommended action: No high-risk findings were detected in this scan, but you should still apply least-privilege defaults and rescan after changes.

Suggested policy: keep this tool behind manual approval, do not allow unattended runs, and re-scan after narrowing risky permissions.

Security Findings (450)

  • LowAS-011

    ℹ️Missing Rate-Limit / Timeout ×77

    tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration

    content_rankingftg_investor_directorymarket_research_briefcompetitive_deep_dive_asynckyc_screener_batchai_governance_full_report_asyncaffiliate_fraud_clickstream_detectorai_act_incident_responseai_act_training_data_auditbond_covenant_monitorcontent_evergreen_score_analyzerincident_response_evidence_collectorip_contract_clause_extractorlabor_law_alert_geologistics_esg_incident_trackerma_arbitrage_hunterma_tax_efficiency_mappersocial_engagement_velocity_trackersovereign_data_breach_impacttalent_contract_risk_mappertalent_legal_dashboardx402_liquidity_monitorai_act_sandbox_regulatory_sandboxbond_covenant_esg_compliance_checkerchange_failure_root_cause_classifierdual_use_export_risk_mapperexecutive_comp_peer_benchmarkoss_dependency_velocity_trackerprogrammatic_brand_safety_auditorretail_media_esg_compliancesafety_violation_incident_loggertariff_arbitrage_finderworking_capital_esg_impact_raterworking_capital_fx_hedge_optimizerattack_surface_monitorbattle_plancapital_strategyearnings_reviewerindustry_classifier_naics_sicinsurance_coverage_analyzerpaid_ads_optimizerpentest_scope_estimatorresearch_paper_qasanctions_screener_multisec_filing_decodertax_optimizationworking_capitalrealtime_data_streamsinterest_ratecourt_filings_multigov_procurement_multiweb_search_multilangpatent_landscapereal_estate_intelclinical_pharma_intelusdc_x402_payments_intelsci_literature_searchpatent_landscape_asyncchina_market_dataindia_market_datasharia_compliance_screenermonte_carlo_portfolioearnings_transcript_signalsugc_moderation_classifierchina_ecommerce_inteljob_postings_intelligenceworkflow_orchestratorhistorical_price_seriescandidate_screening_rankinglegal_clause_extractortranscribe_chapterize_mediaseo_cro_auditseo_keyword_researchcompetitor_pricing_scrapetool_recommendcrm_connectorwebhooks_manage

    Fix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.

  • LowAS-002

    ⚠️Excessive Permissions

    battle_plan:input schema exposes 11 properties (threshold: 10)

    Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.

  • InfoAS-002

    ⚠️Excessive Permissions ×97

    declared capabilities: filesystem access

    content_catalogcontent_enrichmentcontent_similarcontent_audience_profilecontent_comparepitch_deck_storylinecarbon_footprint_calculatortalent_poaching_riskdora_operational_resilience_stress_tescompetitor_profilessustainability_reportdependency_vulnerability_scanesg_audit_multi

    declared capabilities: database access

    content_discoverycontent_taxonomyip_employee_invention_trackercve_security_lookup

    declared capabilities: filesystem access, HTTP requests

    content_rankingftg_investor_directory

    declared capabilities: code/command execution, network access, HTTP requests

    market_research_briefai_governance_full_report_asynccandidate_screening_ranking

    declared capabilities: network access, HTTP requests

    competitive_deep_dive_asynckyc_screener_batchlogistics_esg_incident_trackerpatent_landscape_asyncsharia_compliance_screenerugc_moderation_classifierwebhooks_manage

    declared capabilities: network access

    affiliate_fraud_clickstream_detectorai_act_training_data_auditincident_response_evidence_collectorip_contract_clause_extractorlabor_law_alert_geoma_arbitrage_hunterma_tax_efficiency_mappersocial_engagement_velocity_trackersovereign_data_breach_impacttalent_contract_risk_mappertalent_legal_dashboardbond_covenant_esg_compliance_checkerchange_failure_root_cause_classifieross_dependency_velocity_trackerprogrammatic_brand_safety_auditorretail_media_esg_complianceworking_capital_esg_impact_raterworking_capital_fx_hedge_optimizerattack_surface_monitorcapital_strategyresearch_paper_qasanctions_screener_multitax_optimizationworking_capitalweb_search_multilangpatent_landscapeclinical_pharma_intelsci_literature_searchjob_postings_intelligencehistorical_price_serieslegal_clause_extractortranscribe_chapterize_mediaseo_cro_auditseo_keyword_researchcompetitor_pricing_scrapetool_recommendcrm_connector

    declared capabilities: code/command execution

    ai_act_incident_responsex402_liquidity_monitorai_act_sandbox_regulatory_sandboxexecutive_comp_peer_benchmarksafety_violation_incident_loggertariff_arbitrage_finderbattle_planearnings_reviewerpaid_ads_optimizermonte_carlo_portfolioworkflow_orchestrator

    declared capabilities: HTTP requests

    bond_covenant_monitordual_use_export_risk_mapperpentest_scope_estimatorrealtime_data_streamsinterest_rate

    declared capabilities: network access, filesystem access

    content_evergreen_score_analyzerinsurance_coverage_analyzerusdc_x402_payments_intelchina_market_dataindia_market_datachina_ecommerce_intel

    declared capabilities: code/command execution, network access

    industry_classifier_naics_sicearnings_transcript_signals

    declared capabilities: code/command execution, filesystem access

    sec_filing_decoder

    declared capabilities: filesystem access, environment variables

    corporate_registry_lookupcrypto_wallet_intel

    declared capabilities: network access, filesystem access, environment variables

    court_filings_multi

    declared capabilities: network access, database access, environment variables

    gov_procurement_multi

    declared capabilities: environment variables

    weather_climate_intel

    declared capabilities: network access, environment variables

    real_estate_intel

    Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.

  • InfoAS-014

    ℹ️Dependency Inventory Unavailable ×271

    Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.

    content_catalogcontent_enrichmentcontent_discoverycontent_similarcontent_taxonomycontent_audience_profilecontent_provenancecontent_comparecontent_rankingftg_market_gapftg_production_methodsftg_sourcing_buyersftg_opportunity_scoutftg_business_planftg_production_economicsftg_investor_directoryftg_country_regulationsftg_business_ideasftg_country_studyftg_seller_catalogcompetitor_inteltrend_watcherpartnership_synergiespitch_deck_storylinecarbon_footprint_calculatormarket_research_briefcompetitive_deep_divecompetitive_deep_dive_asynccompetitive_deep_dive_resultkyc_screener_batchkyc_screener_batch_resultai_governance_full_report_asyncai_governance_full_report_resultabm_lookalike_account_finderaffiliate_fraud_clickstream_detectorafrica_trade_barrier_breakerafrica_trade_finance_esg_raterafrica_trade_preference_arbitrageafrica_trade_preference_optimizerai_act_incident_responseai_act_training_data_auditbanking_fee_negotiatorbond_covenant_monitorbrand_equity_voice_share_calculatorcloud_cost_ri_optimizercomp_benchmark_geo_deltacontent_evergreen_score_analyzerincident_response_evidence_collectorip_contract_clause_extractorip_employee_invention_trackerlabor_law_alert_geolnd_ai_skill_forecastlnd_skill_taxonomy_builderlogistics_esg_incident_trackerma_arbitrage_hunterma_tax_efficiency_mappermanufacturing_esg_compliance_mappermanufacturing_waste_heatmapobservability_log_pattern_minerobservability_metric_anomaly_detectorpatent_ownership_auditpayment_rails_cost_analyzerprocurement_okr_esg_alignerprocurement_six_sigma_waste_huntersocial_engagement_velocity_trackersocial_influencer_fake_follower_detectorsovereign_data_breach_impactsre_slo_breach_predictortalent_contract_risk_mappertalent_legal_dashboardtalent_litigation_exposuretalent_poaching_risktrade_finance_eligibilityvendor_esg_blacklist_monitorvendor_esg_diversity_scannervertical_ai_agent_governancevuln_exploitability_forecastvuln_patch_priority_enginex402_liquidity_monitorx402_payment_flow_analyzerx402_payment_fraud_detectoradversarial_input_stress_testerai_act_sandbox_regulatory_sandboxbias_amplification_trackerbond_covenant_esg_compliance_checkerchange_failure_root_cause_classifiercode_review_depth_optimizerdora_metrics_deep_divedora_operational_resilience_stress_tesdpdp_consent_artifact_generatordual_use_export_risk_mapperdual_use_tech_diversion_monitorexecutive_comp_peer_benchmarkglobal_salary_inflation_adjusterhallucination_confidence_meterhr_benefits_esg_alignerjailbreak_attempt_detectorlgpd_data_subject_rights_automatormodel_behavior_drift_monitormodel_safety_certification_checkermttr_breakdown_analyzernis2_supply_chain_dependency_maposs_dependency_velocity_trackerossf_scorecard_trend_analyzerprogrammatic_attribution_calibratorprogrammatic_brand_safety_auditorrepo_rate_arbitrage_scannerretail_media_attribution_bridgeretail_media_esg_compliancesabbatical_policy_comparatorsafety_guardrail_breach_analyzersafety_violation_incident_loggersupply_chain_fx_exposure_dashboardsyndicated_loan_covenant_breach_alertsyndicated_loan_pricing_benchmarktariff_arbitrage_findertariff_impact_simulatorworking_capital_esg_impact_raterworking_capital_fx_hedge_optimizerabm_architectaccount_expansion_mapperaction_plan_esgai_governance_pilotanti_demissions_hrattack_surface_monitoraudit_pre_flightbattle_cards_livebattle_planbp_narratifbrand_builderbudget_variance_aicap_table_strategistcapacity_planningcapital_strategycarbon_roadmapchampion_mappingchurn_defenderclinical_evidence_briefercomp_plan_architectcompetitor_movescompetitor_pricing_radarcompetitor_profilescompetitor_recommendationscontent_enginecontract_risk_scannercross_sell_recocustomer_marketingcustomer_voice_synthcyber_risk_auditordeal_coachdeal_structurerdiscovery_prepdiversity_inclusion_metricsdomain_tech_fingerprintearnings_reviewerenps_autoesrs_narrative_builderevent_marketingfraud_detectorfunding_huntergeographic_expansiongl_reconcilergrowth_path_architectindustry_classifier_naics_sicinfra_blueprint_designerinsurance_coverage_analyzerinternal_communicationinvestor_listinvestor_shortlistip_protection_pilotknowledge_base_autokyc_screenerld_architectlead_magnetsma_deal_screenermargin_doctormargin_doctor_financemarket_entry_strategistmarket_sizingmarketing_roi_dashboardmeddic_scoringonboarding_salariesoperational_dashboardsoutbound_sequencerpaid_ads_optimizerpentest_scope_estimatorpositioning_strategistpress_influencerpricing_in_dealpricing_strategistprivacy_compliance_auditprocess_mappingprocess_miningprocurement_spend_optimproposal_generatorqa_pre_flightqbr_autore_deal_screenerrecruiting_architectrenewal_optimizerreputation_engineresearch_paper_qarevops_architectrfp_tender_architectrse_policy_buildersales_enablement_architectsales_pipeline_forecastsanctions_screener_multisave_playssec_filing_decodersentiment_news_pulsestrategic_options_analyzersupplier_esg_auditsustainability_reportsustainability_reporting_pilottax_optimizationterm_sheet_negotiationtreasury_optimizerupsell_huntervendor_managementvendor_risk_assessorwin_loss_decoderworking_capitalfx_raterealtime_data_streamsinterest_rateeconomic_indicatorcorporate_registry_lookupcourt_filings_multigov_procurement_multiweb_search_multilangcve_security_lookupdependency_vulnerability_scanpatent_landscapeweather_climate_intelreal_estate_intelclinical_pharma_intelusdc_x402_payments_intelsci_literature_searchpatent_landscape_asyncpatent_landscape_resultchina_market_dataindia_market_dataemail_domain_health_checksharia_compliance_screenergeo_logistics_inteltax_compliance_multitalent_intelligenceagoa_eba_intelligenceesg_audit_multifinancial_model_3statementcrypto_wallet_intelmonte_carlo_portfolioearnings_transcript_signalsarbitration_awards_lookupugc_moderation_classifierchina_ecommerce_intelclimate_scenario_rcpjob_postings_intelligenceworkflow_orchestratorhistorical_price_seriescandidate_screening_rankinglegal_clause_extractortranscribe_chapterize_mediaseo_cro_auditseo_keyword_researchcompetitor_pricing_scrapetool_recommendcrm_connectorwebhooks_managejob_result

    Fix: Review and remediate the identified issue.

  • InfoAS-010

    🔑Insecure Secret Handling ×4

    input parameter "snykToken" accepts a credential (informational; not evidence of insecure handling)

    mttr_breakdown_analyzer

    input parameter "githubToken" accepts a credential (informational; not evidence of insecure handling)

    mttr_breakdown_analyzer

    input parameter "credentials" accepts a credential (informational; not evidence of insecure handling)

    crm_connector

    input parameter "secret" accepts a credential (informational; not evidence of insecure handling)

    webhooks_manage

    Fix: Avoid accepting raw credentials as input parameters. Use secret managers (e.g. 1Password CLI, AWS Secrets Manager) and ensure credentials are never logged or stored in agent traces.

Scan this tool yourself

Reproduce this audit locally, integrate into CI, or let your agent audit its own tools.

Install once, then scan any MCP server:

$ curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash
$ tooltrust-scanner scan --server "npx -y getgapup-gapup-mcp"

Adjust the package name if your npm registry name differs from the tool ID. View source

Add badge to your README

Copy this Markdown to show your ToolTrust grade on GitHub.

[![ToolTrust Grade A](https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-directory/main/docs/badges/grade-a.svg)](https://github.com/AgentSafe-AI/tooltrust-directory)