Vet an MCP server before you install it
A clear read on any MCP server before you wire it: what your agent could do with it, whether its description hides anything, and where it sits in the directory.
A directory listing tells you a server exists. It does not tell you what that server could do inside your agent, or whether its tool descriptions carry instructions you did not intend to run. These three checks take a couple of minutes and run before anything touches your machine.
- 01
Map the blast radius of your config#
Paste your mcp.json (or a tools list) and see, per tool, the action type, side effect, reversibility, and whether it egresses off-machine. This runs entirely in your browser; your config is parsed locally and never uploaded.
/scanruns in your browser · nothing uploadedDrag your
mcp.jsonhere, or . It is read in your browser and never uploaded.tryWhere's my file?
~/Library/Application Support/Claude/claude_desktop_config.jsonpaths vary by version; open the file and drag or paste it above
sample data - drag your own config to scan it10tools your agent can call3can't be undone1send data off-machine10unpinned contractsunpinned = not yet watched for drift. a fresh scan pins nothing, so this equals your tool count until the gate is installed - it is a state, not a finding.
10 unpinned contracts.This is Monday's picture. Any of these tools can change what it declares between runs, with nothing in your repo to diff. mcpindex pins each contract and HOLDs the call when it drifts.
deterministic contract-diff, not a safety verdict · fails open · advisory
tool action effect reversibility egress read_file read read-only reversible · list_directory list read-only reversible · search_docs search read-only reversible · postgres_query search writes locally reversible internal write_file write writes locally hard to reverse internal update_recordannotation says read-only; schema exposes write/delete parameters update writes locally hard to reverse internal slack_send_message send sends outbound hard to reverse off-machine delete_filedestructive with no obvious undo path delete destructive irreversible internal stripe_create_chargedestructive with no obvious undo path write destructive irreversible internal run_commanddestructive with no obvious undo path execute destructive irreversible internal share these numberscounts only - no tool names or schemas are in the link
- 02
Screen a tool's description#
A tool description is text your agent reads like a system prompt. The screen is an advisory, semantic-only read that flags hidden instructions or exfiltration wording and highlights the exact line. It is a judgment, not a safety verdict.
Screen a tool description — the exact line it flags, and the REVIEW or UNVERIFIED label. The screen is advisory (semantic-only); it does not clear a tool as safe.
- 03
Read the directory trust panel#
The directory carries a quality score and a trust verdict for each listed server. Both are advisory and fail-closed: an absent verdict shows as UNVERIFIED rather than a pass.
HOLDgate, in-paththe live contract differs from what you pinned; the call is paused before your agent acts.
PROCEEDgate, in-pathno breaking difference (a benign added-optional field can pass); the call goes through.
REVIEWdirectory screenan advisory, semantic-only read flagged something to look at before you wire the tool.
UNVERIFIEDdirectory screenno verdict on file yet; the directory is not asserting anything about it.
- 04
Compare across the directory#
The maturity rankings put quality and the verdict side by side across servers, so you can see where a candidate sits rather than reading it in isolation.
Open the maturity rankings — the quality score column next to the verdict column. Higher quality is not a safety guarantee; it is how complete and consistent the listing is.
- 05
Add the directory client to your host (optional)#
If you want search and screening from inside your agent, add the advisory directory server. Pick your host and it shows only your command or config. This is the directory client, not the in-path gate.
Your hostPaste and run, then restart the host.
claude mcp add --scope user mcpindex -- npx -y mcp-server-mcpindex@latestThis adds the advisory directory server (a normal MCP server for search and screening). It is not the in-path gate.
- Does screening an MCP server tell me it is safe?
- No. The screen is advisory and semantic-only: it reads the tool description for hidden instructions or exfiltration wording and returns REVIEW or UNVERIFIED. It never returns a safe/cleared verdict, because a description read cannot prove runtime behavior.
- Is my mcp.json uploaded when I scan it?
- No. The scan parses and grades your config entirely in the browser using a vendored classifier. Nothing is sent to a server.