@mcp-label/cli
Command-line interface for mcp-label — a privacy, safety, and permissions label for MCP servers.
Install
npm install -g @mcp-label/cli
Or use directly with npx:
npx @mcp-label/cli scan
Commands
scan — Scan MCP server configurations
# Auto-discover configs (Claude, Cursor, GitHub Copilot)
mcp-label scan
# Scan a specific config file
mcp-label scan --config ./mcp.json
# Output JSON report
mcp-label scan --config ./mcp.json --json
# Output Markdown
mcp-label scan --config ./mcp.json --markdown
# Write JSON report to file
mcp-label scan --config ./mcp.json --output report.json
# Fail CI if risk is high or above
mcp-label scan --config ./mcp.json --fail-on high
# Show scoring rationale
mcp-label scan --config ./mcp.json --explain
export — Export a report to another format
mcp-label export --input report.json --format markdown --output LABEL.md
mcp-label export --input report.json --format svg --output label.svg
policy — Evaluate against policy rules
mcp-label policy check --config ./mcp.json --policy ./policy.yaml
harden — Generate safer config suggestions
mcp-label harden --config ./mcp.json --server github
diff — Compare two reports or snapshots
mcp-label diff old-report.json new-report.json
init — Create starter files for maintainers
mcp-label init
Supported config locations
Auto-discovery checks these paths:
| Platform | Paths |
|---|---|
| macOS | ~/Library/Application Support/Claude/claude_desktop_config.json, ~/.cursor/mcp.json, ~/.config/github-copilot/intellij/mcp.json, ~/.config/opencode/opencode.json |
| Linux | ~/.config/Claude/claude_desktop_config.json, ~/.cursor/mcp.json, ~/.config/github-copilot/intellij/mcp.json, ~/.config/opencode/opencode.json |
| Windows | %APPDATA%/Claude/claude_desktop_config.json, %USERPROFILE%/.cursor/mcp.json, %APPDATA%/opencode/opencode.json |
Example output
Config: ./.cursor/mcp.json
Servers: 2
Overall: C / HIGH
github (known.github-mcp)
Capability: High Risk: High Hardening: C Trust: High
Expected capabilities:
HIGH secrets.env (expected) Environment variable detected: GITHUB_PERSONAL_ACCESS_TOKEN
MEDIUM repo.read (expected) GitHub MCP server inferred
HIGH repo.write (expected) Possible write access inferred
Recommendations:
- Use a fine-grained GitHub token.
- Prefer read-only scopes where possible.
Safety
- Default scan is static only — no MCP servers are started or contacted
- Secret values are never printed — only variable names are shown
- No telemetry, no cloud calls
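The static, names-only behaviour described in the Safety list above, sketched as an added example (not mcp-label's own code). It assumes the `mcpServers` config layout and a hypothetical name-matching heuristic; the sample config and its token value are constructed.

```javascript
// Added example, not mcp-label's code. Static check only: the config text is
// parsed, no server is spawned or contacted, and env values are never returned.

// Assumed heuristic for secret-looking variable names (not the tool's rule set).
const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL)/i;

// Constructed sample config; the token value is a fake placeholder.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    github: {
      command: "npx",
      args: ["-y", "example-github-mcp-server"], // hypothetical package name
      env: { GITHUB_PERSONAL_ACCESS_TOKEN: "constructed-not-a-real-token", LOG_LEVEL: "info" },
    },
    notes: { command: "node", args: ["./notes-server.js"] }, // no env block at all
  },
});

const asObject = (v) => (v !== null && typeof v === "object" ? v : {});

// Returns one finding per secret-looking env variable, carrying the name only.
function findSecretEnvNames(configText) {
  let config;
  try {
    config = JSON.parse(configText);
  } catch {
    // JSON.parse messages can quote the input, so the original error is not echoed.
    throw new Error("config is not valid JSON");
  }
  const findings = [];
  for (const [server, entry] of Object.entries(asObject(asObject(config).mcpServers))) {
    for (const name of Object.keys(asObject(asObject(entry).env))) {
      if (SECRET_NAME.test(name)) {
        findings.push({ server, capability: "secrets.env", variable: name });
      }
    }
  }
  return findings;
}

// Render findings in a form that is safe to paste into CI logs or tickets.
function formatFindings(findings) {
  return findings.map(
    (f) => `HIGH ${f.capability} ${f.server}: environment variable detected: ${f.variable}`
  );
}

console.log(formatFindings(findSecretEnvNames(SAMPLE_CONFIG)).join("\n"));
```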
Supported clients
- Claude Desktop — claude_desktop_config.json
- Cursor — .cursor/mcp.json
- GitHub Copilot — .config/github-copilot/intellij/mcp.json
- OpenCode — opencode.json / opencode.jsonc (local, remote, and OAuth servers)
Docs
- Publishing to npm — Full publish workflow and CI/CD setup
License
MIT