Overview
The audit command inspects exported tool manifests or tool lists and flags risky database MCP patterns. It does not call business tools and does not prove that a server is secure.
High-risk findings include:
- execute_sql/run_query tools
- write tools that accept arbitrary SQL
- model-controlled schema/table/column names
- model-controlled tenant_id
- model-callable approval/commit tools
- write tools with no visible proposal boundary
Use the audit to start a review. The real protection comes from reviewed semantic capabilities, trusted context, proposals, conflict guards, idempotency, and receipts.
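As an added illustration, not the audit command's own code, the Python below applies the high-risk patterns above to a constructed tool manifest without ever invoking a tool. The tool names, parameter names, verb prefixes and the convention that a write tool shows its proposal boundary through a proposal_id parameter are assumptions made for this example.

```python
import re

# Name and parameter patterns derived from the findings listed above.
# The verb lists and the proposal_id convention are assumptions for this example.
RAW_SQL_NAME = re.compile(r"^(execute|run)_(sql|query)$")
WRITE_VERB = re.compile(r"^(create|update|delete|insert|set|write)_")
APPROVAL_VERB = re.compile(r"^(approve|commit|confirm)_")
SQL_PARAMS = {"sql", "query", "statement"}
SCOPE_PARAMS = {"schema", "table", "column", "tenant_id"}

# Constructed sample manifest in MCP tools/list shape (name + JSON-schema inputSchema).
SAMPLE_MANIFEST = {"tools": [
    {"name": "execute_sql", "inputSchema": {"properties": {"sql": {"type": "string"}}}},
    {"name": "update_order", "inputSchema": {"properties": {
        "tenant_id": {"type": "string"}, "table": {"type": "string"}, "status": {"type": "string"}}}},
    {"name": "approve_proposal", "inputSchema": {"properties": {"proposal_id": {"type": "string"}}}},
    {"name": "set_order_status", "inputSchema": {"properties": {
        "proposal_id": {"type": "string"}, "order_id": {"type": "string"}, "status": {"type": "string"}}}},
    {"name": "get_order", "inputSchema": {"properties": {"order_id": {"type": "string"}}}},
]}

def audit_manifest(manifest):
    """Return (tool_name, finding) pairs. Reads the manifest only; never calls a tool."""
    findings = []
    for tool in manifest.get("tools", []):
        name = tool.get("name", "")
        # Every property in inputSchema is, by definition, model-controlled input.
        params = set(tool.get("inputSchema", {}).get("properties", {}))
        is_write = bool(WRITE_VERB.match(name))
        if RAW_SQL_NAME.match(name):
            findings.append((name, "raw SQL execution tool"))
        if params & SQL_PARAMS:
            findings.append((name, "accepts arbitrary SQL text"))
        for p in sorted(params & SCOPE_PARAMS):
            findings.append((name, f"model-controlled {p}"))
        if APPROVAL_VERB.match(name):
            findings.append((name, "model-callable approval/commit tool"))
        # Assumption: a write tool that applies a reviewed proposal carries proposal_id;
        # a write tool without it has no visible proposal boundary in the manifest.
        if is_write and "proposal_id" not in params:
            findings.append((name, "write tool with no visible proposal boundary"))
    return findings

if __name__ == "__main__":
    for tool_name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"HIGH  {tool_name}: {finding}")
```

Point the function at a `json.load`ed export of a real server's tools/list response; the output is review input only, exactly as the notes below say.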
Developer notes
- Do not call business tools during audit.
- Do not rely on MCP annotations as enforcement.
- Treat audit output as review input, not certification.
- Fix raw SQL and model-controlled tenant scope before allowing database actions.