Scan your MCP stack

What MCP servers are wired into a repo or config — and what public signal exists for each one? Point at a public GitHub repo or paste a config. We resolve every server to its canonical identity and report what we observe. We never name a verdict, store your input, or read env values.

Your .mcp.json, claude_desktop_config.json, .cursor/mcp.json, etc. It is parsed in-request for server identity only — nothing is stored, and env values are never read.

Findings are observations, not endorsements: we say "observed", "unclaimed", "no SECURITY.md observed", never "safe" or "verified". Methodology.
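To show what parsing a config "for server identity only" can look like, here is an added sketch. It is not this service's code. The function names, the `npm:`/`pypi:`/`remote:`/`local:` identity strings and the launcher heuristic are assumptions made for illustration, and the sample config is constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption: these launchers take the package to run as their first non-flag argument.
LAUNCHERS = {"npx": "npm", "bunx": "npm", "uvx": "pypi"}

def server_identity(entry):
    """Identify one server from command/args/url only; "env" and "headers" are never accessed."""
    if not isinstance(entry, dict):
        return "unresolved:malformed-entry"
    url = entry.get("url")
    if isinstance(url, str):
        parts = urlsplit(url)
        host = parts.netloc.rsplit("@", 1)[-1]  # drop userinfo (user:password@)
        return f"remote:{parts.scheme}://{host}{parts.path}"  # query and fragment dropped
    command = entry.get("command")
    if not isinstance(command, str):
        return "unresolved:no-command"
    launcher = command.replace("\\", "/").rsplit("/", 1)[-1]
    ecosystem = LAUNCHERS.get(launcher)
    if ecosystem is None:
        return f"local:{launcher}"  # arguments are not inspected at all
    args = entry.get("args")
    for arg in args if isinstance(args, list) else []:
        if isinstance(arg, str) and not arg.startswith("-"):
            return f"{ecosystem}:{arg}"  # stop here: later args may carry tokens
    return f"unresolved:{launcher}"

def scan_config(text):
    """Map each server name under "mcpServers" to its identity string."""
    doc = json.loads(text)
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return {}
    return {name: server_identity(entry) for name, entry in servers.items()}

# Constructed sample config; every secret-looking value is a placeholder.
SAMPLE = """{
  "mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
    "search": {"command": "uvx", "args": ["example-search-mcp", "--api-key", "CONSTRUCTED-SECRET"],
               "env": {"TOKEN": "CONSTRUCTED-SECRET"}},
    "hosted": {"url": "https://user:CONSTRUCTED-SECRET@mcp.example.com/sse?key=CONSTRUCTED-SECRET"},
    "custom": {"command": "/opt/tools/my-server", "args": ["--port", "9000"]}
  }
}"""

if __name__ == "__main__":
    for name, identity in scan_config(SAMPLE).items():
        print(f"{name}: {identity}")
```

The sample places credentials in `args` and in a URL as well as in `env`, so skipping `env` alone would not keep them out of the result; the sketch also discards trailing arguments, URL userinfo and the query string.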