Analyzes MCP configuration files to detect shadow server indicators including unverified npm packages, binaries in writable directories, and suspicious command paths.
Analyze each server in MCP config for shadow server indicators: unverified npm packages via npx -y, binaries in writable directories (/tmp), suspicious command paths.
| Name | Required | Description | Default |
|---|---|---|---|
| path | Yes | Path to MCP configuration file |
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description must fully disclose behavior. It states 'analyze', which suggests a read-only operation, but it does not explicitly confirm no modifications, mention permissions, rate limits, or error behavior. Key safety traits are missing.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is a single, efficient sentence that front-loads the action and includes specific indicators. It contains no redundant words and is well-structured for quick comprehension.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
The tool has one parameter and no output schema. The description explains what it checks but does not describe the return format, whether it produces a report, or how results are presented. This leaves an agent without full context for invoking and interpreting the tool.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% with a clear description for the 'path' parameter. The tool description does not add any additional semantics beyond what the schema provides, so it meets the baseline but does not enhance understanding.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description explicitly states the tool analyzes MCP config files for shadow server indicators, listing specific signs like unverified npm packages and suspicious paths. This clearly identifies the resource and action, distinguishing it from sibling tools like cfg_audit_mcp_config which likely performs a broader audit.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description implies the tool is for detecting shadow servers in MCP configs, but it does not provide explicit guidance on when to use it versus alternatives (e.g., cfg_audit_mcp_config for general audit). There are no when-not or preferred context statements.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/mcp-security-scanner'
If you have feedback or need assistance with the MCP directory API, please join our Discord server