See what any MCP server can touch — static blast-radius report for every target; manifest optional for divergence detection.
Project description
MCP Blast-Radius Auditor
See what any MCP server can actually touch — before you add it to your agent.
No manifest? You still get the full blast-radius report. Add a manifest to also catch divergences.
Also, if the server declares a manifest: Catch an MCP server that touches files it said it wouldn't — and block the merge in CI.
Statically extract what a third-party MCP server can reach (files, network, subprocess, env) via surface-level analysis. Compare against declared boundaries when a manifest is present.
30-second scan
pipx run mcp-blast-radius # MCP server
pip install . && mcp-blast-radius-gate --gate-mode blocking --target-dir /path/to/mcp-server
- Red (blocking): divergence detected — code touches paths or capabilities not declared in manifest.
- Green: no divergences (or no manifest — blast radius report only, advisory pass).
Install
python3 -m venv .venv
source .venv/bin/activate
pip install .
CLI entry
mcp-blast-radius # MCP stdio server
mcp-blast-radius-gate # CI gate (default blocking, exit 1 on fail)
CI blocking gate
mcp-blast-radius-gate --gate-mode blocking --target-dir .
# no divergences → exit 0 / divergences or declaration violations → exit 1
MCP tools
aos_compliance_validate— scan one MCP server directory (target_dirrequired;tool_idoptional label)aos_compliance_self_test— wiring smoke test
Default gate_mode=advisory. Use gate_mode=blocking in CI to fail on divergences.
What is extracted
| Layer | Scope | Confidence |
|---|---|---|
| Dependencies | requirements.txt, pyproject.toml, package.json |
declared |
| Python AST | imports, file I/O, network, env, subprocess; MCP tool attribution | observed-static / cannot-determine |
| Divergence | manifest permitted_output_paths / oracle_paths vs observed access |
blocking when mismatch |
Limitations: Static analysis only. Dynamic imports, getattr/eval, obfuscation, and native extensions may hide capabilities. We do not claim complete coverage — every finding includes a confidence label.
Environment
| Variable | Purpose |
|---|---|
AOS_VALIDATOR_TARGET_DIR |
Default scan root when target_dir is omitted |
AOS_VALIDATOR_MCP_LOG |
JSONL path for local tool call log (never sent externally) |
AOS_VALIDATOR_CALLER |
Caller label (ci, smoke_self_call, etc.) |
Example
aos_compliance_validate target_dir=/path/to/my-mcp-server gate_mode=blocking
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_blast_radius-0.2.1.tar.gz.
File metadata
- Download URL: mcp_blast_radius-0.2.1.tar.gz
- Upload date:
- Size: 16.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bad922d94f7e48a8d8c33a347a703316916d636b6cd6e9465cf221a526a0e58d
|
|
| MD5 |
b5b6a68d3b96aa6734c626b177ec2172
|
|
| BLAKE2b-256 |
cc3091cbbad5a765375e9b4a111efd0d7b41f2458862068ef395a88f7469cc02
|
File details
Details for the file mcp_blast_radius-0.2.1-py3-none-any.whl.
File metadata
- Download URL: mcp_blast_radius-0.2.1-py3-none-any.whl
- Upload date:
- Size: 18.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c012a679d6577952892b9a9f31029d96b427c74669e5abe25e1e7cb9fa2dd0f9
|
|
| MD5 |
04c363a58783af1963aece392fbbc4b5
|
|
| BLAKE2b-256 |
7d60f4a4b3b16504196603b5eaeedc23b4c7c035c2afd0bd7b7debdd11e1aae4
|
