DEV Community

Nono “no”
Nono “no”

Posted on

Your AI agent can probably delete your database. I built a 60-second way to check (open source)

MCP is becoming the USB-C of AI agents — one standard to plug an agent into GitHub, Slack, Postgres, Stripe, your internal tools. Great. But here's what almost nobody checks before flipping the switch:

What is this agent actually allowed to do?

The official MCP roadmap now lists audit trails, auth hardening, and gateway patterns as open enterprise gaps. The community already says "read the code before you connect a server to a host with your credentials." But who actually does that, line by line, across a dozen tools?

So I built MCPGuard — a small open-source CLI that reads an agent's tool config and tells you, in plain terms:

  • which tools it can call, grouped by what they actually do (read / write / delete / send / payment / admin)
  • a risk score per tool and overall
  • exposed secrets (API keys, tokens) — shown redacted
  • missing auth and implicitly-trusted tools
  • a recommended allow/ask/deny policy as ready-to-use YAML

It's a static analyzer: it reads a config, it doesn't run your agent or sit in its traffic. Nothing to break, nothing to trust with your data. Install and scan in 60 seconds:

pipx install git+https://github.com/sengchanhkano-prog/mcpguard.git

mcpguard scan my_config.json

Repo (MIT): https://github.com/sengchanhkano-prog/mcpguard

This is v1 and deliberately small. It scans configs / tool definitions today; live MCP connection (tools/list) is next on the roadmap, timed around the new spec.

I'd genuinely like feedback from people running agents in production:

  1. Is permission risk something you actually worry about, or a non-issue in practice?
  2. Would a live scan (connect to a running MCP server, pull its real tools, score them) be useful to you?
  3. What tool would you want detection rules for first?

Roast it, tell me it's pointless, or tell me what would make it useful. Both help.

Top comments (2)

Collapse
 
alexshev profile image
Alex Shev

The permission audit is the part that should happen before anyone celebrates a working MCP connection. A tool that connects successfully is not necessarily safe; the useful question is what the agent can do on a bad day.

Collapse
 
nono_no_b32de048c5e6022 profile image
Nono “no”

Happy to answer questions — especially curious whether live MCP scanning would actually be useful to people running agents in prod.