Server data from the Official MCP Registry
Static worst-case token-budget analysis for LLM-agent workflows + signed budget certificates.
costwright-mcp is a well-structured MCP server with proper authentication, careful input validation, and appropriate permission scoping. The code implements robust safeguards against path traversal, archive bombs, and symlink exploits. Minor code quality issues around error handling breadth and environment variable documentation do not materially impact security. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.
3 files analyzed · 8 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Set these up before or after installing:
Environment variable: COSTWRIGHT_API_KEY
Add this to your MCP configuration file:
```json
{
  "mcpServers": {
    "io-github-hernaninverso-costwright-mcp": {
      "env": {
        "COSTWRIGHT_API_KEY": "your-costwright-api-key-here"
      },
      "args": [
        "-y",
        "costwright-mcp"
      ],
      "command": "npx"
    }
  }
}
```

From the project's GitHub README.
Static worst-case token-budget analysis for LLM-agent workflows. Point it at a Python repo using LangGraph / CrewAI / OpenAI-Agents-SDK and it reports — by pure AST analysis, without running the code — the worst-case budget ceiling of every workflow graph: which units are certifiable / default-dependent / non-certifiable / runaway, and which LLM calls have no token cap. Optionally issues an Ed25519-signed budget certificate logged to a public transparency log. Wraps the hosted costwright API; backed by a Lean 4 cost-soundness theorem.
Use it before deploying an agent workflow to catch missing token caps and `while True:` runaway drivers — the budget version of a type check.
| Tool | What it does | Key? |
|---|---|---|
| `costwright_check(repo_path, policy?)` | Static budget analysis of a local repo. Returns pass/fail + counts of certifiable/default-dependent/non-certifiable/runaway units. | yes |
| `costwright_certify(repo_path, policy?, label?)` | Issues a signed, logged budget certificate. Returns cert_id + signature + verify_url. | yes |
| `costwright_verify(cert_id)` | Verify a certificate by id (valid/expired/revoked, signature check). | public |
| `costwright_pubkey()` | Active Ed25519 public keys for offline verification. | public |
```json
{
  "mcpServers": {
    "costwright": {
      "command": "npx",
      "args": ["-y", "costwright-mcp"],
      "env": { "COSTWRIGHT_API_KEY": "your_rapidapi_key" }
    }
  }
}
```
The key is sent as X-RapidAPI-Key (RapidAPI channel) by default; set COSTWRIGHT_DIRECT=1 to send
it as Authorization: Bearer for the direct channel. verify and pubkey work with no key.
check/certify build a .py-only gzip archive of repo_path client-side (excluding venv,
node_modules, tests, etc.) and send it for analysis — your source is uploaded to the hosted API.
See https://eleata.io/privacy/. MIT licensed.