HomeReadTools deskMarketNow brings security audits to the MCP server marketplace
Tools·Jul 13, 2026

MarketNow brings security audits to the MCP server marketplace

While other marketplaces for Model Context Protocol (MCP) servers compete on catalog size, MarketNow focuses on security, offering a multi-layer audit pipeline to vet servers for malicious behavior…

While other marketplaces for Model Context Protocol (MCP) servers compete on catalog size, MarketNow focuses on security, offering a multi-layer audit pipeline to vet servers for malicious behavior before you run them.

THE ANSWER UP FRONT

MarketNow is for developers building with MCP servers who handle sensitive data or operate in production environments. Its security-first approach is a necessary safeguard in an ecosystem with no native sandboxing. You should skip it if your use case is purely experimental, non-sensitive, and you need the absolute largest selection of servers for discovery, in which case the larger, unaudited PulseMCP might be a starting point. The bottom line: MarketNow is the only marketplace treating the MCP ecosystem like a real software supply chain, where running untrusted code from the internet is a verifiable risk.

METHODOLOGY

This is a v0 review of MarketNow, observed on July 8, 2026. It draws exclusively on the founder's published claims and market comparison in a blog post on dev.to, available at https://dev.to/edison_flores_6d2cd381b13/mcp-server-marketplaces-compared-smithery-vs-glama-vs-pulsemcp-vs-marketnow-2e83. This analysis covers the founder's description of the MarketNow security model, its position relative to competitors (Smithery, Glama, PulseMCP), and the specific claims made about vulnerabilities found in public MCP servers. What's not covered is any independent performance testing, verification of the Sentinel security pipeline, or hands-on workflow integration. All performance and security figures are founder-reported claims. Update cadence: this review will be updated to v1 when independent verification of the audit pipeline is possible.

WHAT IT DOES

MarketNow is a registry for MCP (Model Context Protocol) servers that prioritizes security over catalog size. The founder, Edison Flores, argues that while discovery is a solved problem, trust is not. Running an MCP server via a command like npx grants it significant access to local credentials, network, and environment variables. MarketNow aims to mitigate this risk.

A security-audited marketplace

Unlike competitors that aggregate thousands of servers without security checks, MarketNow subjects every server in its catalog (currently 8,764) to an automated audit. The founder reports that this process found 3 servers that leaked environment variables when prompted with specific inputs. This is the core differentiator: treating MCP servers as a potential attack vector and providing a layer of defense.

The Sentinel security pipeline

The audit process, named Sentinel, is described as a multi-layer pipeline. The founder details four of these layers:

  • L1.5: Static analysis for dependency vulnerabilities, leaked secrets, and license compliance.
  • L1.6: Pattern-based behavioral analysis.
  • L2 v2.0: An active probe that sends over 60 adversarial inputs to test server responses.
  • L2.5: A gVisor sandbox for userspace kernel isolation, providing a hardened runtime environment. The founder notes this is the most intensive layer and currently covers 206 servers.

Verifiable certificates

Upon completion of the audit, each server is issued a signed SHA-256 certificate with a security score from 0-10. This allows users to verify that the server they are about to install has passed the MarketNow audit and to check its specific score at marketnow.site/verify.

WHAT'S INTERESTING / WHAT'S NOT

The most interesting aspect of MarketNow is its framing. It correctly identifies the core risk of the emerging MCP ecosystem: a lack of sandboxing combined with a frictionless installation culture (npx -y some-random-package) creates a perfect environment for supply chain attacks. The claim that 3 of 8,764 audited servers actively leaked environment variables is a concrete, alarming data point that validates this entire approach. If true, it means the risk is not theoretical.

The founder's transparency is also a strong signal. The post is candid about MarketNow's gaps: a smaller catalog than PulseMCP (8,764 vs. 21,000+), incomplete coverage for its most advanced sandbox (L2.5), and the lack of a third-party audit. This honesty builds more trust than a marketing site that pretends to have no weaknesses.

What's less developed is the business model. The source mentions paid features ranging from $0.99 to $9.99, but doesn't specify what they are. For a security product, the path to monetization is critical. Are users paying for more detailed audit reports, private server scanning, or team-based policy controls? This remains unclear. The core auditing and certification appears to be free, which is great for adoption but leaves questions about long-term sustainability.

PRICING

  • Free Tier: Includes access to the audited registry and server security certificates.
  • Paid Features: The founder mentions paid tiers from $0.99 to $9.99, but does not detail what these include.
  • Competitors Smithery, Glama, and PulseMCP are described as fully free.

(Pricing snapshot taken July 8, 2026.)

VERDICT

For any developer using MCP servers in a professional capacity, MarketNow should be the default starting point. The risk of exposing credentials or environment variables by running unaudited, third-party code is simply too high. While its catalog of 8,764 servers is smaller than the 21,000+ on PulseMCP, the security assurance is worth the trade-off. The founder's claim of finding active credential leaks in public servers makes the value proposition stark. Use other marketplaces for broad discovery if you must, but use MarketNow to verify trust before you install.

WHAT WE'D TEST NEXT

A v1 review would require independent verification of the Sentinel pipeline. First, we would construct a test MCP server designed to leak environment variables and see if the L1.5-L2 audit process can detect it. Second, we would want to understand the efficacy of the L2.5 gVisor sandbox. What specific classes of exploits does it prevent, and what are its performance overheads? Finally, we would analyze the paid features to understand the business model and determine if they offer compelling value for teams or professional developers.

The investor read

MarketNow is a bet that the MCP ecosystem will mature from a hobbyist community into a professional one where security and compliance become primary concerns. This mirrors the evolution of package managers (npm audit) and container registries (Docker Hub vulnerability scanning). By establishing the first security-focused brand, MarketNow could build a moat based on trust and proprietary audit data. The business is currently a solo-founder operation, making it a small, targeted play. Investability hinges on two factors: the continued growth and standardization of the MCP protocol itself, and MarketNow's ability to convert its security leadership into a sustainable revenue model, likely through enterprise features like private registry scanning, policy enforcement, and detailed compliance reports. It's an early but well-positioned 'picks and shovels' play for a new protocol.

Sources · how we verified
  1. MCP server marketplaces compared: Smithery vs Glama vs PulseMCP vs MarketNow

Every claim ties to a primary source. See our methodology.

Reported by the Riley desk on Founderr Pulse’s Tools beat. Every factual claim is tied to a primary source and linked; anything that can’t be stood up doesn’t run. Founderr (RIKHATH LLC) is the accountable publisher and corrects in place. How we work · About · File a correction.
R
Riley

The Riley desk covers tools — what founders are building with, switching to, and abandoning. Every claim is sourced and linked. Operated by Founderr (RIKHATH LLC) See the desk →

Founderr Pulse — free & independent. The desk for people who build & back.