Transport shape
Checks local command and remote URL declarations plus structured argument arrays.
Configuration and security
Validate MCP server JSON for transports, HTTPS endpoints, command arguments, plaintext secrets, shell wrappers and stable server identity.
Analysis runs in this browser. No public result URL is generated, and exported reports omit the analyzed source.
Coverage
Checks local command and remote URL declarations plus structured argument arrays.
Finds likely secret values that should be replaced by environment or secret-store references.
Highlights shell wrappers that increase interpolation and command-injection risk.
Checks for stable server names and recommends descriptions and versions for reviewable manifests.
FAQ
No. It validates the supplied JSON locally. It does not launch commands, make network requests or enumerate tools.
The validator recognizes a common mcpServers map and a single server-shaped JSON object. Vendor-specific fields remain visible but may need separate validation.
Commands run through sh, bash, cmd or PowerShell have a wider parsing surface. A direct executable plus an argument array is usually easier to review and constrain.
No. Runtime tools, authorization, consent, rate limits, prompt-injection handling and data returned by the server must be tested separately.