MCP tools/list Health Report

A focused pre-launch check for MCP servers whose tool metadata looks valid but fails once an LLM starts generating arguments. It catches empty schemas, schema-injection strings, missing review metadata, and `$defs` / `$ref` shapes that some clients do not dereference.

Run free browser check Read sample report Buy $25 MCP report Check review scope
AI Agent Launch Pack preview

The concrete failure this catches

Several MCP client paths can receive a valid server-side JSON Schema and still hand the model an incomplete or degraded tool contract.

Common symptom

A structured object parameter is described through `$defs` / `$ref`, but the model sees an opaque field and sends a JSON string. Runtime validation then rejects the call as the wrong type.

inputSchema.properties.parent.$ref code: input_schema_local_ref gate: ask before first invocation

What the report flags

Schema drift

Missing `inputSchema`, empty schemas, object schemas without properties, missing `required` arrays, and undocumented parameters.

`$ref` risk

Local and external JSON Schema refs that may need inlining before the schema reaches an LLM tool adapter.

Approval evidence

Allow / ask / deny defaults, policy keys, metadata digests, changed-tool review, and a Codex config review snippet.

Run it without sending data anywhere

The browser importer runs client-side. The CLI reads a redacted `tools/list` JSON file and never invokes MCP tools.

CLI check
npx --yes --package github:kayalopez/ai-agent-launch-tools#v0.1.18 mcp-permission-matrix --file tools-list.json --json

Use redacted metadata only. Do not include secrets, customer records, cookies, private screenshots, payment details, OAuth tokens, or full transaction identifiers.

When to buy the report

The free check is enough for quick triage. The paid report is for turning one redacted `tools/list` schema into a concise compatibility handoff with findings, client-risk notes, and regression checks.

Buy ifYou have one redacted MCP `tools/list` result and need a 24-hour compatibility report before approving or exposing the tools.
Do not buy ifYou need legal advice, compliance certification, penetration testing, incident response, deep source-code review, or multiple workflows.
Scope ruleOne workflow or one tools/list schema, no secrets, no real customer records, and no private payment or account data in the intake.
Buy $25 MCP report Read sample report Check scope fit

Launch boundary

  • This is a planning and review aid, not a guarantee that a server or agent is safe.
  • New or changed tools should re-enter review when their metadata digest changes.
  • Mutating, financial, credential, identity, messaging, deployment, and destructive tools should stay in ask or deny until explicit launch evidence exists.