Free CLI + paid Pro security reports

Audit MCP configs before AI agents get access to files, shells, and tokens.

A local-first scanner for Claude Desktop, Cursor, Windsurf, and project MCP configs. Use the free CLI for quick checks, then sell or share client-ready Pro reports when a real audit needs a clean deliverable.

Buy Pro - $39 Run the free CLI
npx mcp-risk-scanner@latest --path ./mcp.json --fail-on high
Local-first Config files do not need to leave the developer machine.
0 deps No runtime package tree to audit before running the scanner.
CI-ready Fail pull requests when high-risk MCP configs are introduced.
Pro export Generate HTML reports built for founders, teams, and clients.

Built for developers shipping AI-agent workflows

MCP is the new plugin layer for agent tooling. That makes small JSON config files a real attack surface: a single server entry can launch shells, read broad filesystem paths, install remote packages, or expose secrets through environment variables.

Solo developers

Check local Claude, Cursor, Windsurf, and project configs before giving an agent tool access during a coding session.

AI agencies

Run scans before handing client work back, then attach a readable Pro report with risks and remediation steps.

Small teams

Add a policy file and GitHub Action so risky MCP config changes get caught before they reach the main branch.

Pro reports are the paid product

The free CLI earns trust and distribution through npm. The paid upgrade unlocks cleaner reporting, commercial usage, and a deliverable that agencies can send to customers without rewriting scan output by hand.

What Pro adds

  • Client-ready HTML report without demo watermark.
  • Executive summary for non-security stakeholders.
  • Prioritized high-risk finding table.
  • Remediation checklist for MCP config owners.
  • Signed offline license key; no hosted account required.
MCP Risk Scanner Pro report preview

Simple pricing for the first paid launch

Start with one-time purchase because it is easier for indie developers and AI agencies to say yes. Add subscription plans after rules, report history, or hosted team monitoring become recurring value.

Open Source

$0

For developers checking their own machine.

  • Text and JSON output
  • Basic HTML report
  • Policy file support
  • GitHub Action scaffold
Use free CLI

Pro Report Best first offer

$39

One-time license for paid report exports.

  • No-watermark Pro HTML reports
  • Commercial use for client work
  • Signed local license key
  • Free updates for the 0.x line
Request license

Agency Audit

$199+

One-time review for teams using MCP in production workflows.

  • Config risk review
  • Policy file setup
  • Remediation checklist
  • Follow-up report export
Request audit

How a paid customer gets value

1. Buy Pro

Customer purchases the one-time license through Gumroad, Lemon Squeezy, or the manual request link.

2. Receive license

You generate a signed license key and send the customer a short setup email.

3. Run locally

The customer sets the license key in their shell and runs the npm CLI against local MCP config files.

4. Export report

They get a polished HTML report with findings, risk level, and remediation checklist.

Ready for checkout wiring

The current public button uses GitHub issue intake so the page is honest before a payment account is configured. Once a Gumroad or Lemon Squeezy product is live, replace the Pro button URL with the checkout link and the product can accept one-time purchases.

Recommended first checkout: Gumroad product named MCP Risk Scanner Pro Report, permalink mcp-risk-scanner-pro, price $39, license keys enabled, post-purchase instructions copied from docs/SALES_OPERATIONS.md.