Skip to main content

Local-first MCP measurement — gawk at an MCP server before you trust it. No inventory ever leaves your machine.

Project description

mcpgawk by nativerse

gawk at it before you trust it.

mcpgawk

PyPI Python License CI No egress

gawk at an MCP server before you trust it. A single, local-first command that connects to any Model Context Protocol server and measures what it will cost and expose — without the server's inventory ever leaving your machine.

mcpgawk scanning an MCP server — tools, token cost, and capability flags, locally

Real output. Reproducible on your machine — no account, nothing uploaded.

Why

Every MCP server you connect dumps all its tool definitions into your model's context at connect time — whether you use one tool or none. That's a hidden token tax and an unvetted trust surface. mcpgawk measures both, locally, and never phones home about what it saw.

How it's different

  • vs. cloud scanners (e.g. Snyk/Invariant mcp-scan) — they upload your inventory to a server and gate the verdict. mcpgawk runs entirely on your machine; nothing is uploaded, ever.
  • vs. lazy-load gateways — they cut tokens but tell you nothing about the risk surface.
  • mcpgawk does both — cost and trust — locally, reproducibly, in one command.

Features

  • 🔌 Any transport — stdio, streamable-HTTP, SSE, and OAuth remotes (via the mcp-remote bridge).
  • 💸 Token cost index — exactly what each tool adds to your context at connect.
  • 🧾 Capability facts — write / exfil-capable / declared annotations, straight from the schema.
  • 📌 Integrity pin + drift — catch a server that silently rewrites its tools (--track).
  • 🚩 Bounded signals — injection-shaped descriptions, cross-server shadowing, under-declaring Server Cards — pointers for a human, never verdicts.
  • 🔒 Zero egress, by construction — the measurement layers import no network library. Enforced by a test.

Install

pip install mcpgawk        # or: uv tool install mcpgawk

Use

mcpgawk scan mcp.json                                              # a whole config
mcpgawk scan --stdio "npx -y @modelcontextprotocol/server-filesystem /tmp"
mcpgawk scan --http https://host/mcp --header "Authorization: Bearer $TOKEN"
mcpgawk scan --sse  https://host/sse
mcpgawk scan mcp.json --track                                     # record + detect rug-pulls over time
mcpgawk scan mcp.json --json                                      # machine-readable labels

What it reports

  • Cost index — tokens each tool adds at connect (named tokenizer; a comparable index, not an absolute Claude count).
  • Capability facts — write/mutating, exfil-capable, declared annotations.
  • Integrity pin — a hash that changes if the server silently rewrites its tools; --track turns it into rug-pull detection over time.
  • Bounded signals — precise, low-false-positive pointers for a human to review, never verdicts: injection-shaped descriptions (tools and prompts), cross-server name shadowing, and public Server Cards that under-declare what the server actually exposes.

Guarantees

  • No inventory egress. The only network is the protocol client talking to the server you point it at. The measurement layers import no network library — they cannot egress by construction (enforced by a test). Public Server Card discovery is fetched with no auth and no redirect-following.
  • Facts ≠ heuristics. Exact capability facts and the token index never mix with the bounded heuristic signals — separate in code, separate in output.
  • Reproducible. One command, identical numbers.
  • Rides protocol evolution. Built on the official mcp SDK, which negotiates the protocol version.

Develop

uv run --extra dev --with mcp --with tiktoken --with httpx python -m pytest -q

Contributing

Issues and PRs welcome. Please read CONTRIBUTING.md first, and see the design boundaries in THREAT-MODEL.md. Security reports go through SECURITY.md (privately, not a public issue).

License

Apache-2.0 — see LICENSE. Part of the nativerse · gawk.dev family. The value is in the repo, not a cloud.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcpgawk-0.1.1.tar.gz (643.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcpgawk-0.1.1-py3-none-any.whl (24.5 kB view details)

Uploaded Python 3

File details

Details for the file mcpgawk-0.1.1.tar.gz.

File metadata

  • Download URL: mcpgawk-0.1.1.tar.gz
  • Upload date:
  • Size: 643.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for mcpgawk-0.1.1.tar.gz
Algorithm Hash digest
SHA256 a415594ef2d3677de4c7b493243de5880dc2eab56f565a317f077c6c0e38fc28
MD5 af30376172e3c51a9889bf6b8fe75d58
BLAKE2b-256 46d9cece5cf7c38cd839ef302a9ac7755e337f9b636c581994be9cd71274c40a

See more details on using hashes here.

File details

Details for the file mcpgawk-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: mcpgawk-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 24.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for mcpgawk-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 e6d34fcf440390efeee93dc468e526d8583c4430da1721d59fda8dd9ceae7db0
MD5 c4d4b3e3defcf5b51b7ad96b0e8cd97a
BLAKE2b-256 c3199c741a31ba213792534d62e770b3b99e04493f86c7cc6ddffc55d1b4960e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page