CI-first conformance, security, and benchmarking CLI for MCP servers. Lint your MCP server before your users do.

mcp-halflist

What It Does

Point it at any MCP server and get a scored conformance report, a security vulnerability scan (prompt injection, tool poisoning, data exfiltration), and per-tool latency benchmarks. Fully offline, zero API keys, CI-native. One pip install, one command, done.

Install

pip install mcp-halflist

macOS users: use python3 instead of python in server commands.

Quick Start

# Full audit of the official MCP reference server (runs instantly, no setup)
halflist audit --stdio "npx -y @modelcontextprotocol/server-everything"

# Security scan + conformance check
halflist check --stdio "npx -y @modelcontextprotocol/server-everything"

# Benchmark tool latency
halflist bench --stdio "npx -y @modelcontextprotocol/server-everything" --all

# Pin tools, then verify later for rug pull detection
halflist pin --stdio "npx -y @modelcontextprotocol/server-everything"
halflist check --stdio "npx -y @modelcontextprotocol/server-everything" --verify-pins

# Your own server
halflist audit --stdio "python3 my_server.py"

# More real servers to try
halflist check --stdio "npx -y @modelcontextprotocol/server-time"
halflist check --stdio "npx -y @modelcontextprotocol/server-filesystem /tmp"

Commands

| Command | What it does |
|---|---|
| halflist check | Protocol conformance + security scanning |
| halflist bench | Per-tool latency benchmarking (p50/p95/p99) |
| halflist audit | Combined check + bench in one shot |
| halflist watch | Continuous health monitoring |
| halflist report | Generate markdown, HTML reports, or SVG badges from JSON |
| halflist pin | Save tool hashes for rug pull detection |

See the full command reference for all flags and examples.

Security Scanning

halflist scans tool descriptions for prompt injection, data exfiltration instructions, cross-tool manipulation, and suspicious encoding (base64, zero-width characters), and it detects rug pull attempts via tool pinning. All scanning is fully offline: zero API calls, zero data sharing. Unlike mcp-scan, which sends tool descriptions to an external API, halflist runs entirely on your machine.

See security scanning details for the full list of detection patterns.
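
The pinning idea described above, as an added example that is not halflist's own code: hash each tool definition at review time, then compare a later tool list against those hashes and flag zero-width characters in descriptions. The digest scheme (SHA-256 over canonical JSON of `name`, `description` and `inputSchema`), the function names and the sample tool lists are assumptions made for illustration; the page does not describe halflist's pin format.

```python
import hashlib
import json

# Invisible code points that can hide text from a human reviewer.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def tool_digest(tool: dict) -> str:
    """SHA-256 over a canonical JSON form of the fields the model is shown."""
    pinned = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(pinned, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tools(tools: list[dict]) -> dict[str, str]:
    """Build the pin set (tool name -> digest) at review time."""
    return {t["name"]: tool_digest(t) for t in tools}


def verify_pins(pins: dict[str, str], tools: list[dict]) -> list[str]:
    """Compare a later tool list against the pin set and report drift."""
    current = pin_tools(tools)
    findings = [f"removed: {n}" for n in sorted(pins.keys() - current.keys())]
    findings += [f"added: {n}" for n in sorted(current.keys() - pins.keys())]
    findings += [f"changed: {n}" for n in sorted(pins.keys() & current.keys())
                 if pins[n] != current[n]]
    for t in tools:
        if ZERO_WIDTH & set(t.get("description") or ""):
            findings.append(f"zero-width: {t['name']}")
    return findings


# Constructed sample data: the tool list as reviewed, and the same server later
# with a description that was modified after review.
REVIEWED = [{"name": "get_time", "description": "Return the current time.",
             "inputSchema": {"type": "object", "properties": {}}}]
LATER = [{"name": "get_time",
          "description": "Return the current time.\u200b (text added after review)",
          "inputSchema": {"type": "object", "properties": {}}}]

if __name__ == "__main__":
    pins = pin_tools(REVIEWED)
    print(verify_pins(pins, REVIEWED))
    print(verify_pins(pins, LATER))
```

Canonical JSON (sorted keys, fixed separators) keeps the digest stable when a server merely reorders fields, so only a real change to what the model sees trips the check.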

Output Formats

Terminal (colored, default) · JSON (--format json) · Markdown · HTML · SVG Badge

See the output format reference for details.

How It Compares

| Tool | Approach | Needs API key | Sends data externally |
|---|---|---|---|
| MCP Inspector | Interactive browser UI | No | No |
| mcp-probe | Interactive TUI (Rust) | No | No |
| mcp-server-tester | LLM-generated tests | Yes (Anthropic) | Yes |
| mcp-scan | Security scanning | Yes (OpenAI for local) | Yes (Invariant API) |
| mcp-halflist | CI-first check + security + bench | No | No |

License

MIT

Author

Abhishekh Singh

Download files

Source Distribution

mcp_halflist-0.3.0.tar.gz (374.1 kB)

Built Distribution

mcp_halflist-0.3.0-py3-none-any.whl (29.0 kB)

File details

Details for the file mcp_halflist-0.3.0.tar.gz.

File metadata

  • Download URL: mcp_halflist-0.3.0.tar.gz
  • Size: 374.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File details

Details for the file mcp_halflist-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: mcp_halflist-0.3.0-py3-none-any.whl
  • Size: 29.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9
