ToolTrust
C47/100
Smithery

segellfosc-dev-ayfx-menjometre

mcpsmithery

@Smithery

Menjometre is an independent observatory of Catalan public spending. This MCP server gives any LLM client read-only access to the full dataset and the statistical scoring layer built on top of it. ## Coverage - **~19.5 M** grant records from the Registre d'Ajuts i Subvencions de Catalunya (RAISC), 2016–present - **~1.7 M** public procurement contracts from Dades Obertes de Catalunya - **~496 K** beneficiary entities with normalised identities - A **public-figure graph** linking Parlament deputies, Generalitat officials, and the boards of publicly-funded entities - The **Menjometre score** — a statistical indicator flagging concentration and recurrence patterns in public spending ## What the 48 tools cover | Domain | What you can ask | |---|---| | `entities` | Search, profile, network, activity timeline for any funded organisation | | `grants` | RAISC lookups, concentration analysis, purpose trees, year-over-year trends | | `contractes` | Procurement lookups, sole-source detection, fragmentation patterns | | `organs` | Granting-body rankings and profiles | | `xarxa` | Public-figure graph, shortest path between two people, cluster investigation | | `pressupostos` | Generalitat budget surface | | `meta` | Methodology, scoring explanation, upstream attribution manifest | ## Example prompts - *"Which ten Catalan entities received the most RAISC funds in 2024?"* - *"Show me the concentration profile of the entity with CIF A08000143."* - *"Which grant-giving bodies award the largest share of their budget to a single beneficiary?"* - *"What percentage of Ajuntament de Girona's contracts are sole-source?"* - *"Explain how the Menjometre score is computed."* ## Response envelope Every tool response ships with four things: 1. **Attribution** — a `sources` array citing the upstream dataset, licence (CC-BY-4.0 / Llei 37/2007), and publisher 2. **Scope predicate** — personal-data filters enforced at the database query, not client-side 3. **Framing** — scored responses embed a `score_meta` block with a `not_an_accusation` disclaimer and a link to the methodology page 4. **Neutral statistical language** — the server returns "top decile", "around the median", never accusatory framing Safe for journalism, academic research, and civic-tech tooling. ## Install via npm ```json { "mcpServers": { "menjometre": { "command": "npx", "args": ["-y", "menjometre-mcp"] } } } Also reachable directly over Streamable HTTP at https://www.menjometre.cat/mcp.

By Smithery | 72 findings | Scanned 6/3/2026 | tooltrust-scanner/v0.3.13

9 High5 Medium10 Low48 Info

Risk Summary

Needs Approval

Dep Visibility plus Excessive Permissions raises enough risk that this tool should not be auto-trusted.

Potential impact: This finding indicates the tool should be reviewed before it is trusted.

Recommended action: Keep this tool behind manual approval and avoid unattended runs until the risky capabilities are narrowed or removed.

Suggested policy: keep this tool behind manual approval, do not allow unattended runs, and re-scan after narrowing risky permissions.

Security Findings (72)

  • HighAS-002

    ⚠️Excessive Permissions ×7

    tool declares network permission

    searchget_xarxa_statsget_xarxa_by_comarcaget_source_documentsfetch_source_document

    tool declares exec permission

    get_pressupostos_hubfetch_source_document

    Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.

  • HighAS-003

    🔀Scope Mismatch ×2

    tool name "get_pressupostos_hub" implies read-only operation but declares exec permission

    get_pressupostos_hub

    tool name "fetch_source_document" implies read-only operation but declares exec permission

    fetch_source_document

    Fix: Ensure tool names, descriptions, and permission declarations are internally consistent. Use explicit naming conventions that fully reflect actual capabilities.

  • MediumAS-002

    ⚠️Excessive Permissions ×5

    tool declares fs permission

    get_entityget_entity_financialsget_politicianget_organget_ens_public

    Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.

  • LowAS-011

    ℹ️Missing Rate-Limit / Timeout ×8

    tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration

    searchget_lobby_meetingsget_pressupostos_hubget_fiscal_deficitget_xarxa_statsget_xarxa_by_comarcaget_source_documentsfetch_source_document

    Fix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.

  • LowAS-002

    ⚠️Excessive Permissions ×2

    tool declares http permission

    get_lobby_meetingsget_fiscal_deficit

    Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.

  • InfoAS-014

    ℹ️Dependency Inventory Unavailable ×48

    Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.

    searchlist_filter_optionsget_dataset_statsget_entityget_entity_grantsget_entity_contractsget_entity_financialsget_entity_risk_analysisget_rankingscompare_entitiesget_politicianget_politician_salary_historylist_carrecsget_partyget_politica_hubget_porta_giratoriaget_politician_conflictsget_entity_conflictsanalyze_conflict_of_interestdetect_undisclosed_conflictsget_lobby_meetingsget_organlist_organsget_ens_publiclist_ens_publicsget_pressupostos_hubget_budget_by_departmentget_budget_partidesget_efficiency_analysisget_fiscal_deficitget_budget_transfersget_yearly_trends_budgetget_xarxa_statsget_xarxa_by_comarcaget_person_networkget_entity_networkfind_shortest_pathget_network_hubsdetect_clustersinvestigate_clusteranalyze_contract_networkget_equivalenciesget_yearly_trendsexport_dataget_methodologyget_source_documentslist_documents_for_entityfetch_source_document

    Fix: Review and remediate the identified issue.

Scan this tool yourself

Reproduce this audit locally, integrate into CI, or let your agent audit its own tools.

Install once, then scan any MCP server:

$ curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash
$ tooltrust-scanner scan --server "npx -y segellfosc-dev-ayfx-menjometre"

Adjust the package name if your npm registry name differs from the tool ID. View source

Add badge to your README

Copy this Markdown to show your ToolTrust grade on GitHub.

[![ToolTrust Grade C](https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-directory/main/docs/badges/grade-c.svg)](https://github.com/AgentSafe-AI/tooltrust-directory)