Skip to main content

Local-first MCP measurement — gawk at an MCP server before you trust it. No inventory ever leaves your machine.

Project description

mcpgawk by nativerse

gawk at it before you trust it.

mcpgawk

PyPI Python License CI No egress

gawk at an MCP server before you trust it. A single, local-first command that connects to any Model Context Protocol server and measures what it will cost and expose — without the server's inventory ever leaving your machine.

mcpgawk scanning an MCP server — tools, token cost, and capability flags, locally

Real output. Reproducible on your machine — no account, nothing uploaded.

Why

Every MCP server you connect dumps all its tool definitions into your model's context at connect time — whether you use one tool or none. That's a hidden token tax and an unvetted trust surface. mcpgawk measures both, locally, and never phones home about what it saw.

How it's different

  • vs. cloud scanners (e.g. Snyk/Invariant mcp-scan) — they upload your inventory to a server and gate the verdict. mcpgawk runs entirely on your machine; nothing is uploaded, ever.
  • vs. lazy-load gateways — they cut tokens but tell you nothing about the risk surface.
  • mcpgawk does both — cost and trust — locally, reproducibly, in one command.

Features

  • 🔌 Any transport — stdio, streamable-HTTP, SSE, and OAuth remotes (via the mcp-remote bridge).
  • 💸 Token cost index — exactly what each tool adds to your context at connect.
  • 🧾 Capability facts — write / exfil-capable / declared annotations, straight from the schema.
  • 📌 Integrity pin + drift — catch a server that silently rewrites its tools (--track).
  • 🚩 Bounded signals — injection-shaped descriptions, cross-server shadowing, under-declaring Server Cards — pointers for a human, never verdicts.
  • 🔒 Zero egress, by construction — the measurement layers import no network library. Enforced by a test.

Install

pip install mcpgawk        # or: uv tool install mcpgawk

Use

mcpgawk scan mcp.json                                              # a whole config
mcpgawk scan --stdio "npx -y @modelcontextprotocol/server-filesystem /tmp"
mcpgawk scan --http https://host/mcp --header "Authorization: Bearer $TOKEN"
mcpgawk scan --sse  https://host/sse
mcpgawk scan mcp.json --track                                     # record + detect rug-pulls over time
mcpgawk scan mcp.json --json                                      # machine-readable labels

What it reports

  • Cost index — tokens each tool adds at connect (named tokenizer; a comparable index, not an absolute Claude count).
  • Capability facts — write/mutating, exfil-capable, declared annotations.
  • Integrity pin — a hash that changes if the server silently rewrites its tools; --track turns it into rug-pull detection over time.
  • Bounded signals — precise, low-false-positive pointers for a human to review, never verdicts: injection-shaped descriptions (tools and prompts), cross-server name shadowing, and public Server Cards that under-declare what the server actually exposes.

Guarantees

  • No inventory egress. The only network is the protocol client talking to the server you point it at. The measurement layers import no network library — they cannot egress by construction (enforced by a test). Public Server Card discovery is fetched with no auth and no redirect-following.
  • Facts ≠ heuristics. Exact capability facts and the token index never mix with the bounded heuristic signals — separate in code, separate in output.
  • Reproducible. One command, identical numbers.
  • Rides protocol evolution. Built on the official mcp SDK, which negotiates the protocol version.

Develop

uv run --extra dev --with mcp --with tiktoken --with httpx python -m pytest -q

Contributing

Issues and PRs welcome. Please read CONTRIBUTING.md first, and see the design boundaries in THREAT-MODEL.md. Security reports go through SECURITY.md (privately, not a public issue).

License

Apache-2.0 — see LICENSE. Part of the nativerse · gawk.dev family. The value is in the repo, not a cloud.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcpgawk-0.1.0.tar.gz (632.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcpgawk-0.1.0-py3-none-any.whl (24.5 kB view details)

Uploaded Python 3

File details

Details for the file mcpgawk-0.1.0.tar.gz.

File metadata

  • Download URL: mcpgawk-0.1.0.tar.gz
  • Upload date:
  • Size: 632.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for mcpgawk-0.1.0.tar.gz
Algorithm Hash digest
SHA256 d9a6b0490a1994fd3c0a931843f26a818c0bfd4b8aa81d2e9c6ccf5caa543f06
MD5 dba9dd448446e663990f944106646db1
BLAKE2b-256 f45293c3d5fd5931ef740a35f4def079feccf7cb4019ab5954f7c48968540fd8

See more details on using hashes here.

File details

Details for the file mcpgawk-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: mcpgawk-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 24.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for mcpgawk-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d73e5d581dea45b28995afe2075fff6819d8d97f22c3b979a1f14c5ef68845c4
MD5 cdb07ee0c09cb04368de3d38920cf06d
BLAKE2b-256 9c27e9a9f1bbce5bf413d8efaa010ba66b8b7bc850dfcf0e813c5da3a9914b73

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page