Agent tool security

Lint tool-call risk before the tools run.

Before your agent runs a tool, know what it can read, write, execute, and send. CallLint scans MCP configs statically and returns evidence-backed verdicts — never executing the server it judges.

Verdict first

SAFE, REVIEW, BLOCK, and UNKNOWN — with evidence for every finding. UNKNOWN never auto-upgrades to SAFE.

Offline by default

No network unless you opt in. Deterministic rules decide verdicts; no model in the decision path.

CI-ready

JSON, SARIF, compact terminal output, and self-contained HTML reports for pipelines and review.

Install & scan

Point CallLint at your MCP config before your agent loads it.

npx calllint scan .cursor/mcp.json
npx calllint scan .cursor/mcp.json --ci --no-emoji
npx calllint scan .cursor/mcp.json --html > report.html
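
The verdict model described above (evidence for every finding, UNKNOWN never becoming SAFE, no server executed) can be sketched as follows. This is an added example, not CallLint's code: the three rules, the severity order and the sample config are assumptions made for illustration, and only the mcpServers / command / args / env layout follows the usual MCP client config shape.

```javascript
// Added illustration: the rules and severity order are hypothetical, not CallLint's.
const RANK = { SAFE: 0, REVIEW: 1, UNKNOWN: 2, BLOCK: 3 };
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "powershell", "pwsh"]);

// Each rule reads one parsed server entry and returns findings with evidence.
const RULES = [
  (s) => SHELLS.has(s.command)
    ? [{ verdict: "BLOCK", evidence: `command "${s.command}" is a shell interpreter` }] : [],
  (s) => s.command === "npx" && !s.args.some((a) => /.@\d/.test(a))
    ? [{ verdict: "REVIEW", evidence: "npx package is not pinned to a version" }] : [],
  (s) => Object.keys(s.env).filter((k) => /TOKEN|SECRET|PASSWORD|API_KEY/i.test(k))
    .map((k) => ({ verdict: "REVIEW", evidence: `env passes credential-like variable ${k}` })),
];

// Judge one entry from its text alone; nothing is spawned or contacted.
function judgeServer(entry) {
  const ok = entry && typeof entry.command === "string" &&
    (entry.args === undefined || Array.isArray(entry.args));
  if (!ok) {
    // Fail closed: an entry these rules cannot interpret is UNKNOWN, never SAFE.
    return { verdict: "UNKNOWN",
      findings: [{ verdict: "UNKNOWN", evidence: "no analysable command/args" }] };
  }
  const s = { command: entry.command, args: entry.args || [], env: entry.env || {} };
  const findings = RULES.flatMap((rule) => rule(s));
  const verdict = findings.reduce((v, f) => (RANK[f.verdict] > RANK[v] ? f.verdict : v), "SAFE");
  return { verdict, findings };
}

// Scan a whole config: the overall verdict is the worst per-server verdict.
function scanConfig(jsonText) {
  const servers = JSON.parse(jsonText).mcpServers || {};
  const results = Object.fromEntries(
    Object.entries(servers).map(([name, entry]) => [name, judgeServer(entry)]));
  const overall = Object.values(results)
    .reduce((v, r) => (RANK[r.verdict] > RANK[v] ? r.verdict : v), "SAFE");
  return { overall, results };
}

// Constructed sample config (not from the page).
const SAMPLE = JSON.stringify({ mcpServers: {
  files: { command: "node", args: ["./server.js"] },
  search: { command: "npx", args: ["-y", "example-search-mcp"], env: { SEARCH_API_KEY: "x" } },
  runner: { command: "bash", args: ["-c", "./start.sh"] },
  remote: { url: "https://mcp.example.invalid/sse" }, // shape these rules do not cover
}});
console.log(JSON.stringify(scanConfig(SAMPLE), null, 2));
```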