MCPConfigCheck scans MCP server configs for supply chain risks
MCPConfigCheck is a free, client-side browser tool that analyzes `mcp.json` or `claude_desktop_config.json` files for known supply chain incidents, unpinned versions, hardcoded secrets, and other security risks.
Score breakdown
MCP server configs for widely used tools like Claude Desktop, Cursor, and VS Code have become an active supply chain attack surface — as demonstrated by the MCPoison and ContextCrush incidents — and MCPConfigCheck provides the first dedicated, zero-install scanner for these files.
- 01MCPConfigCheck is a client-side browser tool — no install, no signup, no network requests
- 02Checks configs against a catalog of disclosed MCP supply chain incidents, including MCPoison and ContextCrush
- 03Flags unpinned versions such as `@latest` that can silently resolve to a compromised release
Dev Encyclopedia has released MCPConfigCheck, a free browser tool targeting a largely unaddressed security gap: MCP server configuration files used by Claude Desktop, Claude Code, Cursor, and VS Code. The tool accepts a pasted `mcp.json` or `claude_desktop_config.json` and performs several checks locally in the browser, including cross-referencing servers against a maintained catalog of disclosed MCP supply chain incidents such as MCPoison and ContextCrush.
Users who discover incidents not yet in the catalog can report them via a contact link on the site for inclusion in future updates.
The tool flags six categories of risk: known incident matches, unpinned versions (such as `@latest` or no version pin), overly broad filesystem access (root `/` or home directory `~` paths that could expose SSH keys and `.env` files), unverified npm scopes vulnerable to typosquatting, hardcoded API keys or tokens, and unexpected command runners outside the standard set of `npx`, `node`, `python`, `uvx`, and `docker`. Each server in the config receives a Critical, Warning, or Clean rating with a plain-English explanation and a recommended fix.
Privacy is a stated design priority: the JSON is parsed entirely in the browser, the threat catalog is a static bundled dataset, no network requests are made, and any secrets present in environment variables are masked in the output. The tool requires no installation or account creation. Users who discover incidents not yet in the catalog can report them via a contact link on the site for inclusion in future updates.
Key facts
- 01MCPConfigCheck is a client-side browser tool — no install, no signup, no network requests
- 02Checks configs against a catalog of disclosed MCP supply chain incidents, including MCPoison and ContextCrush
- 03Flags unpinned versions such as `@latest` that can silently resolve to a compromised release
- 04Detects overly broad filesystem access (root `/` or home `~`) that can expose SSH keys and `.env` files
- 05Also checks for unverified npm scopes, hardcoded secrets, and unexpected command runners
- 06Each server entry is rated Critical, Warning, or Clean with a plain-English fix
- 07Secrets in env vars are masked in the output; nothing leaves the browser
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 20, 2026 · 08:55 UTC. How this works →