Server data from the Official MCP Registry
Local-first MCP that scores your codebase's build readiness. Your code never leaves your machine.
Local-first MCP that scores your codebase's build readiness. Your code never leaves your machine.
Obra CTO is a well-architected local-first MCP server with strong security fundamentals. The codebase enforces its zero-exfiltration promise through design (no network calls except for voluntary OSV dependency checks), uses safe subprocess handling with shell=true mitigated by user approval gates, and maintains clean separation of concerns. Minor code quality issues include broad error handling and incomplete test output, but these do not compromise security. Supply chain analysis found 1 known vulnerability in dependencies (1 critical, 0 high severity). Package verification found 1 issue.
5 files analyzed · 7 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Add this to your MCP configuration file:
{
"mcpServers": {
"com-get-obra-obra-cto": {
"args": [
"-y",
"obra-cto"
],
"command": "npx"
}
}
}From the project's GitHub README.
A local-first MCP server that scores your codebase's Build Readiness. You install it in your own Claude. Your Claude reads your code on your machine and runs your tests there. Nothing is uploaded.
This is the free preview of Obra's role lineup, and it stays free and local. The CTO reads your code and tells you what an investor's technical diligence would find: real security holes, weak design decisions, and the gaps that stop a serious review. The rest of the team (the Obra CFO for funding-ready materials, and more) lives in the Build with Obra community.
A tool that reads your code should not ship your code somewhere. This server makes no network calls. It returns counts, presence flags, a redacted secrets scan, and a score. Your source stays where it is. You can read every line of this server before you run it, which is the point of keeping it open.
The Obra CTO Score, out of 100, calibrated to your stage (prototype, MVP, or growth), across six dimensions:
| Dimension | Weight |
|---|---|
| Security | 25 |
| Product reality (what is actually built) | 20 |
| Robustness | 15 |
| Architecture | 15 |
| Maintainability | 15 |
| Deploy readiness | 10 |
Every finding carries an evidence grade: A verified, B multiple sources, C partial or inferred, D claim only, E speculation. The score is built from grade A and C evidence, what is true in your code, not what a deck says. When the CTO runs your tests and they pass, reliability becomes grade A. A deck-scorer can never earn that.
Point it at a real project and you get a scored report with a ranked risk register. Here is a run on a scrappy Supabase app (anonymized):
# Obra CTO Score: financeapp
## 46 / 100 · Not yet ready
Assessed as: mobile (react-native, expo) | Backend: supabase
| Dimension | Score | Evidence |
|------------------|-------|----------|
| Security | 6/25 | A |
| Product reality | 20/20 | A |
| Robustness | 3/15 | A |
| Architecture | 9/15 | A |
| Maintainability | 6/15 | A |
| Deploy readiness | 2/10 | C |
## Top Risks
- [critical] RLS policies defined but never enabled; data may be open to any authenticated user
Fix: enable row level security on every table, then verify a second user cannot read your rows.
- [high] Access control gap: a privileged action checks only that the user is logged in, not that they own the resource
- [medium] No tests found
On a well-built app it scores high and credits the good engineering. It is calibrated, not a fear machine.
scan_project reads the project and returns mechanical signals.check_dependencies checks your locked dependencies against the OSV vulnerability
database. Only package names and versions leave your machine, never your code.run_tests runs your test suite (this executes code, so your Claude asks first)
and parses the pass and fail counts.prepare_code_review selects your highest-signal files (schema and policy files,
entry points, security-relevant code) and hands them to your Claude with a checklist
tuned to your stack, including a Backend-as-a-Service lens (Supabase, Firebase) and a
design red-team that critiques the architecture, not just the code.score_build_readiness produces the Obra CTO Score with a Top Risks register.A normal run is: scan, check dependencies, run tests, prepare the code review, then score.
Add it to your Claude MCP config (Claude Desktop or Claude Code):
{
"mcpServers": {
"obra-cto": {
"command": "npx",
"args": ["-y", "obra-cto"]
}
}
}
Then ask your Claude: "Score this project's build readiness with Obra CTO."
Prefer to run from source? Clone the repo, run npm install && npm run build, and
point the config at node /absolute/path/to/obra-cto/dist/index.js.
Not a linter, not a security scanner, not a replacement for your own Claude reading the code. It is technical-diligence readiness inside funding readiness: the question an investor's CTO would ask, answered from your real code.
The Obra CTO is the free preview. To go further:
It all lives in Build with Obra: https://www.skool.com/build-with-obra-5361/about
Apache-2.0.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.