MCP Preflight Local-first MCP trust review Run free scan
Guide

Secure mcp.json

A practical review pass for the config that decides what your MCP setup can launch, inherit, and reach.

Back to guidesRun free scan
Section 1

What to inspect first

Start with launch method, id uniqueness, transport, and environment handling. If the config hides risk there, nothing later in the workflow gets safer.

  • check whether the launcher is reviewed, pinned, or ephemeral
  • check whether credentials appear in the URL or file directly
  • check whether blanket environment inheritance is enabled
  • check whether the server reaches broader paths or remotes than expected
Section 2

Safer defaults

  • prefer reviewed local installs over floating or opaque launch paths
  • move auth into env-backed fields or headers rather than embedding secrets in config
  • pass only the variables the server needs
  • keep filesystem scope as narrow as the real task allows
Section 3

What MCP Preflight helps with

The scanner is strongest at surfacing broad scope, token passthrough, launcher risk, and transport/auth issues while the config is still easy to change.

mcp-preflight scan . --format text --no-exit-code