See your agent's blast radius.
Paste your mcp.json and see what your agent can actually do: which tools can take irreversible actions, which send data off your machine, and how many contracts are unpinned and free to change under you.
It runs entirely in your browser. Your config is read locally and never uploaded - which matters, because that file holds your tokens.
Drag your mcp.json here, or . It is read in your browser and never uploaded.
Where's my file?
paths vary by version; open the file and drag or paste it above
unpinned = not yet watched for drift. a fresh scan pins nothing, so this equals your tool count until the gate is installed - it is a state, not a finding.
10 unpinned contracts.This is Monday's picture. Any of these tools can change what it declares between runs, with nothing in your repo to diff. mcpindex pins each contract and HOLDs the call when it drifts.
deterministic contract-diff, not a safety verdict · fails open · advisory
| tool | action | effect | reversibility | egress |
|---|---|---|---|---|
| read_file | read | read-only | reversible | · |
| list_directory | list | read-only | reversible | · |
| search_docs | search | read-only | reversible | · |
| postgres_query | search | writes locally | reversible | internal |
| write_file | write | writes locally | hard to reverse | internal |
| update_recordannotation says read-only; schema exposes write/delete parameters | update | writes locally | hard to reverse | internal |
| slack_send_message | send | sends outbound | hard to reverse | off-machine |
| delete_filedestructive with no obvious undo path | delete | destructive | irreversible | internal |
| stripe_create_chargedestructive with no obvious undo path | write | destructive | irreversible | internal |
| run_commanddestructive with no obvious undo path | execute | destructive | irreversible | internal |
counts only - no tool names or schemas are in the link
- Deterministic, not a verdict.Every label is a fact read off the declared contract (schema, name, annotations) - action type, side effect, reversibility, egress. It never says a tool is “safe” or “unsafe.”
- It's Monday's snapshot.A scan shows what your tools declare right now. It does not run them, and it can't catch a live server that changes what it does after you look. Watching for that change over time is what the gate does.
- Nothing leaves your browser. No upload, no account, no logging of your config. The share card carries counts only - never tool names or schemas. See privacy.
- Local servers stay coarse.A browser can't reach a local (stdio) server, so those show a server-level read; paste a
tools/listdump for the full per-tool blast radius.
Looking to check a single tool's description for hidden instructions instead? Screen a tool →