Connect agents to your tools —without opening a hole.
An MCP server makes an agent dramatically more capable — or opens a security hole. Over-broad scopes, secrets in tool descriptions, unvalidated inputs, injection-prone designs.
This kit ships the build workflow, the security spine, and a Pass/Fix/Block tool linter — so the useful kind of server ships without the holes.
Everyone’s connecting agents via MCP. Far fewer are doing it safely.
The failure modes are mechanical and common: a token scoped to admin “to be safe,” an API key pasted into a tool description the model and client can see, inputs accepted without validation, and descriptions or returned data an attacker can turn into instructions.
Safe by default isn’t a feature you add at the end — it’s a discipline that runs through every phase of the build.
An MCP server lets an agent discover and invoke your tools and data — a step-change in capability, over stdio (local) or streamable HTTP (remote).
Over-broad scopes, secrets in tool descriptions, unvalidated inputs, injection-prone designs — the failure modes are mechanical and common.
Least privilege, no secrets in descriptions, validated inputs, gated destructive actions, untrusted external data — built into the workflow, not bolted on.
The MCP spec and SDKs evolve — re-verify transport guidance, annotation names, and SDK APIs against the current spec at modelcontextprotocol.io at use.
Would this tool definition ship?
Describe a tool and set its scope, validation, and auth — see the verdict the kit returns, the same Pass / Fix / Block logic as the included mcpcheck.py.
Pass
- Least-privilege scope, validated inputs, scoped auth, honest description.
Build MCP servers that are safe by default.
A grounded four-phase build workflow, tool-design and security patterns, a Tool Inventory + Security Checklist workbook, and this linter.
Get the MCP Server & Connector Builder Kit — $99A clean lint is necessary, not sufficient — sensitive systems still need a real threat model. Guidance, not a security audit.
Research & plan, implement, review & test, evaluate.
A grounded four-phase loop with the security spine running through all of it — the backbone of the playbook, patterns, and linter.
Map the tool surface before you write code: what an agent actually needs, the data and actions to expose, and the narrowest scope that does the job.
Build with typed input/output schemas (TypeScript SDK + Zod, or Python FastMCP + Pydantic) and the standard annotations — readOnly, destructive, idempotent, openWorld.
Inspect with the MCP Inspector, run the security checklist, and lint each tool Pass / Fix / Block before anything ships.
Test the server against realistic agent tasks — does the tool surface actually let an agent succeed, without footguns or surprises.
A playbook, patterns, a workbook, and a tool linter.
MCP in a minute, the four-phase workflow, designing tools agents can use, the security spine, and prompt-injection-aware design.
Tool-design and security patterns — schema shapes, annotation usage, scope and auth patterns, and injection-aware description rules.
A tool inventory with a Pass / Fix / Block verdict per tool, a security checklist that rolls up to Secure / Gaps, and a dashboard.
Lint a tool definition Pass / Fix / Block — a leaked secret, over-broad scope, or dangerous capability is a hard Block. Zero dependencies; runs keyless.
The editable term lists behind the linter — secret patterns, injection signals, and over-promise phrases. Tune them to your stack.
Security guidance — honest about what it isn’t.
- Not a security audit
The linter catches the mistakes that ship most often. A clean result is necessary, not sufficient — sensitive systems still need a real threat model and review.
- Least privilege, always
The default that prevents most damage: scope to the narrowest token that works, gate destructive actions, and never put a secret in a description.
- Treat external data as untrusted
Returned data and tool descriptions can carry injected instructions. The patterns are built to assume that, not hope otherwise.
- Re-verify the spec
MCP and its SDKs move fast. Check transport guidance, annotation names, and SDK APIs against the current spec and READMEs before you ship.
Engineers wiring agents to real tools and data.
Developers and platform teams building MCP servers and connectors — who want the useful kind of capability without shipping a leaked secret or an over-broad scope.
Prompt Injection Red-Team Kit
$99Build it safe, then try to break it. The Red-Team Kit attacks your tool surface the way an adversary would — the offensive complement to this kit's defensive build discipline.
Agent Orchestration Cookbook
$79Once your tools are safe, wire them into real multi-agent patterns. The Cookbook ships runnable orchestration recipes — the layer above a single connector.
Technical Documentation Engine
$99A connector your team can't use is a liability. The Documentation Engine turns the server into clear, current docs — with a runnable CI gate that fails on stale or missing reference.
The questions engineers actually ask before they ship a connector.
A kit for building Model Context Protocol (MCP) servers that are useful to agents and safe by default. It includes a grounded four-phase build workflow (Research & plan, Implement, Review & test, Evaluate), tool-design and security patterns, a Tool Inventory + Security Checklist workbook, and mcpcheck.py — a linter that returns Pass / Fix / Block on a tool definition, where a leaked secret, an over-broad scope, or a dangerous capability is a hard Block.
The mechanical, frequent ones: a token scoped to admin 'to be safe', an API key pasted into a tool description (which the model and clients can see), inputs accepted without validation, and tool descriptions or returned data an attacker can turn into instructions. The kit's security spine — least privilege, no secrets in descriptions, validated inputs, gated destructive actions, honest descriptions, untrusted external data — runs through every phase.
The recommended stacks: TypeScript SDK with Zod, or Python FastMCP with Pydantic — typed input/output schemas and the standard annotations (readOnly, destructive, idempotent, openWorld). It covers both stdio (local) and streamable HTTP (remote) transports, and review/test with the MCP Inspector. The MCP spec and SDKs evolve, so re-verify transport guidance and SDK APIs against the current spec at modelcontextprotocol.io at use.
Hand mcpcheck.py a tool definition (description, scope, validation, auth) and it returns Pass / Fix / Block — a leaked secret, an over-broad scope, or an injection-prone capability is a hard Block; missing validation or auth is a Fix. It is a heuristic linter, not a security audit: its term lists are editable in the config, and a clean result is necessary, not sufficient. Sensitive systems still need a real threat model.
Because tool descriptions are shown to the model and the client — anything you put there is effectively exposed. Credentials belong in server environment variables, never in a description or returned payload. The linter treats a secret in a description as a hard Block for exactly this reason.
Build the server here, then pressure-test it. Pair it with the Prompt Injection Red-Team Kit (try to break what you built), the Agent Orchestration Cookbook (wire the tools into multi-agent patterns), and the Technical Documentation Engine (document the connector for your team).
An MCP Build Playbook, Templates (tool-design and security patterns), the MCP Builder Workbook (Excel: tool inventory + security checklist), mcpcheck.py, and an editable config.
Useful — and safe.
Build MCP servers an agent can actually use, without the leaked secrets and over-broad scopes that ship most often. A grounded workflow, the security spine, and a Pass/Fix/Block linter. One-time $99, yours to keep.
Sold by RedHub AI LLC · Secured by Stripe · Security guidance, not a security audit · redhub.ai