MCP is becoming the USB-C of AI agents — one standard to plug an agent into GitHub, Slack, Postgres, Stripe, your internal tools. Great. But here's what almost nobody checks before flipping the switch:
What is this agent actually allowed to do?
The official MCP roadmap now lists audit trails, auth hardening, and gateway patterns as open enterprise gaps. The community already says "read the code before you connect a server to a host with your credentials." But who actually does that, line by line, across a dozen tools?
So I built MCPGuard — a small open-source CLI that reads an agent's tool config and tells you, in plain terms:
- which tools it can call, grouped by what they actually do (read / write / delete / send / payment / admin)
- a risk score per tool and overall
- exposed secrets (API keys, tokens) — shown redacted
- missing auth and implicitly-trusted tools
- a recommended allow/ask/deny policy as ready-to-use YAML
It's a static analyzer: it reads a config, it doesn't run your agent or sit in its traffic. Nothing to break, nothing to trust with your data. Install and scan in 60 seconds:
pipx install git+https://github.com/sengchanhkano-prog/mcpguard.git
mcpguard scan my_config.json
Repo (MIT): https://github.com/sengchanhkano-prog/mcpguard
This is v1 and deliberately small. It scans configs / tool definitions today; live MCP connection (tools/list) is next on the roadmap, timed around the new spec.
I'd genuinely like feedback from people running agents in production:
- Is permission risk something you actually worry about, or a non-issue in practice?
- Would a live scan (connect to a running MCP server, pull its real tools, score them) be useful to you?
- What tool would you want detection rules for first?
Roast it, tell me it's pointless, or tell me what would make it useful. Both help.
Top comments (2)
The permission audit is the part that should happen before anyone celebrates a working MCP connection. A tool that connects successfully is not necessarily safe; the useful question is what the agent can do on a bad day.
Happy to answer questions — especially curious whether live MCP scanning would actually be useful to people running agents in prod.