Yes, Costwright is free to use.

How do I install Costwright?

Costwright is a local plugin. Install it using npm package: costwright-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

Is Costwright safe to use?

Costwright was flagged by MCP Marketplace's security scan, scoring 4.8/10 (high risk). It has 3 high or critical findings to review. Review the security report on this page carefully before installing it.

What credentials does Costwright need?

Costwright requires the following credentials or environment variables: COSTWRIGHT_API_KEY. You can find setup instructions on the server detail page.

What AI apps work with Costwright?

Costwright uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Costwright MCP Server

by Hernaninverso

Developer ToolsUse Caution4.8MCP RegistryLocal

Free

Server data from the Official MCP Registry

Static worst-case token-budget analysis for LLM-agent workflows + signed budget certificates.

About

Static worst-case token-budget analysis for LLM-agent workflows + signed budget certificates.

Security Report

4.8

Use Caution4.8High Risk

costwright-mcp is a well-structured MCP server with proper authentication, careful input validation, and appropriate permission scoping. The code implements robust safeguards against path traversal, archive bombs, and symlink exploits. Minor code quality issues around error handling breadth and environment variable documentation do not materially impact security. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

3 files analyzed · 8 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

API key for costwright (RapidAPI key or direct Bearer). Only needed for check/certify; verify/pubkey are public.Required

Environment variable: COSTWRIGHT_API_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-hernaninverso-costwright-mcp": {
      "env": {
        "COSTWRIGHT_API_KEY": "your-costwright-api-key-here"
      },
      "args": [
        "-y",
        "costwright-mcp"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

costwright — MCP server

Static worst-case token-budget analysis for LLM-agent workflows. Point it at a Python repo using LangGraph / CrewAI / OpenAI-Agents-SDK and it reports — by pure AST analysis, without running the code — the worst-case budget ceiling of every workflow graph: which units are certifiable / default-dependent / non-certifiable / runaway, and which LLM calls have no token cap. Optionally issues an Ed25519-signed budget certificate logged to a public transparency log. Wraps the hosted costwright API; backed by a Lean 4 cost-soundness theorem.

Use it before deploying an agent workflow to catch missing token caps and while True: runaway drivers — the budget version of a type check.

Tools

Tool	What it does	Key?
`costwright_check(repo_path, policy?)`	Static budget analysis of a local repo. Returns pass/fail + counts of certifiable/default-dependent/non-certifiable/runaway units.	yes
`costwright_certify(repo_path, policy?, label?)`	Issues a signed, logged budget certificate. Returns cert_id + signature + verify_url.	yes
`costwright_verify(cert_id)`	Verify a certificate by id (valid/expired/revoked, signature check).	public
`costwright_pubkey()`	Active Ed25519 public keys for offline verification.	public

Setup

{
  "mcpServers": {
    "costwright": {
      "command": "npx",
      "args": ["-y", "costwright-mcp"],
      "env": { "COSTWRIGHT_API_KEY": "your_rapidapi_key" }
    }
  }
}

The key is sent as X-RapidAPI-Key (RapidAPI channel) by default; set COSTWRIGHT_DIRECT=1 to send it as Authorization: Bearer for the direct channel. verify and pubkey work with no key.

check/certify build a .py-only gzip archive of repo_path client-side (excluding venv, node_modules, tests, etc.) and send it for analysis — your source is uploaded to the hosted API. See https://eleata.io/privacy/. MIT licensed.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

Costwright MCP Server

About

Security Report

Findings (8)Action required

Permissions Required

What You'll Need

How to Install

Documentation

costwright — MCP server

Tools

Setup

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Git

Toleno

mcp-creator-python

MarkItDown

MCP Marketplace