MCP Servers

A collection of Model Context Protocol servers, templates, tools and more.

The fast local check before you trust a new MCP server or ship an agent workflow.

Created 3/7/2026
Updated 1 day ago
Repository documentation and setup instructions

MCP Preflight

MCP Preflight is a local static scanner for Model Context Protocol setups.

It reviews MCP config, prompt text, tool descriptions, and repo manifests, then flags risky patterns before you run a new setup or ship an agent workflow.

The default scan stays on disk. It does not connect to the server or execute tools.

Lite is free, local, and includes suppression files. Pro adds reports, CI mode, Git hooks, and policy presets.

Website: mcppreflight.com

Install

| Surface | Best for | Get it |
| --- | --- | --- |
| VS Code extension | Editor workflow | VS Code Marketplace or Open VSX |
| npm CLI | Terminal workflow | npm install -g mcp-preflight |
| Standalone CLI | Single downloaded file | Download mcp-preflight.js from GitHub Releases |

Get started

Pick the path that fits how you want to try it.

1. VS Code extension

This is the quickest way to try it in a real workspace.

  1. Install MCP Preflight from the VS Code Marketplace or Open VSX.
  2. Open the workspace you want to review.
  3. Open the MCP Preflight sidebar from the activity bar, or click the MCP Preflight status item.
  4. Run MCP Preflight: Scan Workspace.
  5. Review the result in the sidebar, overview, and Problems panel.

2. CLI from npm

Install it once and run it anywhere.

npm install -g mcp-preflight
mcp-preflight scan /path/to/workspace

If you want to try it without a global install:

npx mcp-preflight scan /path/to/workspace

For command help:

mcp-preflight --help

3. Standalone CLI from GitHub Releases

Use this if you want a single downloaded file instead of a global install.

node mcp-preflight.js scan /path/to/workspace

4. Run from this repository

Use this if you want to inspect the code, try the bundled example workspace, or work on the project itself.

  1. Clone the repository.
  2. Run npm install.
  3. Run npm run quickstart.
  4. Run npm run scan -- /path/to/your/workspace.

npm run quickstart scans the bundled example workspace in demo/example-findings-workspace so you can see a representative finding set before scanning your own project.

What it reviews

  • .vscode/mcp.json and other common MCP config locations
  • tool descriptions and prompt resources
  • repo manifests and dependency signals
  • obvious secret-bearing files such as .env
  • risky patterns such as credential exposure, token passthrough, floating ephemeral launchers, insecure remote targets, prompt injection, tool poisoning, and over-broad scope
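
The sketch below is an added example, not MCP Preflight's code or rule set: it shows how a static, on-disk check can flag three of the patterns listed above in an MCP config without connecting to any server. The rule names, the launcher list, and the reading of "floating ephemeral launcher" as an npx-style command with no exact version are assumptions, and the sample config is constructed.

```javascript
// Added illustration, not MCP Preflight's detection logic; heuristics are assumptions.
const EPHEMERAL = new Set(["npx", "uvx", "bunx", "pnpx"]);
const SECRET_KEY = /(token|secret|password|api[_-]?key)/i;
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True when an npm-style spec ends in an exact version (pkg@1.2.3, @scope/pkg@1.2.3).
function isPinned(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 && /^\d+\.\d+\.\d+(-[\w.]+)?$/.test(spec.slice(at + 1));
}

function reviewMcpConfig(jsonText) {
  const findings = [];
  const config = JSON.parse(jsonText);
  // VS Code's mcp.json uses "servers"; Cursor-style files use "mcpServers".
  const servers = config.mcpServers || config.servers || {};
  for (const [name, s] of Object.entries(servers)) {
    const args = Array.isArray(s.args) ? s.args : [];
    // First non-flag argument is the package the launcher fetches and runs.
    const pkg = args.find((a) => !String(a).startsWith("-"));
    if (EPHEMERAL.has(s.command) && pkg && !isPinned(String(pkg))) {
      findings.push({ server: name, rule: "floating-launcher", detail: String(pkg) });
    }
    let u = null;
    try { u = new URL(s.url); } catch { u = null; } // no url, or not parseable
    if (u && u.protocol === "http:" && !LOCAL_HOSTS.has(u.hostname)) {
      findings.push({ server: name, rule: "insecure-remote", detail: u.origin });
    }
    for (const [key, value] of Object.entries(s.env || {})) {
      // A literal value is exposed in the file; a ${...} reference is not.
      if (SECRET_KEY.test(key) && typeof value === "string" && value && !value.includes("${")) {
        findings.push({ server: name, rule: "inline-credential", detail: key });
      }
    }
  }
  return findings;
}

// Constructed sample config (not from the project).
const SAMPLE = JSON.stringify({
  mcpServers: {
    files: { command: "npx", args: ["-y", "example-files-server"] },
    pinned: { command: "npx", args: ["-y", "@example/server@1.4.2"] },
    remote: { url: "http://mcp.example.test/sse", env: { API_TOKEN: "constructed-value" } },
    local: { url: "http://localhost:3000/mcp", env: { API_TOKEN: "${env:API_TOKEN}" } },
  },
});
console.log(reviewMcpConfig(SAMPLE));
```

Only the unpinned launcher and the plaintext remote with a literal token are reported; the pinned launcher and the localhost entry with a variable reference pass.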

Why people use it

  • It gives you a local review step before first trust.
  • Lite works without an account.
  • Findings explain what looked risky and what to change next.
  • Lite includes local suppression files, so you can tune the signal without paying to recover from noise.
  • It stays focused on MCP review instead of trying to be a general security platform.

Lite and Pro

  • Lite gives you the core local scan, text and JSON output, workspace and current-file scans, and local suppression files.
  • Pro adds reports, CI mode, Git hooks, and policy presets around that scan.
  • Pro is unlocked with a signed local license token. It does not require an MCP Preflight account.
  • Buy Pro: Stripe checkout
  • Activation and install: Pro guide

What MCP Preflight does not do

  • It does not run a hosted scan by default.
  • It does not act as an agent runtime or runtime gateway.
  • It does not claim live server testing in the default scan.
  • It does not try to be a complete AppSec suite.

Local activity

MCP Preflight can keep a small local activity log so you can see how often you scan, whether you have hit a Pro gate, and whether a local Pro token is already installed on the machine.

That log stays local. It does not include workspace contents, and MCP Preflight does not upload it to a hosted backend.

  • Disable it with MCP_PREFLIGHT_DISABLE_ACTIVITY=1
  • Change the file path with MCP_PREFLIGHT_ACTIVITY_FILE=/path/to/activity-log.jsonl

CLI commands

If you are using the npm-installed CLI:

  • mcp-preflight scan /path/to/workspace
  • mcp-preflight scan /path/to/workspace --format json
  • mcp-preflight scan /path/to/workspace --no-exit-code
  • mcp-preflight --help

If you are using the GitHub Release bundle directly:

  • node mcp-preflight.js scan /path/to/workspace
  • node mcp-preflight.js scan /path/to/workspace --format json
  • node mcp-preflight.js scan /path/to/workspace --no-exit-code
  • node mcp-preflight.js --help

Pro-only CLI surfaces:

  • mcp-preflight license guide
  • mcp-preflight license status
  • mcp-preflight license install --from-file /path/to/license.token
  • mcp-preflight ci /path/to/workspace --policy balanced
  • mcp-preflight hooks install /path/to/repo --hook pre-push

Repository layout

  • packages/core: shared scanning engine
  • packages/cli: command-line entrypoint
  • apps/vscode-extension: VS Code integration

Quick Setup
Installation guide for this server

Install Package (if required)

npx @modelcontextprotocol/server-mcp-preflight

Cursor configuration (mcp.json)

{
  "mcpServers": {
    "timesandplaces-mcp-preflight": {
      "command": "npx",
      "args": [
        "timesandplaces-mcp-preflight"
      ]
    }
  }
}