orbisapi-marketplaceupdated
mcpsmitheryOrbis is an API marketplace built for the agent era. Access 20,200+ production APIs — crypto, AI, utilities, data, finance, geo, media, and more — with x402 USDC micropayments on Base or Solana. No accounts. No API keys. No subscriptions. Your wallet is your identity. How it works: Search the catalogue with browse_apis to find what you need with pricing and slugs Call any API with call_api — pass a signed x402 USDC payment header and get real JSON back instantly Your wallet address is your identity — no signup, no monthly plan, no credit card Tools: browse_apis — search across 20,200+ APIs with pricing and category filters call_api — call any API directly with x402 USDC payment on Base or Solana. Pass a signed payment header, get a real JSON response instantly. Configuration: { "mcpServers": { "orbis": { "url": "https://orbisapi.com/api/mcp" } } } Payment: x402 on Base or Solana mainnet (USDC). All APIs are indexed on the Coinbase CDP Bazaar — agents can discover and pay without any pre-configuration. Provider revenue split: 80% to providers, 20% platform fee.
By Smithery | 16 findings | Scanned 5/29/2026 | tooltrust-scanner/v0.3.12
Risk Summary
Needs ApprovalExcessive Permissions plus Dep Visibility raises enough risk that this tool should not be auto-trusted.
Potential impact: The agent may gain overly broad access to files, network, databases, or execution capabilities.
Recommended action: Keep this tool behind manual approval and avoid unattended runs until the risky capabilities are narrowed or removed.
Suggested policy: keep this tool behind manual approval, do not allow unattended runs, and re-scan after narrowing risky permissions.
Security Findings (16)
tool declares network permission
browse_apissubscribe_to_apicall_apiFix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
input parameter "password" appears to accept a secret or credential
register_agentsubscribe_to_apicall_apiFix: Avoid accepting raw credentials as input parameters. Use secret managers (e.g. 1Password CLI, AWS Secrets Manager) and ensure credentials are never logged or stored in agent traces.
tool declares db permission
browse_apistool declares fs permission
call_apiFix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
browse_apissubscribe_to_apicall_apiFix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.
call_api:tool declares http permission
Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.
browse_apisregister_agentsubscribe_to_apicall_apiFix: Review and remediate the identified issue.
Scan this tool yourself
Reproduce this audit locally, integrate into CI, or let your agent audit its own tools.
Install once, then scan any MCP server:
$ curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash$ tooltrust-scanner scan --server "npx -y orbisapi-marketplaceupdated"Adjust the package name if your npm registry name differs from the tool ID. View source
Add badge to your README
Copy this Markdown to show your ToolTrust grade on GitHub.
[](https://github.com/AgentSafe-AI/tooltrust-directory)