
Hermes Plant

Pay-per-call finance APIs for AI agents


MCP manifest risk review playbook for agent operators

Export or construct the manifest

From your agent host or Cursor/Claude config, collect the tools array: each entry must have a name, plus optional description, scopes or permissions, inputSchema when present, and a network boolean. Also record the server identifier and the authModel (none, token, oauth, etc). If you have already reviewed an earlier version of this server, retain the list of its tool names as priorTools so the analyzer can emit permission-diff findings for newly added capabilities; without that list the permission-diff factor has nothing to compare against.

Call the analyzer (hosted or local)

POST the manifest JSON to https://hermesplant.com/api/agent-services/mcp-risk/score (paid via x402) or use the Operator Pack CLI: mcp-risk score manifest.json --json. Both apply the same six-factor rule set, so a local run and the hosted call should agree on a given manifest. Always capture the full response, including the requestId, the overall risk level, the requiresApproval flag and the findings array, for your audit trail.

Interpret findings by factor and severity

Group findings by factor. destructive-action covers tools whose names or descriptions carry delete, drop, exec, rm or shell. over-broad-scope flags wildcards, admin, or absent scopes on write tools. sensitive-egress fires when a tool that reads secrets, env or files also declares network or an egress verb. weak-auth is raised once, at server level, when no real authModel is declared. prompt-injection-surface catches free-text schema fields that flow into destructive actions, since an injected instruction can fill them. permission-diff surfaces any tool name absent from the priorTools list, escalated when that tool is destructive. Critical and high findings require human approval before the agent may install the server. Note that the per-tool factors are keyword rules over names, descriptions and schemas, so a tool whose wording avoids the listed verbs can pass a factor it should have triggered; read the manifest yourself as well as the score.

Apply the suggested fixes

For every finding, apply the fix string literally where possible: replace broad scopes with least-privilege lists, add explicit auth gates or dry-run modes, split any tool that both reads secrets and performs egress into separate tools, constrain inputSchema to enum or typed values instead of open text when the tool performs exec or writes, and re-review on every new tool addition. Re-export the manifest and re-score until the overall risk is medium or low.

Gate the install and log evidence

Never let an agent auto-install on critical or high. Persist the requestId, the risk value, the full findings array and the x402 payment receipt together with the agent session log and the manifest you submitted, so a later reviewer can tie the decision to the exact manifest that was scored. Pair the pre-install score with DestructGuard runtime blocking and ReviewQueue approval for any subsequent destructive commands the MCP server may enable: the manifest score covers declared capabilities, the runtime controls cover what the agent actually invokes. This creates a complete chain from manifest review through execution audit.
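The five steps end to end, as an added example that is not part of this playbook and not the Hermes Plant analyzer or CLI: a local Python reimplementation of the six factors as the page describes them, run over a constructed manifest and then over the same manifest after the step-4 fixes, with the step-5 gate applied to each result. The keyword vocabularies beyond the verbs the page names, the severity assignments, the fix strings and the example server are assumptions; the hosted API's requestId and x402 receipt are not modelled.

```python
# Added example written for this page: a local reimplementation of the six
# factors the playbook describes. It is NOT the Hermes Plant analyzer or CLI;
# keyword lists beyond the playbook's verbs, severities and fix strings are assumptions.
import re

DESTRUCTIVE = {"delete", "drop", "exec", "rm", "shell"}                           # verbs named in the playbook
WRITE_VERBS = DESTRUCTIVE | {"write", "create", "update", "put", "set", "upload"}  # assumed
SENSITIVE = {"secret", "secrets", "env", "file", "credential", "token"}            # assumed
EGRESS_VERBS = {"fetch", "upload", "post", "send", "http", "curl", "egress"}       # assumed
BROAD_SCOPES = {"*", "admin", "root", "all"}                                       # assumed
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def _tokens(tool):
    """Lower-case word tokens of name + description, so 'shell_exec' yields shell and exec."""
    text = f"{tool.get('name', '')} {tool.get('description', '')}".lower()
    return set(re.findall(r"[a-z]+", text))

def _broad(scopes):
    return any(s in BROAD_SCOPES or "*" in s for s in scopes)

def _free_text_fields(schema):
    """String properties with no enum or pattern: open text an injected instruction can fill."""
    props = (schema or {}).get("properties") or {}
    return sorted(k for k, v in props.items()
                  if v.get("type") == "string" and not (v.get("enum") or v.get("pattern")))

def score_manifest(manifest):
    """Return {'risk', 'requiresApproval', 'findings'} in the shape the playbook describes."""
    findings = []
    prior = manifest.get("priorTools")  # None means no earlier review, so no permission-diff
    any_destructive = False

    def add(factor, severity, tool, message, fix):
        findings.append(dict(factor=factor, severity=severity, tool=tool, message=message, fix=fix))

    for tool in manifest.get("tools", []):
        name = tool["name"]  # name is the one mandatory field
        toks = _tokens(tool)
        scopes = [str(s) for s in (tool.get("scopes") or tool.get("permissions") or [])]
        network = bool(tool.get("network", False))
        destructive = bool(toks & DESTRUCTIVE)
        any_destructive = any_destructive or destructive

        if destructive:
            add("destructive-action", "high" if (network or _broad(scopes)) else "medium", name,
                f"matches destructive verbs {sorted(toks & DESTRUCTIVE)}",
                "add an explicit approval gate or dry-run mode")
        if toks & WRITE_VERBS and (not scopes or _broad(scopes)):
            add("over-broad-scope", "high", name,
                f"write-capable tool declares scopes {scopes or 'none'}",
                "replace with a least-privilege scope list")
        if toks & SENSITIVE and (network or toks & EGRESS_VERBS):
            add("sensitive-egress", "critical", name,
                "reads secrets/env/files and can also send them off-host",
                "split into a read-only local tool and a separate egress tool")
        free = _free_text_fields(tool.get("inputSchema")) if destructive else []
        if free:
            add("prompt-injection-surface", "high", name,
                f"free-text inputs {free} flow into a destructive action",
                "constrain inputSchema to enum or typed values")
        if prior is not None and name not in prior:
            add("permission-diff", "high" if destructive else "medium", name,
                "not present in the previously reviewed manifest",
                "re-review the new capability before install")

    if manifest.get("authModel") in (None, "", "none"):
        add("weak-auth", "high" if any_destructive else "medium", manifest.get("server", "<server>"),
            "no real authModel declared", "require token or oauth authentication")

    risk = max((f["severity"] for f in findings), key=RANK.get, default="low")
    return {"risk": risk, "requiresApproval": RANK[risk] >= RANK["high"], "findings": findings}

def install_decision(report):
    """Step 5 gate: an agent never auto-installs on critical or high."""
    return "blocked-pending-human-approval" if report["requiresApproval"] else "auto-install-allowed"

# Constructed sample manifests (not a real MCP server): as exported, then after the step-4 fixes.
READ_FILE = {"name": "read_file", "description": "Read a file from the workspace", "scopes": ["fs:read"],
             "network": False, "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}}
SAMPLE_MANIFEST = {"server": "example-ops-mcp", "authModel": "none", "priorTools": ["read_file"], "tools": [
    READ_FILE,
    {"name": "shell_exec", "description": "Run a shell command", "scopes": ["*"], "network": False,
     "inputSchema": {"type": "object", "properties": {"command": {"type": "string"}}}},
    {"name": "upload_env", "description": "Upload env secrets to the backup service", "scopes": ["secrets:read"],
     "network": True, "inputSchema": {"type": "object", "properties": {"target": {"type": "string"}}}},
]}
HARDENED_MANIFEST = {"server": "example-ops-mcp", "authModel": "oauth",
                     "priorTools": ["read_file", "shell_exec", "upload_env"], "tools": [  # names reviewed above
    READ_FILE,
    {"name": "shell_exec", "description": "Run a shell command", "scopes": ["build:run"], "network": False,
     "inputSchema": {"type": "object", "properties": {"command": {"type": "string", "enum": ["lint", "test"]}}}},
    {"name": "read_env", "description": "Read env values", "scopes": ["env:read"], "network": False},
    {"name": "upload_backup", "description": "Upload a prepared backup archive", "scopes": ["backup:write"],
     "network": True, "inputSchema": {"type": "object", "properties": {"target": {"type": "string", "enum": ["s3"]}}}},
]}

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, HARDENED_MANIFEST):
        r = score_manifest(m)
        print(r["risk"], install_decision(r), [(f["tool"], f["factor"], f["severity"]) for f in r["findings"]])
```

Running it scores the exported manifest critical with seven findings spanning all six factors (the secrets tool with network: true is the critical one), so requiresApproval is set and the install is blocked. The hardened manifest, with oauth declared, the shell tool narrowed to an enum of targets and a least-privilege scope, and the secrets tool split into a local reader and a separate uploader, scores medium: only the residual destructive-action notice on shell_exec and permission-diff notices for the two newly split tools remain, which is the point at which a human signs off and the names become the next priorTools.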