Scan MCP servers before adding them to your Cursor AI config.
Before adding an MCP server to Cursor, run a quick scan to verify it's safe.
Cursor reads MCP servers from ~/.cursor/mcp.json (global) or .cursor/mcp.json (project-local). The format mirrors Claude Desktop:
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "..." }
    }
  }
}

Run a scan against the package before wiring it into Cursor:
# Start scan
SCAN_ID=$(curl -s -X POST https://api.mcpsafe.io/scan \
  -H "Content-Type: application/json" \
  -d '{"input": "@modelcontextprotocol/server-github"}' \
  | jq -r '.data.scan_id')
# Poll for result
until [ "$(curl -s "https://api.mcpsafe.io/scan/$SCAN_ID" | jq -r '.status')" = "complete" ]; do
  sleep 3
done
# Print grade
curl -s "https://api.mcpsafe.io/scan/$SCAN_ID" | jq '{grade: .safety_grade, score: .safety_score}'

If the grade is A, B, or C, add it to Cursor. If D or F, review the findings at mcpsafe.io before proceeding.
GRADE=$(curl -s "https://api.mcpsafe.io/scan/$SCAN_ID" | jq -r '.safety_grade')
if [[ "$GRADE" =~ ^[ABC]$ ]]; then
  echo "Safe to add (grade $GRADE)"
else
  echo "Review findings before adding (grade $GRADE)"
  echo "https://mcpsafe.io/scan/$SCAN_ID"
fi

Audit every server already in your Cursor config:
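jq -r '.mcpServers | keys[]' ~/.cursor/mcp.json | while read -r SERVER; do
  echo "Scanning $SERVER..."
  # Build the request body with jq so the name is JSON-escaped
  SCAN_ID=$(curl -s -X POST https://api.mcpsafe.io/scan \
    -H "Content-Type: application/json" \
    -d "$(jq -n --arg input "$SERVER" '{input: $input}')" | jq -r '.data.scan_id')
  until [ "$(curl -s "https://api.mcpsafe.io/scan/$SCAN_ID" | jq -r '.status')" = "complete" ]; do
    sleep 3
  done
  # Report grade and score, using the same fields as the single-package scan
  RESULT=$(curl -s "https://api.mcpsafe.io/scan/$SCAN_ID" | jq -c '{grade: .safety_grade, score: .safety_score}')
  echo "$SERVER: $RESULT"
done
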
Project-local vs global config
Prefer .cursor/mcp.json (project-local) over ~/.cursor/mcp.json (global). A compromised MCP server in your global config affects every project you open in Cursor.
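
The keys under mcpServers are labels you choose; the package that actually runs is named in command and args. The following added example (not mcpsafe's or Cursor's code) builds an inventory from both config scopes, lists global entries first, and derives the package spec to submit for scanning. The launcher list, the "first non-flag argument" rule, and the package name example-notes-mcp are assumptions made for illustration.

```python
import json
from pathlib import Path

# Launchers that download and run a package named in args (assumed common cases).
LAUNCHERS = {"npx", "bunx", "uvx"}

def package_spec(entry):
    """Return the package a launcher entry would fetch, or None if not derivable."""
    if Path(entry.get("command", "")).name not in LAUNCHERS:
        return None
    # First non-flag argument, e.g. ["-y", "@scope/pkg"] -> "@scope/pkg".
    return next((a for a in entry.get("args", []) if not a.startswith("-")), None)

def is_pinned(spec):
    """True if the spec carries an explicit version (not a bare name or @latest)."""
    at = spec.rfind("@")  # index 0 is an npm scope, not a version separator
    return at > 0 and spec[at + 1:] not in ("", "latest")

def inventory(configs):
    """configs: {scope: parsed mcp.json}. Returns one row per configured server."""
    rows = []
    for scope, config in configs.items():
        for name, entry in config.get("mcpServers", {}).items():
            spec = package_spec(entry)
            rows.append({
                "scope": scope,
                "server": name,
                "scan_input": spec,             # what to submit to the scanner
                "pinned": bool(spec) and is_pinned(spec),
                "manual_review": spec is None,  # local binary, container, URL, ...
            })
    # Global entries load in every project, so list them first.
    return sorted(rows, key=lambda r: (r["scope"] != "global", r["server"]))

# Constructed sample configs (not from a real machine); package names are hypothetical
# except the one shown on this page.
SAMPLE = {
    "global": json.loads('{"mcpServers": {"github": {"command": "npx",'
                         ' "args": ["-y", "@modelcontextprotocol/server-github"]}}}'),
    "project": json.loads('{"mcpServers": {'
                          '"notes": {"command": "npx", "args": ["-y", "example-notes-mcp@1.4.2"]},'
                          '"local": {"command": "/opt/tools/mcp-local", "args": []}}}'),
}

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(row)
```

To audit a real machine, parse ~/.cursor/mcp.json and .cursor/mcp.json with json.loads and pass them as the "global" and "project" entries. A row with pinned set to false means the launcher resolves the version at install time, so the version that runs may not be the one that was scanned.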