Hi from Anthropic, we are reviewing your MCP server for inclusion in the MCP directory, and noticed a few issues that need to be addressed.
Required Changes
1. Tool Annotations Missing
Issue: All 14 tools are missing required MCP tool annotations.
Why this matters: Tool annotations indicate whether tools are read-only or destructive. This helps Claude understand which tools are safe to call without user confirmation.
Affected tools: tests, list_test_entities, controls, list_control_tests, list_control_documents, documents, document_resources, integrations, integration_resources, frameworks, list_framework_controls, people, risks, vulnerabilities
Reference: https://modelcontextprotocol.io/specification/2025-06-18/schema#toolannotations
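The security-relevant part of this item is what a client assumes when annotations are absent: the schema gives readOnlyHint a default of false and destructiveHint a default of true, so an unannotated tool is treated as a potentially destructive write. The block below is an added example, not code from the Vanta MCP server or from the MCP SDK. It spells out the ToolAnnotations fields with those defaults, builds annotated definitions for the 14 tool names listed in this review (their descriptions and the read-only classification given to them are assumptions), and provides an audit function a maintainer can run over the tool list before resubmitting.

```typescript
// Added example, not code from the Vanta MCP server or the MCP SDK.
// Field names and defaults follow the MCP 2025-06-18 ToolAnnotations schema.
interface ToolAnnotations {
  title?: string;
  readOnlyHint?: boolean;    // default false: tool may modify its environment
  destructiveHint?: boolean; // default true: writes may be destructive (only meaningful when not read-only)
  idempotentHint?: boolean;  // default false: repeated calls may have additional effect
  openWorldHint?: boolean;   // default true: tool interacts with external entities
}

interface ToolDefinition {
  name: string;
  description: string;
  inputSchema: { type: "object"; properties?: Record<string, unknown> };
  annotations?: ToolAnnotations;
}

type Classification = "read-only" | "non-destructive write" | "destructive";

// Apply the spec defaults so the result is what a client will assume about the tool.
function classifyTool(tool: ToolDefinition): Classification {
  const a = tool.annotations ?? {};
  if (a.readOnlyHint === true) return "read-only";
  if (a.destructiveHint === false) return "non-destructive write";
  return "destructive"; // an unset destructiveHint defaults to true
}

// Assumption: every tool named in the review only reads from the Vanta API,
// so each one is declared read-only, idempotent and open-world.
function readOnlyTool(name: string, description: string): ToolDefinition {
  return {
    name,
    description,
    inputSchema: { type: "object", properties: {} },
    annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },
  };
}

// Tool names taken from the review; descriptions are constructed placeholders.
const annotatedTools: ToolDefinition[] = [
  "tests", "list_test_entities", "controls", "list_control_tests",
  "list_control_documents", "documents", "document_resources", "integrations",
  "integration_resources", "frameworks", "list_framework_controls", "people",
  "risks", "vulnerabilities",
].map((n) => readOnlyTool(n, `Read ${n.replace(/_/g, " ")} from Vanta (assumed description)`));

// Pre-submission audit: which tools carry no annotations at all, and which
// tools a client applying the defaults would treat as destructive.
function auditAnnotations(tools: ToolDefinition[]): { missing: string[]; treatedAsDestructive: string[] } {
  const missing = tools.filter((t) => t.annotations === undefined).map((t) => t.name);
  const treatedAsDestructive = tools.filter((t) => classifyTool(t) === "destructive").map((t) => t.name);
  return { missing, treatedAsDestructive };
}

// Usage: an empty `missing` list is the state the review asks for.
console.log(auditAnnotations(annotatedTools));
```

The audit deliberately reports the effective classification rather than only the presence of the annotations object: a tool that sets openWorldHint but leaves readOnlyHint unset still ends up in the "destructive" bucket, which is exactly the case that causes a client to ask for confirmation on every call.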
2. Privacy Policy Reference Missing
Issue: Server collects sensitive enterprise compliance data but does not reference a privacy policy in the documentation.
Data accessed: Security test results, control implementation details, vulnerability information (CVEs, severity, affected assets), personnel data (names, emails, roles), integration metadata, framework compliance metrics, and risk scenarios.
Requirement: Add a privacy policy section to your documentation explaining data access, OAuth token handling, data retention policies, and user data rights.
3. Manifest Configuration Mismatch
Issue: Mismatch between manifest.json and server code will cause runtime failure.
Details:
- Manifest.json specifies: `VANTA_CLIENT_ID` and `VANTA_CLIENT_SECRET` environment variables
- Server code requires: `VANTA_ENV_FILE` environment variable (see src/auth.ts:32-34)
Impact: Users following the manifest configuration will encounter runtime error: "VANTA_ENV_FILE environment variable is required"
Requirement: The manifest configuration must match the authentication mechanism implemented in the server code.
Reference: https://github.com/anthropics/mcpb/blob/main/MANIFEST.md
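A mismatch of this kind is easy to catch mechanically: the manifest declares which variables the host will inject, and the server source shows which variables it reads. The block below is an added example, not the project's own code. It embeds a constructed manifest.json and a constructed stand-in for src/auth.ts that reproduce the mismatch described above, then compares the two sets of variable names. The manifest layout (server.mcp_config.env populated from user_config entries via template references) follows the mcpb MANIFEST.md conventions as I understand them and is an assumption; the variable names are the ones named in this review.

```typescript
// Added example, not code from the Vanta MCP server or from mcpb.
// Constructed manifest mirroring the review: the host injects client ID/secret.
// Layout of server.mcp_config.env and user_config is an assumption about mcpb's format.
const manifestJson = `{
  "manifest_version": "0.2",
  "name": "vanta-mcp-server",
  "version": "1.0.0",
  "server": {
    "type": "node",
    "entry_point": "dist/index.js",
    "mcp_config": {
      "command": "node",
      "args": ["\${__dirname}/dist/index.js"],
      "env": {
        "VANTA_CLIENT_ID": "\${user_config.client_id}",
        "VANTA_CLIENT_SECRET": "\${user_config.client_secret}"
      }
    }
  },
  "user_config": {
    "client_id": { "type": "string", "title": "Client ID", "sensitive": true, "required": true },
    "client_secret": { "type": "string", "title": "Client secret", "sensitive": true, "required": true }
  }
}`;

// Constructed stand-in for src/auth.ts as described in the review:
// the code insists on a different variable than the manifest provides.
const mismatchedAuthSource = `
const envFile = process.env.VANTA_ENV_FILE;
if (!envFile) {
  throw new Error("VANTA_ENV_FILE environment variable is required");
}
`;

// Constructed source that agrees with the manifest (hypothetical fix, not the project's).
const consistentAuthSource = `
const clientId = process.env.VANTA_CLIENT_ID;
const clientSecret = process.env["VANTA_CLIENT_SECRET"];
if (!clientId || !clientSecret) {
  throw new Error("VANTA_CLIENT_ID and VANTA_CLIENT_SECRET are required");
}
`;

// Variables the manifest promises to set for the server process.
function manifestEnvVars(manifest: string): Set<string> {
  const parsed = JSON.parse(manifest);
  const env = parsed?.server?.mcp_config?.env ?? {};
  return new Set(Object.keys(env));
}

// Variables the source reads, in either process.env.FOO or process.env["FOO"] form.
function sourceEnvVars(src: string): Set<string> {
  const names = new Set<string>();
  const re = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*\])/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    names.add(m[1] !== undefined ? m[1] : m[2]);
  }
  return names;
}

interface EnvMismatch {
  readButNotProvided: string[]; // would produce the runtime error the review describes
  providedButNotRead: string[]; // secrets injected into the process that nothing uses
}

function checkEnvConsistency(manifest: string, src: string): EnvMismatch {
  const provided = manifestEnvVars(manifest);
  const read = sourceEnvVars(src);
  return {
    readButNotProvided: [...read].filter((n) => !provided.has(n)).sort(),
    providedButNotRead: [...provided].filter((n) => !read.has(n)).sort(),
  };
}

// Usage: both lists empty means the manifest and the auth code agree.
console.log(checkEnvConsistency(manifestJson, mismatchedAuthSource));
console.log(checkEnvConsistency(manifestJson, consistentAuthSource));
```

Both directions of the comparison matter. A variable that is read but not provided is the runtime failure described in the issue; a variable that is provided but never read means a sensitive value (the manifest marks both entries sensitive) is being handed to a process that has no use for it, which is worth removing before the bundle is published.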
4. Insufficient Usage Examples
Issue: README provides only 1 working example (minimum 3 required).
Requirement: Provide at least 3 working examples demonstrating different aspects of the server's capabilities.
Recommended Improvements
5. Repository Source Files
Observation: manifest.json and vanta_security_logo.png exist in the .mcpb bundle but not in the source repository, making bundle reproduction difficult.
Suggestion: Consider adding these files to the repository root.
Once these issues are addressed, please resubmit your MCP server and we will be happy to review your MCP server again.
— Bryan Thompson
MCP Review Team, Anthropic
bthompson@anthropic.com