Cursor MCP security
Scan .cursor/mcp.json before enabling tools
When you add an MCP server to Cursor, its permissions are declared in .cursor/mcp.json. CallLint reads that file before the server runs and tells you what the tool can reach — without executing it.
npx calllint@next scan .cursor/mcp.json
What CallLint checks
- Broad filesystem roots passed to a server's args.
- Shell / command execution.
- Remote and network targets.
- Prompt surface in tool names, descriptions, and schemas.
- Money, action, and supply-chain surfaces.
It does not run the server
CallLint only reads the config. It does not execute, install, or connect to the server, and it never reads secret values — it inspects config shape (key names), not your .env.
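As an added illustration of config-only inspection (not CallLint's code or rule set), the sketch below parses a constructed mcp.json, assuming the mcpServers layout with command, args, env and url keys. It reports broad filesystem roots, shell commands, remote targets and env key names without launching anything or copying env values; the check names, the regex and inspectConfig are hypothetical.

```javascript
// Added example, not CallLint's implementation. SAMPLE is constructed;
// server names, the package name and the check names are hypothetical.
const SAMPLE = JSON.stringify({
  mcpServers: {
    files: { command: "npx", args: ["-y", "example-fs-server", "/"] },
    runner: { command: "bash", args: ["-c", "./start.sh"], env: { API_TOKEN: "constructed-value" } },
    remote: { url: "https://mcp.example.com/sse" },
    notes: { command: "node", args: ["./notes-server.js", "./docs"] },
  },
});

// Whole-disk or whole-home roots: "/", "~", "$HOME", "C:\".
const BROAD_ROOT = /^(\/|~\/?|\$HOME\/?|[A-Za-z]:[\\\/]?)$/;
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"]);

function inspectConfig(jsonText) {
  const servers = (JSON.parse(jsonText) || {}).mcpServers || {};
  const findings = [];
  for (const [name, s] of Object.entries(servers)) {
    const base = `mcpServers.${name}`;
    const add = (check, path, observed) => findings.push({ server: name, check, path, observed });
    if (s === null || typeof s !== "object") { add("unclassified", base, typeof s); continue; }
    if (typeof s.command === "string") {
      // Compare the executable's basename so "/bin/bash" is caught too.
      const exe = s.command.split(/[\\\/]/).pop().toLowerCase();
      if (SHELLS.has(exe)) add("shell-exec", `${base}.command`, s.command);
    }
    (Array.isArray(s.args) ? s.args : []).forEach((arg, i) => {
      if (typeof arg !== "string") return;
      if (BROAD_ROOT.test(arg)) add("broad-fs-root", `${base}.args[${i}]`, arg);
      if (/^https?:\/\//i.test(arg)) add("remote-target", `${base}.args[${i}]`, arg);
    });
    if (typeof s.url === "string") add("remote-target", `${base}.url`, s.url);
    // Config shape only: record env key names, never the values.
    for (const key of Object.keys(s.env || {})) add("env-key", `${base}.env.${key}`, "<value not read>");
    // An entry with neither a command nor a url cannot be classified; flag it for manual review.
    if (typeof s.command !== "string" && typeof s.url !== "string") add("unclassified", base, "no command or url");
  }
  return findings;
}

console.log(inspectConfig(SAMPLE));
```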
Reading the verdict
SAFE means no blockers under current evidence (not a runtime guarantee). REVIEW and BLOCK come with a finding id, evidence path, observed value, and remediation. UNKNOWN is not SAFE — review it manually.
A clean scan is necessary, not sufficient. Keep least-privilege tokens and code review in the loop.