Server data from the Official MCP Registry
Read-only MCP server: your agent sees all your sibling repos but structurally cannot touch them
Read-only MCP server: your agent sees all your sibling repos but structurally cannot touch them
Repiscope is a well-architected read-only MCP server with strong security-by-design principles. The codebase implements multiple defense layers (path traversal prevention, symlink escaping detection, sensitive file filtering) backed by comprehensive test coverage. Minor code quality observations exist but do not impact the security posture. The server's permissions (file_read, env_vars) are appropriate for its read-only repository inspection purpose. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.
7 files analyzed · 8 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-3xpr1ment-repiscope": {
"args": [
"repiscope"
],
"command": "uvx"
}
}
}From the project's GitHub README.
A periscope for your repos — see everything, touch nothing.
Repiscope is a read-only MCP server that gives your coding agent (Claude Code, Cursor, or any MCP client) awareness of the sibling repositories next to the one it's working in — without ever letting it modify them.
I built a personal assistant to help me decide where my time goes: for that it needs to know the real state of every project — what changed, what stalled, what the next step is. So it has to see all my repos. But telling an agent "don't touch anything" is a request, not a guarantee. Repiscope makes it a guarantee: the server exposes zero write tools, so the agent structurally cannot modify your repos. And the same periscope helps any coding agent working in project A that needs to know how a part of project B works.
Sandboxes make this worse, not better: mine (rightly) stops the agent from even reading outside the repo it started in without asking. Widening the sandbox would grant write access too. Repiscope is the third way — the agent gets structured, read-only sight of every sibling repo through one MCP server, and the sandbox stays tight.
You're working in project-a and need to pull data from another project's
API. Instead of you digging through that codebase, the agent asks Repiscope
directly:
You: Use Repiscope to find out what kind of data I can retrieve
from billing-api through its API.
Agent: (calls list_projects → sees "billing-api")
(calls project_overview "billing-api" → spots src/routes/)
(calls search "route" project="billing-api")
(calls read_file "billing-api" "src/routes/invoices.py")
billing-api exposes three endpoints: /invoices (list, filterable
by customer and date), /invoices/{id} (full invoice with line
items), and /customers/{id}/balance (current balance). All
responses are JSON; auth is a bearer token.
The agent explored a repo it has no ability to write to. No copy-paste, no "please don't edit anything," no risk.
| Tool | Input | Returns |
|---|---|---|
list_projects() | — | every sibling repo + one-line description |
project_overview(project) | repo name | full overview: purpose, stack, structure, recent commits |
search(query, project?) | text, optional repo | files & lines matching the query |
read_file(project, path) | repo + file path | full file contents (size-capped) |
store_summary(project, summary) | repo + your text | caches an agent-written summary (see below) |
Overviews are cached as markdown and refreshed lazily: on each call Repiscope compares the repo's current git commit hash against the one recorded when the overview was built. Same hash → serve the cache. Different → rebuild just that repo's overview. No cron, no daemons.
Repiscope has no LLM of its own — no API key, no model calls, zero cost. But
it talks to LLMs all day, so it borrows them: when an overview has no fresh
agent-written summary, it ends with a note asking the calling agent to
write one and hand it back via store_summary. The summary then opens every
future overview of that project — written by one agent, read by all the
next — until the repo's next commit marks it outdated and the cycle repeats.
Repiscope is built so that the safe behaviour is not a promise — it's the only behaviour possible:
store_summary, can only write to Repiscope's own cache in
~/.cache/repiscope. An agent cannot misuse a capability that doesn't
exist.privacy.py) is enforced by
every tool: private keys, certificates (.pem, .pfx, .p12, …),
.env* files, keystores, and anything named like a credential never
appear in overviews, trees, search results or file reads.
Honest limit: the filter hides sensitive files — it does not scrub
mentions of e.g. a password pasted inside an ordinary text file.notes.txt → ~/.ssh/id_rsa. Anything whose real
location falls outside the project is invisible to every tool, the secret
filter also checks a link's real target, and path traversal (../) is
refused.--root), and --exclude makes chosen repos fully
invisible — they can't even be resolved by name.~/.cache/repiscope,
never inside your repositories.Every claim above is enforced by the test suite in tests/ — clone the
repo and run pytest to check them yourself.
pip install repiscope
claude mcp add repiscope --scope user -- repiscope --root ~/your/projects/folder
That's it — point --root at the folder containing your repos (not a repo
itself). Optionally hide repos with --exclude repo-a --exclude repo-b.
Works with any MCP client; for Claude Desktop there's also a one-click
.mcpb bundle (build it with mcpb/build.sh).
From source instead:
git clone https://github.com/3xpr1ment/repiscope.git
cd repiscope
python -m venv .venv && .venv/bin/pip install -e .[dev]
.venv/bin/pytest # the security claims, as executable proof
Honesty section — what Repiscope deliberately does not do:
notes.md will not
be scrubbed. The perimeter is yours: only point --root at folders you
are comfortable showing to your agent — whatever the tools can see, your
LLM provider will see too.v0.2.2 — working and dogfooded daily. Four read-only tools plus borrowed-LLM
summaries, lazy cache refresh, sensitive-file filtering, and a test suite
proving the security claims (path traversal, symlink escapes, secret
filtering — see tests/). API may still change.
To be completely clear about authorship: I am not an engineer. Every architecture decision in Repiscope is mine — what it does, what it refuses to do, where the security gates live — but the coding itself is done by Claude (Anthropic's Fable model). My rule for the collaboration: nothing goes in that I don't understand. The commit history carries the co-authorship openly, commit by commit.
mcp-name: io.github.3xpr1ment/repiscope
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.