MCP Server✓ Certified

mcp-server-memory

Provides persistent knowledge graph storage for entities and relationships, enabling AI assistants to remember information about users across conversation sessions.

/ 100 · Grade B

B = 80–89

“I need to maintain persistent memory of entities, relationships, and observations across multiple conversation sessions so my AI assistant can remember important context about me and my interactions.”

memoryknowledge managementdata storagecontext preservationgraph database

Publisher: Model Context Protocol a Series of LF Projects, LLC.Version: 0.6.3Certified: Mar 29, 2026Expires: Mar 29, 2027Source ↗

mcp-server-memory earned Certified status with a trust score of 89/100 (Grade B). No adversarial findings — all attack patterns were handled gracefully. Supply chain contains 266 components with 17 known vulnerabilities. Security scan: clean.

Trust Score Breakdown

Eight weighted signals composing the aggregate trust score

security scan

100% × 15w

15.0

supply chain

0% × 10w

0.0

adversarial

100% × 25w

25.0

provenance

100% × 20w

20.0

consumer confirm

98% × 10w

9.8

behavioral pass

98% × 10w

9.8

contract accuracy

97% × 6w

5.8

uptime

100% × 4w

4.0

Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.

Findings

Security scan results, adversarial testing, and pipeline review

Security Scan — Cisco MCP Scanner

cisco-mcp-scannerSAFE

yarallmreadiness

critical: 0high: 0medium: 0low: 0

Live scan: completed · 0 findings · 10603ms

Code scan: completed · 0 findings · 4584ms

Adversarial Testing — 4 categories, 0 findings

prompt injection chainsdata exfiltration side channelscapability squattingcontext poisoning

No adversarial findings — all attack patterns handled gracefully.

Methodology v1.0 · 4 categories · ~55 attack patterns

OWASP MCP Top 10 Coverage

Evaluation activity mapped to the OWASP MCP Top 10 risk framework

MCP01✓ covered

Excessive Agency & Permissions

Cisco scanner behavioral analysis of permission scope

MCP02✓ covered

Unauthorized Data Access

Category 3 (data exfiltration) attack patterns

MCP03✓ covered

Tool Poisoning

Category 1 (prompt injection) and Category 5 (context poisoning) attack patterns

MCP04✓ covered

Supply Chain Vulnerabilities

SBOM generation (syft/cdxgen) and vulnerability scanning (grype/osv-scanner/npm audit)

MCP05✓ covered

Command Injection

Category 2 (privilege escalation) and Category 6 (repo config injection) attack patterns

MCP06✓ covered

Intent Subversion

Category 1 (prompt injection) and Category 4 (capability squatting) attack patterns

MCP07✓ covered

Insecure Data Handling

Cisco scanner data flow and sensitive data handling analysis

MCP08— gap

Insufficient Logging

Not directly tested — logging adequacy requires runtime observation beyond current pipeline scope

MCP09✓ covered

Resource Exhaustion

Resource profiling (CPU, memory) during functional and adversarial testing

MCP10✓ covered

Context Injection

Category 5 (context poisoning) attack patterns

OWASP MCP Top 10 (Beta) — owasp.org/www-project-mcp-top-10

Supply Chain

SBOM analysis and vulnerability assessment

Components

266

Direct deps

Transitive deps

265

Total vulns

Vulnerability breakdown

critical: 0high: 8medium: 0low: 9

Format: CycloneDX 1.5 · Generated: Mar 29, 2026

Behavioral Fingerprint

Runtime performance baseline for drift detection

Samples

136

Error rate

0.0%

Peak memory

70.4 MB

Avg CPU

0.08%

Response time distribution

p50: 2msp95: 4msp99: 8ms

Output size distribution

p50: 73 Bp95: 1.3 KBmean: 274 B

Per-tool performance

Tool	p50	p95	Error rate	Samples
open_nodes	2ms	4ms	0.0%	12
read_graph	2ms	3ms	0.0%	6
search_nodes	1ms	3ms	0.0%	42
create_entities	2ms	8ms	0.0%	14
delete_entities	2ms	3ms	0.0%	13
add_observations	1ms	3ms	0.0%	12
create_relations	2ms	10ms	0.0%	13
delete_relations	2ms	3ms	0.0%	12
delete_observations	2ms	3ms	0.0%	12

Fingerprint v1.0 · Baseline: Mar 29, 2026 · Status: baseline

Interface

Enumerated tools, resources, and prompts

Tools (9)

create_entities

Create multiple new entities in the knowledge graph

create_relations

Create multiple new relations between entities in the knowledge graph. Relations should be in active voice

add_observations

Add new observations to existing entities in the knowledge graph

delete_entities

Delete multiple entities and their associated relations from the knowledge graph

delete_observations

Delete specific observations from entities in the knowledge graph

delete_relations

Delete multiple relations from the knowledge graph

read_graph

Read the entire knowledge graph

search_nodes

Search for nodes in the knowledge graph based on a query

open_nodes

Open specific nodes in the knowledge graph by their names

Transport: stdio

Scope & Permissions

What this capability can and cannot access — derived from pipeline analysis

⚠creates files

yes

⚠deletes files

yes

⚠modifies files

yes

⚠accesses env variables

yes

✓invokes external tools

✓makes network requests

Side effects

May modify files on disk

May create new files or directories

May delete files or directories

Accesses environment variables

Behavioral Guarantees

Claims extracted from publisher documentation — each tagged with provenance

Implements persistent memory using a local knowledge graph

author

Lets Claude remember information about the user across chats

author

Creates entities with unique names, entity types, and observations

author

Creates directed relations between entities stored in active voice

author

Stores observations as strings attached to specific entities

author

Ignores entities with existing names when creating new entities

author

Skips duplicate relations when creating new relations

author

Returns added observations per entity when adding observations

author

Performs cascading deletion of associated relations when deleting entities

author

Operates silently if entity doesn't exist when deleting entities

author

Operates silently if observation doesn't exist when deleting observations

author

Operates silently if relation doesn't exist when deleting relations

author

Returns complete graph structure with all entities and relations when reading graph

author

Searches across entity names, entity types, and observation content

author

Returns matching entities and their relations when searching nodes

author

Returns requested entities and relations between requested entities when opening nodes

author

Silently skips non-existent nodes when opening nodes

author

Stores data in JSONL file format

author

Known failure modes

Fails if entity doesn't exist when adding observations

Prior mcp/memory volume contains an index.js file that could be overwritten by the new container

Old docker volume's index.js file should be deleted before starting the new container

Sources: author, protocol

Badge & Integration

Embed certification status in your README, docs, or CI pipeline

badge SVG →attestation API →integration guide →

Certification Notes

Provenance observations from the pipeline

publisher

Publisher "Model Context Protocol a Series of LF Projects, LLC." is not verified — first certification from this publisher

provenance

Single contributor — no peer review evidence in commit history

provenance

Repository is 11 days old — recently created

Signed Artifact

Certification provenance and verification metadata

Content hashsha256:012b2d84f04590ff685fa6d67bc18351f7fb618b027e0cb1eb9d7fe86c764dd9

Key IDkms-9db4ed3b9f53

CertifiedMar 29, 2026

ExpiresMar 29, 2027

Pipeline version1.0

Statusvalid

download .cert.json →download annotated file →

Pipeline Artifacts

Raw data files from this certification run — downloadable for independent verification

contract.json

Full unsigned contract

↓

stage1-ingest.json

Ingest stage output

↓

stage2a-sbom.json

SBOM generation results

↓

stage2a-vulns.json

Vulnerability scan results

↓

stage2b-security.json

Security scan results

↓

stage3a-functional.json

Functional test results

↓

stage3b-adversarial.json

Adversarial test results

↓

stage3c-fingerprint.json

Behavioral fingerprint

↓

stage4-certify.json

Certification decision + trust score

↓

stage3a-measurements.json

Raw functional test measurements

↓

stage3b-measurements.json

Raw adversarial test measurements

↓

run-log.json

Pipeline execution log

↓

Not all files may be present for every certification.