A quieter way to keep your MCP configurations clean.
Paste a config. We parse it locally, flag mistakes, sniff out hardcoded secrets, and hand back a tidy cleanliness score — all without your JSON ever leaving the browser.
Important
mcpcleaner is a best-effort heuristic tool offered as-is. Validation uses pattern matching and common-sense rules — not a formal schema — and may produce false positives or miss real issues. You are solely responsible for reviewing, testing and deploying your configuration. If we detect something that looks like a hardcoded secret, treat the file as compromised and rotate the credential. Read the full disclaimer & privacy policy before relying on anything here.
Small checks, big peace of mind.
Structural sanity
Parses JSON with precise error locations. Normalizes across mcpServers / servers / single-server shapes. Flags missing transports, type mismatches, and malformed args.
Secret sniffing
Pattern-matches against common hardcoded credential shapes — long-form API keys, personal access tokens, cloud access IDs, JWT-shaped blobs. Suggests moving them to env var references.
Hygiene scoring
A single number out of 100, a letter grade, and a one-word verdict. Weighted by severity so a missing command hurts more than an unusual name.
Shell-danger detection
Looks for curl | sh pipelines, sudo, rm -rf /, and other patterns that have no business living in a config file.
Transport review
Validates URLs, warns about plaintext http://, catches dual stdio+HTTP declarations, flags tilde paths that launchers won't expand.
Stays on your machine.
Zero network calls. No telemetry. Close the tab and it's gone. That's not a promise on the roadmap — it's how the tool works today.
How the checker reads your config.
Parse & locate
We run the JSON through the browser's native parser. If it breaks, we extract line and column from the error so you can jump straight to it.
Normalize the shape
MCP configs come in several shapes depending on the client. We detect mcpServers, servers, single-server, and flat-name forms — then reason about the contents uniformly.
Walk each server
For every server we check transport, args types, env block, command paths, and scan env values against a catalog of known credential formats.
Weigh & score
Errors count heaviest, warnings moderate, info-notes lightly. A small bonus applies if you have at least one working server with no errors. Result: 0–100 plus a letter grade.
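The four steps above, sketched as an added JavaScript example (not mcpcleaner's own code). The credential patterns, severity weights, bonus size and function names are assumptions chosen for illustration, and the sample config is constructed.

```javascript
// Added illustration, not mcpcleaner's code: patterns, weights and names are assumptions.
const SECRET_SHAPES = [
  ["GitHub personal access token", /^ghp_[A-Za-z0-9]{36}$/],
  ["AWS access key ID", /^AKIA[0-9A-Z]{16}$/],
  ["JWT-shaped blob", /^eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+$/],
];
const WEIGHTS = { error: 25, warning: 10, info: 2 }; // assumed severity weights
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
// Reduce mcpServers / servers / single-server / flat-name shapes to one { name: server } map.
function normalize(cfg) {
  if (isObj(cfg.mcpServers)) return cfg.mcpServers;
  if (isObj(cfg.servers)) return cfg.servers;
  if ("command" in cfg || "url" in cfg) return { "(single)": cfg };
  return cfg; // flat-name form: top-level keys are server names
}
function checkServer(name, s) {
  const out = [];
  const add = (severity, msg) => out.push({ server: name, severity, msg });
  if (!isObj(s)) { add("error", "server entry is not an object"); return out; }
  if (!s.command && !s.url) add("error", "no transport: neither command nor url");
  if (s.command && s.url) add("warning", "declares both stdio and HTTP transports");
  if ("args" in s && !Array.isArray(s.args)) add("error", "args must be an array");
  if (String(s.url || "").startsWith("http://")) add("warning", "plaintext http:// URL");
  if (String(s.command || "").startsWith("~")) add("warning", "launcher will not expand ~");
  for (const [key, val] of Object.entries(isObj(s.env) ? s.env : {})) {
    if (typeof val !== "string" || /^\$\{?\w+\}?$/.test(val)) continue; // env var reference
    const hit = SECRET_SHAPES.find(([, re]) => re.test(val));
    if (hit) add("error", `env.${key} looks like a hardcoded ${hit[0]}`); // value not echoed
  }
  return out;
}
function audit(text) {
  let cfg;
  try { cfg = JSON.parse(text); } catch (e) {
    return { score: 0, findings: [{ server: null, severity: "error", msg: e.message }] };
  }
  if (!isObj(cfg)) return { score: 0, findings: [{ server: null, severity: "error", msg: "top level is not an object" }] };
  const perServer = Object.entries(normalize(cfg)).map(([n, s]) => checkServer(n, s));
  const findings = perServer.flat();
  const penalty = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const bonus = perServer.some((f) => f.every((x) => x.severity !== "error")) ? 5 : 0; // assumed
  return { score: Math.max(0, Math.min(100, 100 - penalty + bonus)), findings };
}

// Constructed sample: hypothetical package name, made-up token in the ghp_ shape.
const SAMPLE = JSON.stringify({ mcpServers: {
  files: { command: "npx", args: ["-y", "example-files-server"] },
  api: { url: "http://localhost:8080/mcp", env: { TOKEN: "ghp_" + "A".repeat(36) } },
} });
```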
Your config file is the front door.
Secrets leak from configs
MCP configs are often checked into dotfiles, shared in screenshots, pasted in issues. A single hardcoded token can outlive the person who wrote it.
Typos cost evenings
A stray comma, an args array that's secretly a string, a typo'd package name — most "MCP won't start" hours are spent on small, findable mistakes.
Shell is a weapon
Anything you put in command runs with your privileges. A config that pipes curl into bash can wreck a laptop in seconds.
Hygiene compounds
Clean configs stay readable, reviewable, and swappable. Messy ones become untouchable. Start clean, stay clean — that's the whole pitch.