Verify MCP servers before registering them with the Claude Code CLI.
Claude Code reads MCP servers from .mcp.json at the project root or ~/.claude/mcp.json globally. Scan any server before adding it.
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
},
"fetch": {
"command": "uvx",
"args": ["mcp-server-fetch"]
}
}
}
# Scan an npm MCP server
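# Submit the package for scanning. -f makes curl fail on an HTTP error
# instead of passing an error body to jq; -S keeps the reason visible.
# "// empty" turns a missing scan_id into an empty string rather than the
# literal text "null", which would otherwise be polled as if it were an id.
SCAN_ID=$(curl -fsS -X POST https://api.mcpsafe.io/scan \
  -H "Content-Type: application/json" \
  -d '{"input": "@modelcontextprotocol/server-filesystem"}' \
  | jq -r '.data.scan_id // empty')
# Wait for completion, but stop after 100 polls (about 5 minutes) so a scan
# that never reports "complete" cannot hang the shell. A scan that did not
# finish is not a passing result: the server stays unverified.
SCAN_STATUS=""
if [ -z "$SCAN_ID" ]; then
  echo "scan request failed: no scan_id returned" >&2
else
  TRIES=0
  while [ "$TRIES" -lt 100 ]; do
    SCAN_STATUS=$(curl -fsS "https://api.mcpsafe.io/scan/$SCAN_ID" | jq -r '.status')
    if [ "$SCAN_STATUS" = "complete" ]; then
      break
    fi
    TRIES=$((TRIES + 1))
    sleep 3
  done
  if [ "$SCAN_STATUS" != "complete" ]; then
    echo "scan $SCAN_ID did not complete in time; treat the server as unverified" >&2
  fi
fi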
# View result
curl -s https://api.mcpsafe.io/scan/$SCAN_ID \
| jq '{grade: .safety_grade, score: .safety_score, critical: .severity_distribution.critical, high: .severity_distribution.high}'
Claude Code supports Python MCP servers via uvx. Scan them with the pypi: prefix:
SCAN_ID=$(curl -s -X POST https://api.mcpsafe.io/scan \
-H "Content-Type: application/json" \
-d '{"input": "pypi:mcp-server-fetch"}' \
| jq -r '.data.scan_id')
#!/bin/bash
# audit-mcp.sh — scan all servers in .mcp.json and print a summary
FAILED=0
jq -r '.mcpServers | to_entries[] | .key + " " + (
# npx -y <pkg> → args[1]; uvx <pkg> → args[0]; fall back to server key
if (.value.command == "npx") then (.value.args[1] // .key)
else (.value.args[0] // .key) end
)' .mcp.json \
| while read NAME PKG; do
SCAN_ID=$(curl -s -X POST https://api.mcpsafe.io/scan \
-H "Content-Type: application/json" \
-d "{\"input\": \"$PKG\"}" | jq -r '.data.scan_id')
until [ "$(curl -s https://api.mcpsafe.io/scan/
Add to CI
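Drop audit-mcp.sh into your repo and call it from a GitHub Actions step — see the GitHub Actions integration for a complete workflow. The package names come from .mcp.json, which is repository content, so build the request body with jq (for example `jq -n --arg input "$PKG" '{input: $input}'`) instead of interpolating $PKG into a JSON string, and have the step exit non-zero when a scan fails or never completes so an unverified server cannot pass the check.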