MCP Preflight: Local MCP security scanner

Local-first MCP trust check

Check an MCP server before you trust it.

MCP Preflight reads common MCP config files, prompt resources, tool descriptions, and repo manifests, then explains risky patterns in plain language before they become a bigger problem.

Lite: Local scan, no account required

Pro: Reports, hooks, CI, presets

Trust stance: No hosted scan backend

Fast start

Get to a real scan quickly

Install the extension or run the CLI from the public repo. The bundled quickstart workspace is intentionally risky, so the first run shows real findings instead of a blank success screen.

Open the public repo

Lite

Keep the free path simple

Lite is the fast local scan: workspace scan, current-file scan, text output, JSON output, and the core MCP-focused checks. No account is required.

Read the privacy note

Pro

Unlock workflow surfaces

Pro adds Markdown, HTML, and SARIF reports, suppression files, CI mode, Git hooks, and policy presets through a local signed license token.

Read the Pro guide

Why this stays small

Not a dashboard. Not a gateway. Not a broad AppSec platform.

The point of MCP Preflight is narrow on purpose: scan first, trust later. That means local-first behavior, readable findings, conservative permissions, and a public surface that explains the product without turning it into a hosted control plane.