MCP security
Review tool permissions before your agent runs them
An MCP server is a set of permissions, not just a plugin. A single config can grant filesystem paths, shell commands, network access, prompt-surface instructions, external actions, money movement, and supply-chain reach — all before you have read a line of the server's code.
CallLint is a static pre-run scanner for MCP and agent-tool configs. It reads the configuration only. It does not execute, install, or connect to the server. It returns SAFE, REVIEW, BLOCK, or UNKNOWN with evidence for each finding.
Surfaces CallLint looks at
- Filesystem roots and broad path access.
- Shell / command execution.
- Network and remote targets.
- Secrets: environment keys and credential config a tool can reach (CallLint inspects config shape — key names — never secret values).
- Prompt surface in tool names, descriptions, and schemas.
- External actions and money movement.
- Supply chain: unpinned packages, unknown remotes.
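To make the idea of a config-only scan concrete, here is an added illustration (not CallLint's code or rule set) that walks an `mcpServers` config of the shape used by `.cursor/mcp.json` and Claude Desktop and maps a few of the surfaces above onto SAFE / REVIEW / BLOCK / UNKNOWN verdicts; the root, shell and secret-key-name lists and the UNKNOWN-when-unverifiable rule are hypothetical choices of this example.

```python
import json

# Constructed sample in the "mcpServers" shape used by .cursor/mcp.json and Claude Desktop.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]},
    "pinned": {"command": "npx", "args": ["-y", "some-server@1.2.3", "/home/me/project"],
               "env": {"GITHUB_TOKEN": "<redacted>"}},
    "shell": {"command": "bash", "args": ["-c", "./run-server.sh"]},
    "remote": {"url": "https://mcp.example.invalid/sse"},
    "opaque": {"disabled": False},
}})

BROAD_ROOTS = {"/", "/home", "/Users", "C:\\", "~"}  # hypothetical rule lists, not CallLint's
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell"}
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")

def scan_server(name, spec):
    """Return (verdict, findings) for one mcpServers entry, reading config only."""
    findings = []
    cmd, args, url = spec.get("command", ""), spec.get("args", []), spec.get("url")
    if not cmd and not url:
        return "UNKNOWN", [f"{name}: no command or url; surface cannot be verified statically"]
    if cmd in SHELLS:
        findings.append(("BLOCK", f"{name}: direct shell execution via {cmd!r}"))
    for a in args:
        if a in BROAD_ROOTS or a.rstrip("/") in BROAD_ROOTS:
            findings.append(("BLOCK", f"{name}: filesystem root {a!r} grants broad path access"))
    if url:
        findings.append(("REVIEW", f"{name}: remote target {url!r}"))
    if cmd in ("npx", "uvx"):
        pkgs = [a for a in args if not a.startswith("-")]
        if pkgs and "@" not in pkgs[0].lstrip("@"):
            findings.append(("REVIEW", f"{name}: unpinned package {pkgs[0]!r}"))
    for key in spec.get("env", {}):  # key names only; values are never inspected
        if any(h in key.upper() for h in SECRET_HINTS):
            findings.append(("REVIEW", f"{name}: env key {key!r} looks credential-bearing"))
    verdict = "BLOCK" if any(v == "BLOCK" for v, _ in findings) else ("REVIEW" if findings else "SAFE")
    return verdict, [msg for _, msg in findings]

def scan_config(text):
    """Scan a JSON config string; returns {server_name: (verdict, findings)}."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: scan_server(name, spec) for name, spec in servers.items()}

if __name__ == "__main__":
    for name, (verdict, findings) in scan_config(SAMPLE_CONFIG).items():
        print(f"{verdict:8}{name}")
        for f in findings:
            print(f"        - {f}")
```

The "opaque" entry shows why UNKNOWN is a distinct verdict: nothing in the config says what it would run, so a static pass cannot call it SAFE.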
When to run it
- Before installing an unfamiliar MCP server.
- Before committing .cursor/mcp.json.
- Before enabling a Claude Desktop MCP config.
- In CI when a PR changes agent-tool configuration.
npx calllint@next scan .cursor/mcp.json
What it does not prove
A SAFE verdict means no blockers were observed under current evidence — not that the server is safe at runtime. UNKNOWN means the surface could not be verified statically; it is not SAFE. CallLint does not sandbox, inspect server source, or replace code review.