Scan

See your agent's blast radius.

Paste your mcp.json and see what your agent can actually do: which tools can take irreversible actions, which send data off your machine, and how many contracts are unpinned and free to change under you.

It runs entirely in your browser. Your config is read locally and never uploaded - which matters, because that file holds your tokens.

/scan

Drag your mcp.json here, or . It is read in your browser and never uploaded.

try
Where's my file?
~/Library/Application Support/Claude/claude_desktop_config.json

paths vary by version; open the file and drag or paste it above

sample data - drag your own config to scan it
10
tools your agent can call
3
can't be undone
1
send data off-machine
10
unpinned contracts

unpinned = not yet watched for drift. a fresh scan pins nothing, so this equals your tool count until the gate is installed - it is a state, not a finding.

10 unpinned contracts.This is Monday's picture. Any of these tools can change what it declares between runs, with nothing in your repo to diff. mcpindex pins each contract and HOLDs the call when it drifts.

see a HOLD →

deterministic contract-diff, not a safety verdict · fails open · advisory

toolactioneffectreversibilityegress
read_filereadread-onlyreversible·
list_directorylistread-onlyreversible·
search_docssearchread-onlyreversible·
postgres_querysearchwrites locallyreversibleinternal
write_filewritewrites locallyhard to reverseinternal
update_recordannotation says read-only; schema exposes write/delete parametersupdatewrites locallyhard to reverseinternal
slack_send_messagesendsends outboundhard to reverseoff-machine
delete_filedestructive with no obvious undo pathdeletedestructiveirreversibleinternal
stripe_create_chargedestructive with no obvious undo pathwritedestructiveirreversibleinternal
run_commanddestructive with no obvious undo pathexecutedestructiveirreversibleinternal
share these numbers
mcpindex scan: 10 tools, 3 irreversible, 1 off-machine, 10 unpinned

counts only - no tool names or schemas are in the link

What this is - and isn't
  • Deterministic, not a verdict.Every label is a fact read off the declared contract (schema, name, annotations) - action type, side effect, reversibility, egress. It never says a tool is “safe” or “unsafe.”
  • It's Monday's snapshot.A scan shows what your tools declare right now. It does not run them, and it can't catch a live server that changes what it does after you look. Watching for that change over time is what the gate does.
  • Nothing leaves your browser. No upload, no account, no logging of your config. The share card carries counts only - never tool names or schemas. See privacy.
  • Local servers stay coarse.A browser can't reach a local (stdio) server, so those show a server-level read; paste a tools/list dump for the full per-tool blast radius.

Looking to check a single tool's description for hidden instructions instead? Screen a tool →