CuratedMCP

Free · open source · no account

How many ungoverned MCP servers are on your laptop right now?

Every MCP server configured in Claude Code, Cursor, or Windsurf can read your files, hold your API keys, and reach the network. Most teams have no idea what's installed. One command tells you — in about 60 seconds.

npx -y @curatedmcp/auditor

Runs locally. Exits non-zero if high-risk servers are found — CI-friendly.

Finds every MCP config

Scans the config locations for Claude Code, Claude Desktop, Cursor, Windsurf, and Gemini on your machine.

Flags shadow servers

Each server is checked against the risk-classified CuratedMCP catalog. Anything that appears in no governed catalog is shadow MCP — software with credential access that nobody reviewed.

Grades the machine A–F

Get a shareable, unlisted report URL — the artifact you paste in Slack or forward to your security lead.
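The three steps above (find configs, flag shadow servers, grade the machine), as an added toy example that is not the CuratedMCP auditor's code. It assumes the common `mcpServers` JSON layout used by IDE config files, a hypothetical allowlist standing in for a governed catalog, and an invented A–F rubric; the config it scans is a constructed sample.

```python
"""Toy shadow-MCP audit (added example, not the CuratedMCP auditor's code): parse an IDE
MCP config, flag unlisted servers and credential-looking env keys, grade, exit non-zero."""
import json
import re
import sys

# Assumption: IDE configs use the common {"mcpServers": {name: {command, args, env}}} layout.
# Hypothetical allowlist standing in for a governed catalog such as CuratedMCP's.
ALLOWLIST = {"github", "filesystem"}
SECRET_KEY = re.compile(r"token|secret|password|api[_-]?key", re.I)

def audit_config(ide: str, text: str, allowlist=ALLOWLIST) -> list[dict]:
    """Return one finding per configured server."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        flags = []
        if any(SECRET_KEY.search(k) for k in (spec.get("env") or {})):
            flags.append("Credentials in env")        # a secret sits in plaintext config
        if name not in allowlist:
            flags.append("Not in any catalog")        # shadow MCP: nobody reviewed it
        risk = "high" if len(flags) == 2 else "medium" if flags else "low"
        findings.append({"server": name, "ide": ide, "flags": flags, "risk": risk})
    return findings

def grade(findings: list[dict]) -> str:
    """Invented rubric: F for 2+ high-risk servers, D for one, C/B for shadow-only, else A."""
    high = sum(f["risk"] == "high" for f in findings)
    shadow = sum("Not in any catalog" in f["flags"] for f in findings)
    return "F" if high >= 2 else "D" if high else "C" if shadow >= 2 else "B" if shadow else "A"

def exit_code(findings: list[dict]) -> int:
    return 1 if any(f["risk"] == "high" for f in findings) else 0   # CI-friendly

def report_payload(findings: list[dict]) -> list[dict]:
    """What a shareable report would carry: server names, IDE and flags, never command,
    args, env values or paths."""
    return [{k: f[k] for k in ("server", "ide", "flags")} for f in findings]

# Constructed sample config resembling a Cursor mcp.json on a developer laptop.
SAMPLE_CURSOR = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "internal-db-tools": {"command": "node", "args": ["db.js"], "env": {"DB_PASSWORD": "x"}},
    "browser-automation": {"command": "npx", "args": ["-y", "example-browser-mcp"]},
}})

if __name__ == "__main__":
    found = audit_config("Cursor", SAMPLE_CURSOR)
    print(f"Grade {grade(found)}:", json.dumps(report_payload(found), indent=2))
    sys.exit(exit_code(found))
```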

What leaves your machine: almost nothing.

The scan runs entirely locally and prints its findings in your terminal. Generating a shareable web report is optional and asks first — and uploads only server names, which IDE they came from, and risk flags. Commands, arguments, env values, secrets, and file paths never leave your machine. The CLI is MIT-licensed open source, so you can check.

What the report looks like

Grade: D

High risk found

11 servers across Claude Code, Cursor — 4 shadow, 1 high-risk

internal-db-tools (Cursor): Credentials in env · Not in any catalog
browser-automation (Claude Code): Not in any catalog
github (Claude Code): Verified

This scan covers one machine.

Your team has dozens. The CuratedMCP Control Plane runs this across every developer laptop, sets the allowlist, and gives security the audit trail — a flat-fee 60-day pilot, no proxy in the request path.