Paste a Model Context Protocol server manifest or tool definition JSON to get a static, graded security report. It flags tool poisoning instructions hidden in descriptions, shell and command execution tools, over broad scopes, missing human in the loop on destructive actions, secrets left in the manifest, and untyped input schemas.
The Model Context Protocol, or MCP, lets an AI agent connect to external tools and data through servers. A server publishes a manifest that lists the tools it offers, each with a name, a natural language description, and an input schema, and the agent reads that manifest as trusted context when it decides what to call. That trust is the whole point of the protocol, and it is also where the risk lives. This tool parses a manifest you paste and lints the parts that shape how much an agent can do and how easily it can be steered. It is static analysis only and never connects to an MCP endpoint.
Because an agent reads a tool description as part of its instructions, a description can carry text aimed at the model instead of the human. Phrases like always do this first, ignore previous guidance, before using any other tool, or do not tell the user are imperative and out of place in what should be a neutral summary of what a tool does. This is prompt injection delivered through metadata, often called tool poisoning. The auditor flags instruction like language in descriptions and schema fields so a reviewer can read them closely. This maps to LLM01 Prompt Injection in the OWASP Top 10 for Large Language Model Applications.
A tool whose name or schema points at running commands, with words like exec, run, shell, command, eval, or subprocess, and that accepts a free form string argument, is a classic command injection surface. When an agent can be talked into passing attacker shaped input, a free form command string turns a helpful tool into remote code execution. The auditor surfaces these tools so you can confirm the server constrains what can actually run.
Wildcard permissions, filesystem root access, unrestricted network or fetch capability, and tools that can reach an arbitrary URL all grant an agent more reach than a single task needs. A tool that fetches any URL can be steered into a request to an internal address, the confused deputy and server side request forgery pattern seen through an agent. Broad capability is the core of LLM06 Excessive Agency: the more an agent can do, the more a single bad instruction can accomplish.
Tools that delete, write, send, transfer, pay, or email cause real side effects that cannot be undone by reading again. When a manifest offers such a tool with no sign of a confirmation or approval step, a single misjudged call by the agent does damage with no human in the loop. The auditor points these out so you can confirm the server or the host asks a person before the irreversible step.
The auditor also scans the manifest for embedded secrets like tokens, keys, and passwords that should never ship in a tool definition, for input schemas that accept arbitrary objects or unconstrained strings with no typing, and for tools whose described output looks like it returns credentials, environment variables, or full file contents. Each of these widens what an agent or an attacker can reach.
Each graded check contributes a weighted share of a score out of one hundred. A clean result earns its full weight, a partial concern earns part of it, and a clear problem earns none. The grade is a fast signal about the manifest as written, not a verdict on the server. This tool reads only the JSON you paste. It cannot see how a tool is implemented, what the server code does, or how the agent and the human interact at runtime, which is the kind of context an AI security testing approach reasons about rather than pattern matching one document. A clean report is a first pass, not a guarantee.