curatedmcp
v2.1.1
Published
The CuratedMCP agent — discover, run, audit, and govern every MCP server your AI tools (Claude, Cursor, Windsurf, Copilot, Gemini) use
Maintainers
Readme
curatedmcp
The CuratedMCP Agent. One CLI to discover, run, audit, and govern every MCP server your AI tools (Claude, Cursor, Windsurf, Copilot, Gemini) use.
# 10-second risk scan of your machine — no signup
npx curatedmcp auditPlug it in once. Add servers anytime. Audit and govern them from one place.
What you get
| Command | What it does |
| --- | --- |
| curatedmcp audit | Scan your MCP configs for risky servers (high/medium/low). Zero auth, instant value. |
| curatedmcp (no args) | Run as an MCP hub server over stdio for Claude, Cursor, Windsurf, etc. |
| curatedmcp add <slug> | Add a server from the CuratedMCP catalog to your stack. |
| curatedmcp remove <slug> | Remove a server from your stack. |
| curatedmcp list | Show your current stack. |
| curatedmcp init | Print the config snippet to drop into your AI client. |
| curatedmcp guard -- <cmd> | Run a server behind the local action firewall. |
| curatedmcp login | Authenticate the agent to your CuratedMCP account. |
| curatedmcp sync | Pull your team's registry config and push audit results. |
1. Audit (the wedge — start here)
npx curatedmcp auditScans every MCP config file on your machine (Claude Desktop, Cursor, Windsurf, Claude Code, …), classifies each server against the CuratedMCP catalog, and flags:
- 🔴 HIGH — unverified or known-risky servers with credentials
- 🟡 MEDIUM — verified servers running outside catalog defaults
- 🟢 VERIFIED — known-good catalog servers
No signup, no cloud, no data leaves your machine. Logged in? Add --sync to push the result to your dashboard.
2. Run as the MCP Hub
If you use MCP servers across multiple AI clients, you've felt this pain: configure GitHub MCP in Claude Desktop, then re-do it in Cursor, then in Windsurf. New agent ships? Re-paste every config.
The agent fixes that. It's one MCP entry that fans out to every server you've added, in every AI client.
Claude Cursor Windsurf Copilot Gemini
\ \ | / /
┌──────────────────────────┐
│ curatedmcp │ ← one config in each agent
│ (the MCP hub) │
└────┬──────┬──────┬───────┘
│ │ │
GitHub Postgres Stripe ← `add`'d once, available everywhereAdd it to your AI client
{
"mcpServers": {
"curatedmcp": {
"command": "npx",
"args": ["-y", "curatedmcp"]
}
}
}| Client | Path |
| --------------- | --------------------------------------------------------------------- |
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json (mac) / %APPDATA%\Claude\claude_desktop_config.json (win) |
| Cursor | ~/.cursor/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| Claude Code | ~/.claude/mcp.json (or .claude/mcp.json per-project) |
Add servers to your stack
npx curatedmcp add github # prompts for GITHUB_TOKEN
npx curatedmcp add postgres --env DATABASE_URL=postgres://...
npx curatedmcp listRestart your AI client
Tools appear with a <slug>__ prefix:
github__create_issuepostgres__queryfilesystem__read_file
3. Guard (local action firewall)
npx curatedmcp guard -- npx -y @modelcontextprotocol/server-githubWraps an MCP server with a local policy engine that gates every tools/call against
~/.curatedmcp/guard-policy.json. Default policy allows read, prompts on write, blocks destructive.
npx curatedmcp guard --dashboard --port 7878 -- npx -y @some/server
# Then open http://localhost:7878 for the live action log4. Login + sync (for teams)
Once you have a CuratedMCP account, link the CLI to it:
npx curatedmcp login # paste a registry key from your dashboard
npx curatedmcp sync # pull team registry config + push audit results
npx curatedmcp sync --team acme-eng # pick a specific team if you're in more than oneSync pulls the locked-down server list approved by your team and merges it into your local stack — so every developer's machine runs the same vetted set of servers.
Config files
~/.curatedmcp/stack.json — your stack, plain JSON, hand-editable, version-controllable:
{
"version": 1,
"entries": [
{
"slug": "github",
"name": "GitHub",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": { "GITHUB_TOKEN": "ghp_xxxxxxxxxxxx" },
"addedAt": "2026-05-01T10:14:00.000Z"
}
]
}Set "disabled": true on an entry to skip it without removing it.
Other files (created on first use):
~/.curatedmcp/auth.json— login token (mode 0600)~/.curatedmcp/guard-policy.json— firewall policy~/.curatedmcp/launcher.json— anonymous client UUID
In-agent discovery
The agent itself exposes discovery tools to your AI client, so you can ask:
"Find me an MCP server for Postgres." "What's the best Stripe MCP?" "Add the Postgres MCP server to my stack."
The agent uses search_servers, get_server_details, and add_to_stack to do all of that without you leaving the chat.
Privacy
- All config is local at
~/.curatedmcp/. No cloud sync unless youlogin. - Anonymous telemetry only (event names like "search", "add"). Disable with
--no-telemetryorCURATOR_TELEMETRY=false. - Audit results stay on your machine unless you
loginand run--sync.
Compatibility
- Works with Claude Desktop, Claude Code, Cursor, Windsurf, Copilot, Gemini, OpenAI Agents — anything that supports MCP over stdio.
- Node.js ≥ 18.
Migrating from the old packages
The agent replaces three earlier packages, which are now deprecated:
| Old | New |
| --- | --- |
| @curatedmcp/launcher | curatedmcp (no args) / curatedmcp add / curatedmcp list |
| @curatedmcp/auditor (aka mcp-audit) | curatedmcp audit |
| @curatedmcp/sentinel (aka sentinel) | curatedmcp guard |
A launcher bin alias is kept for back-compat.
Links
MIT licensed.
