Is your MCP tool over-privileged?

Paste an MCP tools/list response (or a manifest listing tools plus their declared OAuth scopes). mcpscopes statically checks each tool's declared scope against what its name and description say it does — read tools requesting write/admin scope, coarse vs fine-grained scopes, dangerous verbs flagged for review, and the union of every tool's scope (the token's real effective breadth) — against OWASP MCP02:2025 and the OAuth least-privilege principle.

Don't paste manifests containing secrets/keys (API keys, tokens, or other credentials). mcpscopes never stores the raw manifest — only the derived findings — but the analysis still runs on whatever you paste, so scrub secrets first.
Load example:

Runs entirely in your browser first — nothing is uploaded to see the result. Saving a permalink stores only the derived findings, never this pasted text.