Scaffold, audit, and inspect Model Context Protocol (MCP) servers from the CLI.

MCP Anvil

Scaffold, audit, and inspect Model Context Protocol (MCP) servers from one CLI. The missing toolbox for MCP server authors.

pipx install mcp-anvil
mcp-anvil new my-server          # scaffold a real working server  (free)
mcp-anvil audit ./my-server      # 21-rule security + health audit (paid)
mcp-anvil inspect ./my-server    # live tool playground :7800       (paid)

Why MCP Anvil

Every MCP server shipped in 2026 reinvents the same plumbing — manifest, tool hygiene, a security audit nobody runs, a debugger that's barely there. Anthropic's official MCP Inspector is fine for one-off pokes but not a toolbox. The published fault taxonomies (arXiv 2506.13538 — 1,899 servers empirically studied; arXiv 2603.05637 — two-thirds Windows-specific faults) aren't productized anywhere.

MCP Anvil fills the gap. One CLI for the three things every MCP author does between "git init" and "ship":

1. Scaffold (free forever — lead-magnet on purpose)

mcp-anvil new my-server --lang python

Generates a complete project — pyproject.toml, MCP manifest, FastMCP-based server, working sample tool, tests, Dockerfile, README. Python and TypeScript templates both pass mcp-anvil audit . on first run.

2. Audit (21-rule security + health pass)

mcp-anvil audit ./my-server                   # full audit
mcp-anvil audit ./my-server --html report.html # share with security review
mcp-anvil audit ./my-server --strict          # fail CI on any warning

12 static rules + 9 runtime probes, grounded in the published research above + AgentDojo's injection benchmark. Sample findings:

  • static.tools.name_collision — Search and search differ only by case
  • static.security.hardcoded_secret — sk-ant-api03-... shape in your manifest
  • runtime.handshake.failed — server crashes on initialize
  • runtime.windows.large_payload_breaks_stream — cp1252 mangles long JSON
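
The two static findings above, implemented as an added example (not MCP Anvil's own rule code). The manifest layout, the helper names, and the key pattern beyond the `sk-ant-api03-` prefix are assumptions, and the sample key is constructed.

```python
import re
from collections import defaultdict

# Assumed pattern: the page only shows the "sk-ant-api03-..." prefix.
SECRET_SHAPES = {"anthropic_api_key": re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{8,}")}

def find_name_collisions(tools):
    """Report tool names that become identical after case folding."""
    groups = defaultdict(list)
    for tool in tools:
        groups[tool["name"].casefold()].append(tool["name"])
    return [
        {"rule": "static.tools.name_collision", "names": sorted(set(names))}
        for names in groups.values() if len(names) > 1
    ]

def find_secrets(node, path="$"):
    """Walk every string in the manifest and flag secret-shaped values."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += find_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += find_secrets(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for kind, pattern in SECRET_SHAPES.items():
            if pattern.search(node):
                # Report where the secret is, never the secret itself.
                findings.append({"rule": "static.security.hardcoded_secret",
                                 "path": path, "kind": kind})
    return findings

def audit_manifest(manifest):
    """Run both static checks; name collisions are listed first."""
    return find_name_collisions(manifest.get("tools", [])) + find_secrets(manifest)

# Constructed sample manifest: field names are assumptions, the key is fake.
SAMPLE = {
    "name": "my-server",
    "env": {"ANTHROPIC_API_KEY": "sk-ant-api03-EXAMPLEexample0000"},
    "tools": [
        {"name": "Search", "description": "web search"},
        {"name": "search", "description": "local search"},
        {"name": "echo", "description": "echo input"},
    ],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```

Reporting the JSON path rather than the matched value keeps the key out of audit output that may be shared with reviewers or stored in CI logs.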

Adversarial fuzzing is opt-in (--enable-fuzz) because it really does call your tools with injection payloads.

3. Inspect (live playground at localhost:7800)

mcp-anvil inspect ./my-server

Opens a browser dashboard that auto-renders forms from each tool's JSON schema, fires real MCP calls through a held stdio connection, and shows a run history with per-call latency. Beats the official MCP Inspector on polish — fixture-saving and response-diffing land in v1.1.

Pricing

Tier      Price          What you get
Free      $0             new command + demo mode for audit/inspect
Personal  $29 one-time   Everything. 1 developer, 1 year of updates
Team      $99 one-time   Everything. 5 developer seats, 1 year

14-day full-feature trial on first paid-command run. No signup. License is Ed25519-signed offline — no network call on the happy path. 14-day refund on email request.

Install

pipx install mcp-anvil          # recommended — isolated install
# or
pip install mcp-anvil           # works fine too

Requirements: Python 3.11+. Docker, Node, etc. are NOT required by MCP Anvil itself — they're requirements of the servers you scaffold.

Quickstart

mcp-anvil new my-first-server
cd my-first-server
python -m venv .venv
.venv\Scripts\activate          # Windows
# source .venv/bin/activate    # macOS/Linux
pip install -e .
mcp-anvil inspect .

Click the echo tool in the browser dashboard, type something, watch the round-trip in the timeline. That's the trial loop.

Activate a license

After purchase, you receive a base32-encoded blob via email. Activate it:

mcp-anvil license activate "AB3CD4EF..."   # paste your key
mcp-anvil license status                   # confirm

The license is stored at ~/.mcp-anvil/license.json. Verified locally with the embedded public key — no phoning home.

Status

v0.1.x — alpha. API surface is stable; rule additions ship in patch releases. v0.2 plans: fixture saving, response diffing, AgentDojo full-corpus adapter, Rust + Go templates.

Support

Built by AI Infra Decoded. Commercial license, single-developer terms — see LICENSE.md.

Download files

Source Distribution

mcp_anvil-0.1.5.tar.gz (80.4 kB)

Uploaded Source

Built Distribution

mcp_anvil-0.1.5-py3-none-any.whl (78.4 kB)

Uploaded Python 3

File details

Details for the file mcp_anvil-0.1.5.tar.gz.

File metadata

  • Download URL: mcp_anvil-0.1.5.tar.gz
  • Upload date:
  • Size: 80.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for mcp_anvil-0.1.5.tar.gz
Algorithm Hash digest
SHA256 3f5bb36d5ee913bcbd4595a178a3becb5a599e45d1e19cbe7134ca2c25f49084
MD5 c82b4a4183c83cdb94d6ccd6d9057dcb
BLAKE2b-256 2586e728666ed0609f2d034602bdbbb1482d5f37acfc39c6317a4d2d16b0899b

File details

Details for the file mcp_anvil-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: mcp_anvil-0.1.5-py3-none-any.whl
  • Upload date:
  • Size: 78.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for mcp_anvil-0.1.5-py3-none-any.whl
Algorithm Hash digest
SHA256 742389cba9b1401dc68af8e5f2061d329a09e0b174828358b653474dab549805
MD5 2f68927b5074c5477355e2c104d55b4e
BLAKE2b-256 805982b31878d1da76160446493761283e7e3244a33457e4d4eaf6b2e0df7b67
