TateLyman/shipcheck-mcp

shipcheck-mcp

MCP server that lets local MCP clients run Shipcheck on authorized JavaScript and TypeScript repositories.

Shipcheck scans apps and MCP servers for launch risks such as exposed private-looking env vars, unsigned Stripe webhooks, missing Supabase/Firebase rule evidence, debug routes, missing usage-cost guardrails, missing CI, loose dependencies, thin release docs, missing MCP smoke-test proof, undocumented STDIO execution boundaries, and undocumented remote MCP auth boundaries.

Tool page: https://tateprograms.com/shipcheck.html

Free MCP launch self-check: https://tateprograms.com/mcp-self-check.html

MCP directory launch checklist: https://tateprograms.com/mcp-directory-checklist.html

Paid MCP launch check: https://tateprograms.com/mcp-launch-review.html

Official MCP Registry: https://registry.modelcontextprotocol.io/v0/servers?search=shipcheck

Install

Run directly with npx:

npx --yes shipcheck-mcp

MCP Config

Add this server to an MCP client that supports stdio servers:

{
  "mcpServers": {
    "shipcheck": {
      "command": "npx",
      "args": ["--yes", "--package", "shipcheck-mcp", "shipcheck-mcp"]
    }
  }
}

A STDIO MCP client config launches a local command. Review the command, args, and any env values before running generated configs, keep the package source trusted, and prefer pinned package versions when a deployment needs repeatability.
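
The review described above can be scripted. The following is an added example, not code from the shipcheck-mcp project: it lists the exact command line each stdio server would launch, reports whether an npx package spec is pinned, and shows env key names without their values. The function names, the sample config, the 0.0.0 placeholder version, and the rule that "pinned" means an exact semver suffix are assumptions made for the example.

```javascript
// Added example: audit an MCP client config for the review points above.
// Constructed sample config; "0.0.0" is a placeholder, not a real release number.
const sampleConfig = {
  mcpServers: {
    shipcheck: {
      command: "npx",
      args: ["--yes", "--package", "shipcheck-mcp", "shipcheck-mcp"],
    },
    "shipcheck-pinned": {
      command: "npx",
      args: ["--yes", "--package", "shipcheck-mcp@0.0.0", "shipcheck-mcp"],
      env: { EXAMPLE_TOKEN: "constructed-value" },
    },
  },
};

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Package spec npx will install: the --package/-p value if present,
// otherwise the first positional argument.
function npxPackageSpec(args) {
  for (let i = 0; i < args.length; i++) {
    if (args[i] === "--package" || args[i] === "-p") return args[i + 1] ?? null;
    if (args[i].startsWith("--package=")) return args[i].slice("--package=".length);
  }
  return args.find((a) => !a.startsWith("-")) ?? null;
}

// Pinned only when the spec ends in @<exact semver>; a leading "@" is a scope.
function isPinned(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 && EXACT_VERSION.test(spec.slice(at + 1));
}

function auditMcpConfig(config) {
  return Object.entries(config.mcpServers ?? {}).map(([name, server]) => {
    const args = server.args ?? [];
    const spec = server.command === "npx" ? npxPackageSpec(args) : null;
    return {
      name,
      commandLine: [server.command, ...args].join(" "),
      packageSpec: spec,
      pinned: spec !== null && isPinned(spec),
      envKeys: Object.keys(server.env ?? {}), // key names only, never values
    };
  });
}

console.table(auditMcpConfig(sampleConfig));
```

Dist-tags such as @latest and ranges such as @^1.0.0 are reported as unpinned because they can resolve to a different release on the next launch.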

Tool

scan_repository

{
  "root": ".",
  "format": "markdown",
  "failOn": "medium",
  "strict": true
}

Formats: text, markdown, json, or sarif.

Severities: info, low, medium, or high.

Shipcheck is defensive static analysis, not a penetration test. It reads local project files, does not modify the repository, does not execute project code, and does not require network access. Run it only on repos you own or are authorized to inspect.

Development

npm install
npm run check
