by KryptosAI
Test, secure, and monitor MCP servers before agents depend on them.
# Add to your Claude Code skills
git clone https://github.com/KryptosAI/mcp-observatory
Guides for using ai agents skills like mcp-observatory.
Last scanned: 7/3/2026
{
  "issues": [],
  "status": "PASSED",
  "scannedAt": "2026-07-03T07:19:46.952Z",
  "npmAuditRan": true,
  "pipAuditRan": true,
  "promptInjectionRan": true
}
mcp-observatory is an open-source AI agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by KryptosAI. Test, secure, and monitor MCP servers before agents depend on them. It has 145 GitHub stars.
Yes. mcp-observatory passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/KryptosAI/mcp-observatory" and add it to your Claude Code skills directory (see the Installation section above).
mcp-observatory is primarily written in TypeScript. It is open-source under KryptosAI on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcp-observatory against similar tools.
███╗ ███╗ ██████╗██████╗
████╗ ████║██╔════╝██╔══██╗
██╔████╔██║██║ ██████╔╝
██║╚██╔╝██║██║ ██╔═══╝
██║ ╚═╝ ██║╚██████╗██║
╚═╝ ╚═╝ ╚═════╝╚═╝
O B S E R V A T O R Y
The GitHub-native CI, SARIF, and security gate for MCP servers before agents depend on them.
Agents should not depend on tools nobody tests. MCP Observatory turns a local MCP check into release-gate evidence maintainers already understand: GitHub Actions, security findings, schema drift detection, PR reports, score badges, agent-accessible diagnostics, and GitHub Code Scanning SARIF.
Start with one server:
npx @kryptosai/mcp-observatory test npx -y my-mcp-server
Then convert the passing check into CI with Code Scanning:
npx @kryptosai/mcp-observatory setup-ci --all --command "npx -y my-mcp-server" --sarif
See the launch page, GitHub Code Scanning demo, and GitHub Code Scanning for MCP servers.
Two more fast paths:
Cloned this repo? Start here: CLONED_THIS.md. Want to contribute? Add one server to the MCP Target Registry or use the Agent Task Pack.
Add MCP CI in one command:
npx @kryptosai/mcp-observatory setup-ci --all --command "npx -y my-mcp-server"
Upload normalized MCP findings to GitHub Code Scanning when you want a security-native release gate:
npx @kryptosai/mcp-observatory setup-ci --all --command "npx -y my-mcp-server" --sarif
Add Observatory as an agent-accessible MCP server:
claude mcp add mcp-observatory -- npx -y @kryptosai/mcp-observatory serve
Building an autonomous agent, OpenClaw-style productivity machine, MCP gateway, or bot runtime? Start with the agent runtime quickstart, copy the OpenClaw MCP reliability agent template, or point your agent at llms.txt and AGENTS.md.
Or test a server immediately:
npx @kryptosai/mcp-observatory test npx -y @modelcontextprotocol/server-everything
Use it as a CLI, a GitHub Action, or an MCP server that lets your AI agent scan, test, record, replay, and verify other MCP servers autonomously.
MCP servers are becoming production dependencies. If agents rely on them, teams need a way to catch broken tools, unsafe schemas, schema drift, slow responses, and security footguns before those failures reach users.
Observatory gives maintainers and teams:
setup-ci --all
See the launch page, GitHub Code Scanning for MCP servers, Code Scanning demo, target gallery, target registry, target contribution guide, Agent Task Pack, setup-ci --doctor, MCP server security field guide, Safety Methodology, MCP Server Safety Index, June 2026 safety field report, reference evaluations, MCP lock files, public proof, campaign attribution, local metrics dashboard, and commercial support.
MCP servers are becoming part of the AI software supply chain. Agents need reliable, testable, auditable tools before those tools become dependencies in mission-critical workflows.
MCP Observatory gives security and platform teams MCP server CI, schema drift detection, security findings, SARIF/HTML/Markdown reports, GitHub Code Scanning upload, and a path toward certification or fleet visibility. Local OSS use stays free; production, private repo, and fleet usage can move through a paid MCP Readiness Review.
Local OSS use stays free under MIT. Teams running MCP in production can use the MCP Readiness Review for CI rollout, SARIF/Code Scanning setup, private repo review, recurring security reports, certification review, support, and fleet visibility. The default package starts at $2,500.
Run npx @kryptosai/mcp-observatory cloud, open a pilot request from the issue chooser, or see COMMERCIAL.md. Also see privacy and telemetry, campaign attribution, and terms for production use.
Scan every MCP server in your Claude config:
npx @kryptosai/mcp-observatory
Go deeper — also invoke safe tools to verify they actually run:
npx @kryptosai/mcp-observatory scan deep
Test a specific server:
npx @kryptosai/mcp-observatory test npx -y @modelcontextprotocol/server-everything
Add it to Claude Code as an MCP server:
claude mcp add mcp-observatory -- npx -y @kryptosai/mcp-observatory serve
Or add it manually to your config:
{
"mcpServers": {
"mcp-observatory": {
"command": "npx",
"args": ["-y", "@kryptosai/mcp-observatory", "serve"]
}
}
}
| Command | What it does |
|---|---|
| `scan` | Auto-discover servers from config files and check them all (default) |
| `scan deep` | Scan and also invoke safe tools to verify they execute |
| `test <cmd>` / `test --target <file>` | Test a specific server by command or target config |
| `record <cmd>` | Record a server session to a cassette file for offline replay |
| `replay <cassette>` | Replay a cassette offline — no live server needed |
| `verify <cassette> <cmd>` | Verify a live server still matches a recorded cassette |
| `diff <base> <head>` | Compare two run artifacts for regressions and schema drift |
| `watch <config>` | Watch a server for changes, alert on regressions |
| `suggest` | Detect your stack and recommend MCP servers from the registry |
| `serve` | Start as an MCP server for AI agents |
| `lock` | Snapshot MCP server schemas into a lock file |
| `lock verify` | Verify live servers match the lock file |
| `history` | Show health score trends for your MCP servers |
| `setup-ci` / `init-ci` | Create a GitHub Action and badge snippet for MCP compatibility/security checks |
| `setup-ci --sarif` | Generate a workflow that uploads normalized findings to GitHub Code Scanning |
| `setup-ci --doctor` | Inspect whether the repository has a complete CI adoption kit |
| `ci-report` | Generate CI report for GitHub issue creation |
| `enterprise-report` | Generate a static production/security report from run artifacts |
| `score <cmd>` | Score an MCP server's health (0-100) |
| `badge <cmd>` | Generate an SVG health score badge for README |
| `cloud` | Show hosted reporting, security review, and enterprise pilot options |
Run with no arguments for an interactive menu:
Check capabilities — connects to a server and verifies tools, prompts, and resources respond correctly.
Invoke tools — goes beyond listing. Actually calls safe tools (no required params / readOnlyHint) and reports which ones work and which ones crash.
npx @kryptosai/mcp-observatory scan deep
Detect schema drift — diffs two runs and surfaces added/removed fields, type changes, and breaking parameter changes.
npx @kryptosai/mcp-observatory diff run-a.json run-b.json
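To make the drift categories concrete, here is an added example (not Observatory's code or artifact format) that compares two snapshots of a server's tool list and separates changes that break existing callers from changes that only need review. The `ToolDef` shape, the `diffTools` name and the sample data are assumptions for illustration.

```typescript
// Added example, not Observatory's code. Assumption: each snapshot is the `tools`
// array from an MCP tools/list result (tool name plus JSON Schema inputSchema).
type Props = { [param: string]: { type?: string } };
interface ToolDef { name: string; inputSchema: { properties?: Props; required?: string[] } }
interface Drift { tool: string; change: string; level: "breaking" | "review" }
// Own-property check so parameter names like "constructor" are not found on the prototype.
const has = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

function byName(tools: ToolDef[]): { [name: string]: ToolDef } {
  const out: { [name: string]: ToolDef } = Object.create(null);
  for (const t of tools) out[t.name] = t;
  return out;
}

function diffTools(base: ToolDef[], head: ToolDef[]): Drift[] {
  const drift: Drift[] = [];
  const a = byName(base), b = byName(head);
  for (const name of Object.keys(a)) {
    if (!b[name]) { drift.push({ tool: name, change: "tool removed", level: "breaking" }); continue; }
    const pa = a[name].inputSchema.properties || {}, pb = b[name].inputSchema.properties || {};
    const ra = a[name].inputSchema.required || [], rb = b[name].inputSchema.required || [];
    for (const p of Object.keys(pa)) {
      if (!has(pb, p)) drift.push({ tool: name, change: `param removed: ${p}`, level: "breaking" });
      else if (pa[p].type !== pb[p].type) drift.push({ tool: name, change: `type changed: ${p}`, level: "breaking" });
    }
    for (const p of Object.keys(pb)) {
      const required = rb.indexOf(p) >= 0;
      // A new required parameter breaks existing callers; a new optional one only widens the surface.
      if (!has(pa, p)) drift.push({ tool: name, change: `param added: ${p}`, level: required ? "breaking" : "review" });
      else if (required && ra.indexOf(p) < 0) drift.push({ tool: name, change: `param now required: ${p}`, level: "breaking" });
    }
  }
  // New tools do not break callers, but they give the agent new capabilities to review.
  for (const name of Object.keys(b))
    if (!a[name]) drift.push({ tool: name, change: "tool added", level: "review" });
  return drift;
}

// Constructed sample snapshots (not real server output).
const baseRun: ToolDef[] = [
  { name: "read_file", inputSchema: { properties: { path: { type: "string" } }, required: ["path"] } },
  { name: "list_dir", inputSchema: { properties: { depth: { type: "number" } } } },
];
const headRun: ToolDef[] = [
  { name: "read_file", inputSchema: { properties: { path: { type: "string" }, encoding: { type: "string" } }, required: ["path", "encoding"] } },
  { name: "list_dir", inputSchema: { properties: { depth: { type: "string" } } } },
  { name: "delete_file", inputSchema: { properties: { path: { type: "string" } }, required: ["path"] } },
];
console.log(diffTools(baseRun, headRun));
```

A release gate built on this would fail the build on any `breaking` entry and route `review` entries, such as the new `delete_file` tool, to a human before the agent is allowed to call them.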
Recommend servers — scans your project for languages, frameworks, databases, and cloud providers, then cross-references the MCP registry to suggest servers you're missing.
npx @kryptosai/mcp-observatory suggest
Or ask your agent "what MCP servers should I add?" when running in MCP server mode.
Security scanning — analyzes tool schemas for dangerous patterns: shell injection surfaces, broad filesystem access, missing auth, and credential leakage in responses.
npx @kryptosai/mcp-observatory test --security npx -y my-mcp-server
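The kind of schema check described above can be sketched as follows; this is an added example, not Observatory's rule set. The parameter-name lists, rule ids, secret patterns and sample data are illustrative assumptions, and the input is assumed to be the `tools` array of an MCP tools/list result.

```typescript
// Added example, not Observatory's rule set. The name lists, rule ids and secret
// patterns are illustrative assumptions; input is the `tools` array of an MCP tools/list result.
interface Param { type?: string; enum?: string[]; pattern?: string }
interface Tool { name: string; inputSchema: { properties?: { [p: string]: Param } } }
interface Finding { tool: string; param: string; rule: string }

const SHELL_NAMES = /(^|_)(cmd|command|shell|script|exec)$/;
const PATH_NAMES = /(^|_)(path|file|filename|dir|directory)$/;

// A free-form string is one the schema does not narrow with an enum or a pattern.
function isFreeForm(p: Param): boolean {
  return p.type === "string" && !(p.enum && p.enum.length > 0) && !p.pattern;
}

function lintTools(tools: Tool[]): Finding[] {
  const findings: Finding[] = [];
  for (const tool of tools) {
    const props = tool.inputSchema.properties || {};
    for (const param of Object.keys(props)) {
      if (!isFreeForm(props[param])) continue;
      // Normalise camelCase to snake_case so "outputPath" and "output_path" match alike.
      const key = param.replace(/([a-z0-9])([A-Z])/g, "$1_$2").toLowerCase();
      if (SHELL_NAMES.test(key)) findings.push({ tool: tool.name, param, rule: "shell-injection-surface" });
      else if (PATH_NAMES.test(key)) findings.push({ tool: tool.name, param, rule: "broad-filesystem-access" });
    }
  }
  return findings;
}

// Credential leakage: look for well-known secret formats in a tool's response text.
const SECRET_PATTERNS: { [kind: string]: RegExp } = {
  "aws-access-key-id": /\bAKIA[0-9A-Z]{16}\b/,
  "private-key-block": /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
};
function leakedSecrets(responseText: string): string[] {
  return Object.keys(SECRET_PATTERNS).filter((kind) => SECRET_PATTERNS[kind].test(responseText));
}

// Constructed sample tool list and response (not real server output).
const sampleTools: Tool[] = [
  { name: "run_task", inputSchema: { properties: { command: { type: "string" }, timeoutMs: { type: "number" } } } },
  { name: "git_action", inputSchema: { properties: { command: { type: "string", enum: ["status", "log"] } } } },
  { name: "export_report", inputSchema: { properties: { outputPath: { type: "string" } } } },
  { name: "get_profile", inputSchema: { properties: { profile: { type: "string" } } } },
];
// AKIAIOSFODNN7EXAMPLE is the placeholder key id used in AWS documentation.
const sampleResponse = "config loaded: aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=us-east-1";
console.log(lintTools(sampleTools), leakedSecrets(sampleResponse));
```

Name-based rules like these flag what a schema permits, not what the server does with the value, so a finding is a prompt to add an `enum`, a `pattern` or a server-side allowlist rather than proof of a vulnerability.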
Record / replay / verify — capture a live session, re