MCP Capability Inspector and Schema Validator Tool - Inspect tools, resources, and prompts and Flag Risky MCP Declarations
First Published:
Last Updated:
tools/list, resources/list, or prompts/list response (or any object containing those arrays) and the tool builds a readable tree, validates each declaration against the MCP specification, and statically flags risky declaration patterns for manual review.All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server, no MCP server is contacted, and no URL is ever fetched. Your capability JSON never leaves your device.
- This tool is provided "AS IS" without any warranties of any kind.
- This tool performs static inspection only. It never connects to an MCP server, never executes a tool, and never fetches any URL.
- A clean result does not guarantee that a server is safe - real behavior, the actual implementation behind a declaration, and future updates are all out of scope.
- Every risk finding is a flag for manual review, not a verdict of safe or malicious.
- By using this tool, you accept full responsibility for any outcomes.
This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.
Capabilities JSON Input
.json file here, or click to choose a file
Inspection Results
About This Tool
The Model Context Protocol (MCP) lets a server expose tools (model-invoked actions), resources (context data identified by URI), and prompts (user-selected templates). A client discovers them with tools/list, resources/list, and prompts/list, then puts those declarations - including each tool's inputSchema and description - in front of a language model. Because the model reads those declarations and may act on them, reviewing what a server publishes before you connect is a meaningful safety step. This tool does that entirely in your browser:
- Inspector: normalizes the pasted JSON into a collapsible tree of tools, resources, resource templates, and prompts - showing names, titles, descriptions, input properties and their types, resource URIs and MIME types, prompt arguments, and tool annotations.
- Validator: checks each declaration against the MCP schema (required fields,
inputSchemashape, name constraints, duplicates) and reports line-pathed Error / Warning / Info, each labeled spec or recommendation. - Risk Heuristics: statically flags patterns such as instruction-like text hidden in a description (tool poisoning), annotations that contradict the declared behavior, an over-broad input surface, external URLs, invisible / bidirectional characters, and credential-shaped inputs.
The schema rules and detection patterns were validated against the official Model Context Protocol specification revision 2025-11-25 (the current revision), confirmed on 2026-06-23. The specification evolves; re-check the sources below for the current field set.
Specification Sources
- MCP server tools (Tool object,
inputSchema, ToolAnnotations,execution.taskSupport): modelcontextprotocol.io/specification/2025-11-25/server/tools - MCP server resources (Resource and ResourceTemplate objects, annotations): modelcontextprotocol.io/specification/2025-11-25/server/resources
- MCP server prompts (Prompt and PromptArgument objects): modelcontextprotocol.io/specification/2025-11-25/server/prompts
- MCP versioning (current revision): modelcontextprotocol.io/specification/versioning
Features
- 🌳 Capability Tree: One readable view of tools, resources, resource templates, and prompts, with collapsible entries.
- ✅ Schema Validation: Path-anchored Error / Warning / Info against MCP 2025-11-25, covering tools, resources, templates, and prompts.
- 🏷️ Spec vs. Recommendation: Every finding is labeled a documented requirement or this tool's suggestion - no invented rules.
- 🛡️ Risk Heuristics: Tool-poisoning text, contradictory annotations, over-broad input, external URLs, invisible characters, and credential-shaped inputs - each with a short "why review".
- 🧩 Flexible Input: Accepts a raw
*/listresponse, a JSON-RPC envelope (resultobject), or an object/array containing the declarations. - 📂 Drag and Drop: Drop a
.jsonfile or paste; Ctrl+Enter (Cmd+Enter) runs the inspection. - 🔒 Privacy First: All processing happens locally - no server connection, no URL fetch, no data leaves your browser.
How to Use
- Paste or drop your MCP capabilities JSON (or click an Example).
- Click Inspect and Validate (or press Ctrl+Enter / Cmd+Enter).
- Inspector tab: read the capability tree; expand any tool, resource, or prompt.
- Validator tab: review schema Errors, Warnings, and Info, each with a JSON path and a spec / recommendation label.
- Risk Heuristics tab: review High / Medium / Low flags for manual review.
- Copy Report to take the combined results into a review checklist or pull-request comment.
Validation Rules
Required fields come from the MCP specification (Tool requires name and inputSchema; Resource requires uri and name; ResourceTemplate requires uriTemplate and name; Prompt and each argument require name). "Origin" distinguishes a documented requirement (spec) from this tool's suggestion (recommendation).
| ID | Level | Origin | What it checks |
|---|---|---|---|
T-E1 | Error | spec | Tool missing required name (non-empty string) |
T-E2 | Error | spec | Tool missing required inputSchema |
T-E3 | Error | spec | inputSchema is null / not a JSON Schema object |
T-E4 | Error | spec | inputSchema.type is not "object" |
T-E5 | Error | spec | inputSchema.properties / required malformed |
T-W1 | Warning | spec | Tool name outside 1-128 chars of A-Z a-z 0-9 _ - . (SHOULD) |
T-W2 | Warning | spec | Duplicate tool name (SHOULD be unique) |
T-W3 | Warning | spec | required lists a property not in properties |
T-W4 | Warning | spec | execution.taskSupport not forbidden / optional / required |
R-E1 / R-E2 | Error | spec | Resource missing uri / name |
R-W1 | Warning | spec | Resource uri has no scheme (RFC 3986) / duplicate uri |
RT-E1 / RT-E2 | Error | spec | Resource template missing uriTemplate / name |
P-E1 | Error | spec | Prompt missing name |
P-E2 | Error | spec | Prompt argument missing name |
P-W1 | Warning | spec | Duplicate prompt name / argument required not boolean |
A-W1 | Warning | spec | Annotation field invalid (hint not boolean, audience / priority out of range) |
X-I1 | Info | recommendation | Unknown key (possible typo, e.g. input_schema for inputSchema) |
X-I2 | Info | recommendation | Tool has no description (optional in the spec, but the model relies on it) |
R-I1 / P-I1 | Info | recommendation | Resource missing mimeType / prompt missing description |
Heuristic Risk Checks
Every detection below produces a flag for manual review, never a verdict. Severity reflects how dangerous the pattern is if malicious, not a probability that it is. These checks are this tool's own recommendations, inspired by the defensive thinking in the companion MCP Tool Poisoning Defense Guide.
| ID | Severity | Category | What it flags |
|---|---|---|---|
H1 | High | Tool poisoning / hidden instruction | Instruction-like phrases in a declared name / description / schema ("ignore previous", "do not tell the user", <IMPORTANT>) - text the model reads but a user may overlook |
H2 | Medium | Destructive / high-impact vocabulary | Wording implying deletion, execution, or privilege (delete, drop table, rm -rf, exec, sudo) |
H3 | Medium / Low | Annotation contradicts behavior | readOnlyHint: true while the text implies writes, or inconsistent hints - annotations are untrusted |
H4 | Medium / Low | Over-broad input surface | No properties with additionalProperties not false, or an untyped property |
H5 | Low | External URL / egress | An http(s) URL in a declaration - fetched content can carry instructions (this tool never fetches it) |
H6 | High / Medium | Obfuscation / invisible characters | Zero-width, bidirectional, and Unicode tag characters, or long base64 / hex blobs |
H7 | Low | Credential-shaped input | An input property named like a secret (password, token, api_key, private_key) |
FAQ
What is a tool inputSchema?
Each MCP tool declares an inputSchema - a JSON Schema object (defaulting to draft 2020-12) with "type": "object" - that describes the arguments the tool accepts. The client and model use it to construct valid tools/call arguments. The MCP spec requires inputSchema to be a valid JSON Schema object (never null); a tool with no parameters typically uses { "type": "object", "additionalProperties": false }.
What is tool poisoning?
Tool poisoning is when a server hides instructions for the model inside the text it declares - most often a tool's description or an argument description - so that the model reads and acts on them while the user, who usually only sees a tool name, never notices. This tool flags instruction-like phrasing and hidden / invisible characters as a prompt for manual review, but it cannot judge intent in natural language.
Does a clean result mean the server is safe?
No. A clean result means none of this tool's static schema and heuristic checks matched. It is a fast, repeatable baseline, not a safety certificate. The real behavior behind a declaration, the server's trustworthiness, and future changes to its capabilities are all out of scope. Use it as one input to a manual review, and remember the MCP spec itself says clients must treat tool annotations as untrusted unless the server is trusted.
Which MCP specification is this checked against?
The current MCP revision, 2025-11-25, confirmed against the official specification on 2026-06-23 (see Specification Sources above). MCP uses date-based revisions; because the specification changes, re-check those pages for the current field set before relying on a result.
Does this tool connect to my MCP server?
No. It is entirely client-side. It never opens a connection to an MCP server, never issues tools/list or any other request, never executes a tool, and never fetches a URL it finds in the input. You paste the declarations you already have (for example, the output of a tools/list call), and everything is analyzed locally in your browser.
Important Notes
- This tool performs static inspection of MCP capability declarations against the MCP specification revision 2025-11-25 (verified 2026-06-23). Heuristic risk checks are best-effort and may produce false positives or miss real issues. A clean result is not a guarantee that a server is safe - always review the source and trust of any MCP server you connect.
- A static inspector fundamentally cannot do three things, so never mistake a clean result for safety:
- Judge intent in natural language - an instruction hidden in a description can be grammatically ordinary; whether it serves the tool's purpose is a human question.
- See the real implementation - the declaration is a contract, not the code; what a tool actually does when called is not visible in its schema.
- See the future - a server that publishes a clean declaration today can change it tomorrow, which is why re-reviewing matters.
- Tool annotations (
readOnlyHint,destructiveHint,idempotentHint,openWorldHint) are untrusted hints. The MCP spec states clients must treat them as untrusted unless they come from a trusted server - do not rely on them for a security decision. - Specifications change. The validator reflects the MCP revision confirmed on 2026-06-23; verify the current field set against the official sources above before relying on a result.
Related Tools
- MCP Server Configuration Builder and Validator Tool - build and validate MCP client connection settings (this tool checks the published capabilities instead)
- Agent Skills Validator and Security Scanner Tool - the SKILL.md counterpart: validate frontmatter and flag risky patterns
- JSON Schema Generator and Validator Tool - inspect or build the JSON Schema used by a tool inputSchema
- JSON Formatter Tool - format and validate the capability JSON before pasting it here
Related Articles
- MCP Tool Poisoning Defense Guide - how malicious instructions hide in capability declarations, and how to defend against them
- MCP Server Implementation Reference - how a server declares tools, resources, and prompts
- MCP Server Testing and Debugging Guide - inspect and exercise a server's capabilities end to end
References:
Tech Blog with curated related content
Web Tools Collection