Check an MCP setup before you trust it.
Scan config, prompts, tool text, and repo manifests for risky launchers, token passthrough, broad scope, weak transport, and poisoned instructions. The default path stays local and static.
Phase 1 is intentionally narrow. It is strongest before first run, before team handoff, and before you bury a risky MCP setup inside automation.
Catch risky launchers, duplicated server ids, weak transport choices, and config shapes that deserve a second look before use.
Surface hardcoded secrets, token passthrough smells, and environment inheritance that is broader than the server actually needs.
Review descriptions and prompt resources for language that can quietly change what a model is willing to do.
Highlight filesystem breadth, broad environment forwarding, and local setup choices that expand the damage from a bad server.
Flag obviously unpinned dependencies, missing lockfiles, and install surfaces that make review harder than it should be.
Return plain findings and direct next actions. The point is to help a human decide, not to hide behind a score.
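As an added illustration of the kind of static review described above (example code written for this page, not the product's own scanner or rule set), the function below walks a constructed `mcpServers`-style config and reports duplicated server ids, fetch-and-run launchers, a filesystem root exposed as an argument, a literal secret in `env`, a host token forwarded by reference, and a plain-http remote. The config shape, rule ids, and launcher and path lists are assumptions chosen for the demo.

```python
import json
import re

# Constructed sample config (not from the product), in the "mcpServers" shape many MCP clients
# use (an assumption). It deliberately contains one instance of each smell checked below.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "files":  {"command": "node", "args": ["fs.js", "/home/dev/project"]},
    "files":  {"command": "npx",  "args": ["-y", "@scope/fs-server", "/"]},
    "api":    {"command": "node", "args": ["api.js"],
               "env": {"API_TOKEN": "sk-live-0123456789abcdef", "GH": "${GITHUB_TOKEN}"}},
    "remote": {"url": "http://mcp.example.internal/sse"}
  }
}"""

RISKY_LAUNCHERS = {"npx", "uvx", "pipx", "sh", "bash", "curl"}  # resolve/fetch code at launch
BROAD_PATHS = {"/", "~", "$HOME", "C:\\"}
SECRET_NAME = re.compile(r"token|secret|password|api[_-]?key", re.I)
HOST_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")  # ${VAR} / $VAR forwarded from the host

def _load_tracking_duplicates(text, dups):
    """json.loads keeps only the last duplicate key, so note duplicates while parsing."""
    def hook(pairs):
        keys = [k for k, _ in pairs]
        dups.extend(sorted({k for k in keys if keys.count(k) > 1}))
        return dict(pairs)
    return json.loads(text, object_pairs_hook=hook)

def scan_mcp_config(text):
    """Return (rule_id, server_id, detail) tuples. Rule ids are illustrative, not the product's."""
    dups, findings = [], []
    servers = _load_tracking_duplicates(text, dups).get("mcpServers", {})
    findings += [("DUP_SERVER_ID", k, "defined more than once; last wins") for k in dups]
    for sid, cfg in servers.items():
        if cfg.get("command") in RISKY_LAUNCHERS:
            findings.append(("RISKY_LAUNCHER", sid, cfg["command"]))
        for arg in cfg.get("args", []):
            if arg in BROAD_PATHS:
                findings.append(("BROAD_FS_SCOPE", sid, arg))
        for key, val in cfg.get("env", {}).items():
            val = str(val)
            if HOST_REF.match(val) and SECRET_NAME.search(val):
                findings.append(("TOKEN_PASSTHROUGH", sid, f"{key}={val}"))
            elif SECRET_NAME.search(key) and not HOST_REF.match(val):
                findings.append(("HARDCODED_SECRET", sid, key))
        url = cfg.get("url", "")
        if url.startswith("http://") and not url.startswith(("http://localhost", "http://127.")):
            findings.append(("WEAK_TRANSPORT", sid, url))
    return findings
```

Calling `scan_mcp_config(SAMPLE_CONFIG)` returns six findings, one per smell; a config with a single server launched by a fixed interpreter, a narrow path, and an `https://` remote returns none.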
Run Lite on a real workspace, judge the findings, then buy Pro only if the workflow surfaces save meaningful time.
Use the CLI, the extension, or the release bundle on a workspace you actually care about, not just a demo.
Read the rule ids, compare them to the rules page, and inspect the example report and fix guidance.
Pro should feel like an honest workflow upgrade for export, CI, hooks, and policy presets, not a ransom gate on basic trust evaluation.
Lite should be useful on its own. Pro exists for workflow surfaces that are worth paying for in a real development process.
| Capability | Lite | Pro |
|---|---|---|
| Core static scan (config, manifests, prompts, tool text, obvious secret-bearing files) | Included | Included |
| Local-first execution | Included | Included |
| Text and JSON output | Included | Included |
| Local suppressions | Included | Included |
| Markdown, HTML, and SARIF reports | Not included | Included |
| Git hooks and CI mode | Not included | Included |
| Policy presets | Not included | Included |
| Commercial model | Free | One-time purchase |
The fastest way to decide whether this tool is credible is to inspect the rules, the example output, the trust pages, and the public repo.
See what the scanner looks for, what the findings mean, and where the boundaries are today.
Example report: Read a representative report before you install or buy anything. The output should be legible first.
Privacy and trust: See what the default scan does not do, what the website touches, and what the commercial flow changes.
GitHub: Repo, releases, issues, and discussions matter more for this product than brand polish or ad spend.
No. The default path is a local static review of setup material before runtime trust.
No for Lite. Pro uses a local license token instead of an account-based workflow.
When export, hooks, CI, or presets save real time in a workflow you already know you want to keep.
No. It is strongest before first trust, before handoff, and before risky config becomes routine.
If the product is doing its job, you should understand the value before checkout: what it scans, what it flags, what it does not do, and how it fits your MCP workflow.