Is Your MCP Config Actually Safe?
MCP server configs are a real and growing supply chain attack surface. Paste your mcp.json or claude_desktop_config.json and check it against known incidents and common risk patterns, instantly, in your browser.
How MCPConfigCheck works
Paste your config
Copy the contents of your mcp.json, claude_desktop_config.json, or any MCP config file and paste it into the input area. The tool accepts any JSON with an mcpServers (or servers) object.
JSON is parsed locally
The config is parsed entirely in your browser using JavaScript. Each MCP server entry is extracted with its command, arguments, environment variables, and URL (if present).
Catalog cross-reference
Every server's package name is checked against a maintained catalog of known MCP supply chain incidents, including the ContextCrush, MCPoison, and malicious filesystem server compromises from 2025 and 2026.
Pattern analysis
Even without a catalog match, the tool flags common risk indicators: unpinned versions (@latest), overly broad filesystem access (root-level paths), unexpected command runners, unverified npm scopes, hardcoded secrets, and servers with no package specified.
Results with actionable guidance
Each server gets a severity rating (Critical, Warning, or Clean) with specific findings and a plain-English action for each issue. Critical findings include the exact config line to remove.
What the results mean
Critical: The server matches a known MCP supply chain incident in the threat catalog. This means the specific package (or version) has been publicly identified as compromised, malicious, or containing a vulnerability that enables credential exfiltration, code injection, or unauthorized access.
Warning: The server did not match a known incident, but exhibits patterns commonly associated with supply chain risk. These are not confirmed threats, but they increase your attack surface and warrant manual review.
Clean: The server did not match any known threats and passed all pattern checks. This does not guarantee safety (the catalog only covers publicly disclosed incidents), but no known issues were detected.
MCP config format reference
MCPConfigCheck accepts any JSON file with an mcpServers or servers key. Here are the common formats:
Claude Desktop / Claude Code (claude_desktop_config.json)
```json
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/Users/me/projects"],
      "env": {}
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
      }
    }
  }
}
```
Cursor (.cursor/mcp.json)
```json
{
  "mcpServers": {
    "sqlite": {
      "command": "uvx",
      "args": ["mcp-server-sqlite", "--db-path", "./data.db"]
    }
  }
}
```
SSE / Streamable HTTP transport
```json
{
  "mcpServers": {
    "remote-tools": {
      "url": "https://mcp.example.com/sse",
      "env": {
        "API_KEY": "${MCP_API_KEY}"
      }
    }
  }
}
```
When to use MCPConfigCheck
| Scenario | What to paste |
|---|---|
| Cloned a repo with a .cursor/mcp.json or .vscode/mcp.json | The entire contents of the MCP config file from the cloned repo |
| A teammate shared their Claude Desktop config for a new MCP server | The shared claude_desktop_config.json contents |
| Read about the MCPoison vulnerability and want to check your own config | Your claude_desktop_config.json or .cursor/mcp.json |
| Setting up a new MCP server from a tutorial or GitHub README | The config JSON from the tutorial, before adding it to your client |
| Auditing a team's shared MCP configs before a security review | Each config file individually to check them all |
| Quick sanity check before installing Bumblebee for a full audit | Your primary MCP config file for a fast first-pass |
Risk patterns MCPConfigCheck detects
- Unpinned versions (@latest or no version). Packages without a pinned version can resolve to a future compromised release. The MCPoison attack exploited exactly this: a benign config was approved once, then silently updated to a malicious version.
- Overly broad filesystem access. Granting root-level (/) or home directory (~) access lets any tool on the MCP server read SSH keys, .env files, credentials, and any other file on your system.
- Unexpected command runners. MCP servers should be launched by standard runners (npx, node, python, uvx, docker). An unfamiliar binary could be a disguised executable or a renamed script.
- Unverified npm scopes. Packages under verified scopes (@modelcontextprotocol/, @anthropic-ai/, etc.) have a known publisher. Packages without a verified scope are more vulnerable to typosquatting.
- Hardcoded secrets in env. API keys and tokens in your config file are exposed if the file is committed to a repository or shared. Use environment variable references (${API_KEY}) instead.
- Servers with no package argument. A command runner with no package specified relies on whatever binary is resolved by the system PATH, which could be manipulated.
Frequently Asked Questions
What is MCPConfigCheck and what does it check?
MCPConfigCheck is a browser-based tool that reads your MCP server configuration JSON and performs two types of checks: it cross-references every configured server against a catalog of known MCP supply chain incidents (like the ContextCrush and MCPoison attacks from early 2026), and it runs pattern-based analysis for common risk indicators such as unpinned versions, overly broad filesystem access, unverified publisher namespaces, and hardcoded secrets.
Everything runs entirely in your browser. No data is sent to any server, and the tool works offline once the page loads.
How is MCPConfigCheck different from Bumblebee?
| | MCPConfigCheck | Bumblebee (Perplexity) |
|---|---|---|
| Install required | No (browser tool) | Yes (Go binary) |
| Checks config files | Yes | Yes (as part of broader scan) |
| Checks live servers | No | Yes (full endpoint scan) |
| Checks extensions/plugins | No | Yes (VS Code, browser, etc.) |
| Best for | Quick single-file check | Full endpoint security audit |
MCPConfigCheck is a lightweight complement to Bumblebee, not a replacement. Use MCPConfigCheck for a quick 10-second sanity check of one config file. Use Bumblebee for a comprehensive security audit of your entire development environment.
Is my MCP config data sent anywhere?
No. MCPConfigCheck runs 100% client-side in your browser. The JSON you paste is parsed locally using JavaScript. The known-risk catalog is a static dataset bundled with the page. No network requests are made, and no data leaves your browser.
If your config contains API keys or tokens in environment variables, they are automatically masked in the output display.
What is an MCP server supply chain attack?
An MCP (Model Context Protocol) supply chain attack targets the configuration files that connect AI coding assistants (Claude Desktop, Cursor, VS Code with Copilot, Windsurf) to external tool servers. Because MCP servers have direct access to your AI agent's working memory and can invoke tools on your behalf, a compromised server can exfiltrate credentials, inject malicious instructions, or execute arbitrary commands without any visible indication.
Should I pin MCP server versions in my config?
Yes. Using @latest or not specifying a version means the package can resolve to a future compromised release without your knowledge. This is exactly how the MCPoison attack worked: a developer approved a benign config, and a later version of the same package contained malicious code.
Bad: unpinned version
```json
{
  "command": "npx",
  "args": ["-y", "some-mcp-server@latest"]
}
```
Good: pinned to a specific version
```json
{
  "command": "npx",
  "args": ["-y", "some-mcp-server@1.2.3"]
}
```
After pinning, periodically check for updates manually and review changelogs before bumping the version.
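The workflow described under "How MCPConfigCheck works", the six risk patterns listed above, the output masking of literal secrets, and the version-pinning check in this answer, as one added JavaScript example that is not MCPConfigCheck's own code. It parses an mcpServers (or servers) object, looks each package up in a catalog (here a single placeholder entry, since the real catalog is not reproduced on this page), applies the pattern checks, and assigns Critical, Warning or Clean. The verified scopes and standard runners are the ones the page names; the function names, the secret-key heuristic and the sample config are assumptions constructed for this example.

```javascript
// Added example (not MCPConfigCheck's own code): a minimal client-side checker
// built from the risk patterns this page lists. Function names, the placeholder
// catalog entry and the sample config are constructed for illustration.

// Verified publisher scopes and standard runners named on the page.
const VERIFIED_SCOPES = ["@modelcontextprotocol/", "@anthropic-ai/"];
const STANDARD_RUNNERS = new Set(["npx", "node", "python", "python3", "uvx", "docker"]);

// Placeholder only: the real tool bundles a catalog of publicly disclosed incidents.
const KNOWN_INCIDENTS = {
  "placeholder-compromised-server": "placeholder catalog entry, not a real package",
};

// Matches an environment-variable reference such as "${GITHUB_TOKEN}".
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;
// Env keys whose literal values are treated as secrets (assumed heuristic).
const SECRET_KEY = /TOKEN|KEY|SECRET|PASS/i;

// Parse the pasted JSON and pull each server out of mcpServers (or servers).
function extractServers(json) {
  const cfg = JSON.parse(json);
  const servers = cfg.mcpServers || cfg.servers;
  if (!servers || typeof servers !== "object") throw new Error("no mcpServers or servers object");
  return Object.entries(servers).map(([name, raw]) => {
    const s = raw && typeof raw === "object" ? raw : {};
    return {
      name,
      command: s.command,
      args: Array.isArray(s.args) ? s.args : [],
      env: s.env && typeof s.env === "object" ? s.env : {},
      url: s.url,
    };
  });
}

// The package spec is the first argument that is not a flag ("-y", "--db-path", ...).
function packageSpec(args) {
  return args.find((a) => typeof a === "string" && !a.startsWith("-"));
}

// Split "@scope/name@1.2.3" into package and version; a leading "@" is a scope, not a version.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at <= 0 ? { pkg: spec, version: null } : { pkg: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Keep a short prefix so the reader can recognise the value without exposing it.
function mask(value) {
  return value.length <= 4 ? "****" : value.slice(0, 4) + "*".repeat(value.length - 4);
}

// Apply the catalog lookup and the pattern checks to one server entry.
function checkServer(s) {
  const findings = [];
  const spec = s.command ? packageSpec(s.args) : undefined;
  const { pkg, version } = spec ? splitSpec(spec) : { pkg: null, version: null };

  if (pkg && KNOWN_INCIDENTS[pkg]) {
    findings.push({ level: "critical", msg: `known incident (${KNOWN_INCIDENTS[pkg]}); remove "${spec}" from args` });
  }
  if (s.command && !STANDARD_RUNNERS.has(s.command)) {
    findings.push({ level: "warning", msg: `unexpected command runner "${s.command}"` });
  }
  if ((s.command === "npx" || s.command === "uvx") && !spec) {
    findings.push({ level: "warning", msg: "no package specified; whatever PATH resolves will run" });
  }
  if (pkg && (!version || version === "latest")) {
    findings.push({ level: "warning", msg: `unpinned version for ${pkg}; pin an exact version` });
  }
  if (pkg && s.command === "npx" && !VERIFIED_SCOPES.some((sc) => pkg.startsWith(sc))) {
    findings.push({ level: "warning", msg: `${pkg} is not under a verified npm scope` });
  }
  for (const a of s.args) {
    if (a === "/" || a === "~" || a === "$HOME") {
      findings.push({ level: "warning", msg: `overly broad filesystem access: ${a}` });
    }
  }
  for (const [k, v] of Object.entries(s.env)) {
    if (typeof v === "string" && v !== "" && !ENV_REF.test(v) && SECRET_KEY.test(k)) {
      findings.push({ level: "warning", msg: `hardcoded secret in env ${k}=${mask(v)}` });
    }
  }
  const severity = findings.some((f) => f.level === "critical") ? "Critical"
    : findings.length ? "Warning" : "Clean";
  return { name: s.name, severity, findings: findings.map((f) => f.msg) };
}

function checkConfig(json) {
  return extractServers(json).map(checkServer);
}

// Constructed sample: the page's example entries plus two deliberately risky ones.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    filesystem: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/Users/me/projects"], env: {} },
    github: { command: "npx", args: ["-y", "@modelcontextprotocol/server-github"], env: { GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}" } },
    risky: { command: "npx", args: ["-y", "some-mcp-server@latest", "/"], env: { API_KEY: "sk-constructed-example-value" } },
    bad: { command: "npx", args: ["-y", "placeholder-compromised-server@1.0.0"] },
    remote: { url: "https://mcp.example.com/sse", env: { API_KEY: "${MCP_API_KEY}" } },
  },
});

console.log(JSON.stringify(checkConfig(SAMPLE_CONFIG), null, 2));
```

Running it reports the page's own filesystem entry as Clean (pinned, verified scope, project-scoped path), the github entry as Warning for its unpinned version, the constructed risky entry with four findings, the placeholder catalog match as Critical with the exact args value to remove, and the URL-only remote entry as Clean. The secret value appears in the output only as its first four characters followed by asterisks.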
How do I find my MCP config file?
| Client | Config file location |
|---|---|
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows) |
| Claude Code | ~/.claude.json or project .mcp.json |
| Cursor | .cursor/mcp.json in your project root |
| VS Code | .vscode/mcp.json or settings.json MCP section |
| Windsurf | .windsurf/mcp.json in your project root |
Open the file in a text editor, copy the entire contents, and paste it into MCPConfigCheck. The tool handles all common config formats automatically.
How often is the known-risk catalog updated?
The catalog is updated whenever a new MCP supply chain incident is publicly disclosed. The current last-updated date is always displayed in the scan results. If you know of an incident that is not covered, you can report it via the Dev Encyclopedia contact page for inclusion in the next update.