MCP Config Risk Reviewer
Paste a redacted Claude Desktop-style MCP config and get a local BLOCK / CAUTION / REVIEW report before you install or approve a server. The review runs in this page only.
What this catches
- Startup risk: Shell wrappers, package runners, auto-confirm installs, and unpinned sources.
- Scope risk: Broad filesystem paths, remote URLs, and sensitive env key requirements.
- Review handoff: A shareable report shape that keeps real credentials and private endpoints out.
Paste redacted config JSON
Redact first. Do not paste live credentials, OAuth codes, cookies, private endpoints, customer records, payment data, private handles, full names, private dashboard screenshots, or transaction identifiers.
Local report
Click Review config to generate a report. This page does not use network requests, browser storage, or a backend.
How to use the result
- BLOCK means do not run the server until the startup command, URL, or sensitive value problem is fixed.
- CAUTION means review package source, version pinning, filesystem paths, or sensitive env key scope before first use.
- REVIEW still requires a `tools/list` metadata review after the server is connected.
- For changed tool metadata, use the `tools/list` importer so added or changed tools re-enter review.
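
The JavaScript below is an added example, not the code behind this page, showing how a local check of this kind can map a Claude Desktop-style `mcpServers` config to the BLOCK / CAUTION / REVIEW verdicts described above while keeping env values and URLs out of the report. The rule lists, the mapping of each finding to a verdict, the `url` field, and the sample server and package names are assumptions.

```javascript
// Added illustration: the rule set below is an assumption, not this page's own logic.
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"]);
const RUNNERS = new Set(["npx", "uvx", "bunx", "pipx"]);
const SENSITIVE_KEY = /(token|secret|password|passwd|api[_-]?key|credential)/i;
const REDACTED = /^(|<[^>]*>|\[?redacted\]?|x+|\*+|\$\{[^}]+\})$/i;
const BROAD_PATHS = new Set(["/", "~", "/home", "/Users", "C:\\", "C:/"]);
const RANK = { REVIEW: 0, CAUTION: 1, BLOCK: 2 };

function reviewServer(name, server) {
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });
  const cmd = String(server.command || "").split(/[\\/]/).pop().toLowerCase();
  const args = (server.args || []).map(String);
  if (SHELLS.has(cmd)) add("BLOCK", "shell wrapper as startup command");
  if (RUNNERS.has(cmd)) {
    if (args.some((a) => a === "-y" || a === "--yes")) add("CAUTION", "auto-confirm install");
    const pkg = args.find((a) => !a.startsWith("-"));
    // Pinned means an explicit version: name@1.2.3 (npm style) or name==1.2.3 (Python style).
    if (pkg && !/[^@]@\d+\.\d+\.\d+|==\d/.test(pkg)) add("CAUTION", `unpinned package: ${pkg}`);
  }
  for (const a of args) if (BROAD_PATHS.has(a)) add("CAUTION", `broad filesystem path: ${a}`);
  if (server.url) { // the URL itself is never copied into the report
    const tls = /^https:\/\//i.test(String(server.url));
    add(tls ? "CAUTION" : "BLOCK", tls ? "remote URL over https" : "remote URL without TLS");
  }
  for (const [key, value] of Object.entries(server.env || {})) {
    if (!SENSITIVE_KEY.test(key)) continue;
    if (REDACTED.test(String(value))) add("CAUTION", `sensitive env key required: ${key}`);
    else add("BLOCK", `unredacted value for ${key}`); // report the key name only, never the value
  }
  const verdict = findings.reduce((v, f) => (RANK[f.level] > RANK[v] ? f.level : v), "REVIEW");
  return { name, verdict, findings };
}

function reviewConfig(jsonText) {
  const servers = JSON.parse(jsonText).mcpServers || {};
  return Object.entries(servers).map(([name, s]) => reviewServer(name, s));
}

// Constructed sample input (hypothetical server and package names).
const SAMPLE = JSON.stringify({ mcpServers: {
  files: { command: "npx", args: ["-y", "@example/fs-server", "/"] },
  notes: { command: "node", args: ["./notes-server.js"] },
  wrapped: { command: "bash", args: ["-c", "run-server"], env: { API_TOKEN: "<REDACTED>" } },
}});
console.log(reviewConfig(SAMPLE).map((r) => `${r.verdict} ${r.name}: ${r.findings.length} finding(s)`));
```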