Vet an MCP server before you install it

What you'll have · ~3 min

A clear read on any MCP server before you wire it: what your agent could do with it, whether its description hides anything, and where it sits in the directory.

A directory listing tells you a server exists. It does not tell you what that server could do inside your agent, or whether its tool descriptions carry instructions you did not intend to run. These three checks take a couple of minutes and run before anything touches your machine.

  1. 01

    Map the blast radius of your config#

    Paste your mcp.json (or a tools list) and see, per tool, the action type, side effect, reversibility, and whether it egresses off-machine. This runs entirely in your browser; your config is parsed locally and never uploaded.

    /scan

    Drag your mcp.json here, or . It is read in your browser and never uploaded.

    try
    Where's my file?
    ~/Library/Application Support/Claude/claude_desktop_config.json

    paths vary by version; open the file and drag or paste it above

    sample data - drag your own config to scan it
    10
    tools your agent can call
    3
    can't be undone
    1
    send data off-machine
    10
    unpinned contracts

    unpinned = not yet watched for drift. a fresh scan pins nothing, so this equals your tool count until the gate is installed - it is a state, not a finding.

    10 unpinned contracts.This is Monday's picture. Any of these tools can change what it declares between runs, with nothing in your repo to diff. mcpindex pins each contract and HOLDs the call when it drifts.

    see a HOLD →

    deterministic contract-diff, not a safety verdict · fails open · advisory

    toolactioneffectreversibilityegress
    read_filereadread-onlyreversible·
    list_directorylistread-onlyreversible·
    search_docssearchread-onlyreversible·
    postgres_querysearchwrites locallyreversibleinternal
    write_filewritewrites locallyhard to reverseinternal
    update_recordannotation says read-only; schema exposes write/delete parametersupdatewrites locallyhard to reverseinternal
    slack_send_messagesendsends outboundhard to reverseoff-machine
    delete_filedestructive with no obvious undo pathdeletedestructiveirreversibleinternal
    stripe_create_chargedestructive with no obvious undo pathwritedestructiveirreversibleinternal
    run_commanddestructive with no obvious undo pathexecutedestructiveirreversibleinternal
    share these numbers
    mcpindex scan: 10 tools, 3 irreversible, 1 off-machine, 10 unpinned

    counts only - no tool names or schemas are in the link

  2. 02

    Screen a tool's description#

    A tool description is text your agent reads like a system prompt. The screen is an advisory, semantic-only read that flags hidden instructions or exfiltration wording and highlights the exact line. It is a judgment, not a safety verdict.

    Screen a tool descriptionthe exact line it flags, and the REVIEW or UNVERIFIED label. The screen is advisory (semantic-only); it does not clear a tool as safe.

  3. 03

    Read the directory trust panel#

    The directory carries a quality score and a trust verdict for each listed server. Both are advisory and fail-closed: an absent verdict shows as UNVERIFIED rather than a pass.

    HOLDgate, in-path

    the live contract differs from what you pinned; the call is paused before your agent acts.

    PROCEEDgate, in-path

    no breaking difference (a benign added-optional field can pass); the call goes through.

    REVIEWdirectory screen

    an advisory, semantic-only read flagged something to look at before you wire the tool.

    UNVERIFIEDdirectory screen

    no verdict on file yet; the directory is not asserting anything about it.

  4. 04

    Compare across the directory#

    The maturity rankings put quality and the verdict side by side across servers, so you can see where a candidate sits rather than reading it in isolation.

    Open the maturity rankingsthe quality score column next to the verdict column. Higher quality is not a safety guarantee; it is how complete and consistent the listing is.

  5. 05

    Add the directory client to your host (optional)#

    If you want search and screening from inside your agent, add the advisory directory server. Pick your host and it shows only your command or config. This is the directory client, not the in-path gate.

    Your host

    Paste and run, then restart the host.

    claude mcp add --scope user mcpindex -- npx -y mcp-server-mcpindex@latest

    This adds the advisory directory server (a normal MCP server for search and screening). It is not the in-path gate.

NextInstall the gate and watch your first HOLD
Questions
Does screening an MCP server tell me it is safe?
No. The screen is advisory and semantic-only: it reads the tool description for hidden instructions or exfiltration wording and returns REVIEW or UNVERIFIED. It never returns a safe/cleared verdict, because a description read cannot prove runtime behavior.
Is my mcp.json uploaded when I scan it?
No. The scan parses and grades your config entirely in the browser using a vendored classifier. Nothing is sent to a server.