Add mcpindex to your agent.
The gate is the product. It sits in the path of every MCP tool call and runs a deterministic contract-diff, so a server that changed since you approved it can't change your agent silently. Start there. If you just want to look first, there is a zero-install path too.
The one-liner installs the gate and wires your MCP hosts to route tool calls through it. Prefer to install the binary yourself? Use uv or pip below.
Installs the gate and wires your MCP hosts to route tool calls through it. Restarts the host after wiring.
curl -fsSL https://mcpindex.ai/install.sh | shRather read it first? curl -fsSL https://mcpindex.ai/install.sh | less pipes the script to your pager. uninstall.sh restores the original config.
Install the binary yourself, then run the wiring wizard. No pipe-to-shell.
uv tool install mcpindex-gateSame binary from PyPI if you would rather not add uv.
pip install mcpindex-gatenpm i @mcp-index/sdk
// then, in your server:
import { wrap, PreflightPin } from "@mcp-index/sdk";
const guarded = wrap(session, { pin: new PreflightPin(), serverId: "your-server" });Python and per-client wiring detail: the gate docs.
What the gate does: it diffs each tool's contract against the version you last saw and flags the change. It reports changes; it does not vouch that a server is safe, and it never asks for a credential.
Not ready to wire the gate in? Scan your mcp.json to see the blast radius in your browser (nothing is uploaded), or add the advisory directory server to your agent below.
Add the directory server to your agent
Find MCP servers by task and get advisory screens (check_tool_trust, assess_server) inside your agent. This is the advisory directory client, not the gate.
One click adds the advisory directory server to that host. Every other host: pick it below.
Paste and run, then restart the client.
claude mcp add --scope user mcpindex -- npx -y mcp-server-mcpindex@latest| Surface | Method | Command |
|---|---|---|
| Gate (in-path) | Install script | curl -fsSL https://mcpindex.ai/install.sh | sh |
| Gate (in-path) | uv | uv tool install mcpindex-gate |
| Gate (in-path) | pip | pip install mcpindex-gate |
| Gate (in-path) | SDK (TypeScript) | npm i @mcp-index/sdk |
| Directory (advisory) | npx | npx -y mcp-server-mcpindex@latest |
| Directory (advisory) | Claude Code | claude mcp add --scope user mcpindex -- npx -y mcp-server-mcpindex@latest |
| Directory (advisory) | Gemini CLI | gemini mcp add -s user mcpindex npx -y mcp-server-mcpindex@latest |
| Directory (advisory) | MCP Registry | io.github.gautamgb/mcp-server-mcpindex |
| Directory (advisory) | Docker | docker mcp gateway run # image mcp/mcpindexImage build/sign under review (docker/mcp-registry#4441). |
| Web (no install) | Scan your config | https://mcpindex.ai/scan |
| Web (no install) | Screen a server | https://mcpindex.ai/screen |
Also listed on the Official MCP Registry as io.github.gautamgb/mcp-server-mcpindex, and on Glama.
- The gate is in-path and deterministic.
- It diffs contracts and flags changes on the call. It is not a safety verdict, an antivirus, or a guarantee that a server is trustworthy.
- The directory server is advisory.
- Its screens run
calibrated=falseand it never sits in your call path. Treat its verdicts as a second opinion, not a gate. - Zero credentials.
- Nothing here asks for an API key or a token. The gate runs locally; the scanner runs in your browser.