{"version":"1.0","workflow_uuid":"67ac2a2b-e81c-50f9-bb30-0943e7df8787","workflow_title":"mcp-audit — Scan MCP Configs for Secrets & Shadow APIs","recommended_install":{"schema_version":1,"status":"stage","policy":"stage_only","install_mode":"pip","target":"codex","command":"npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target codex","dry_run_command":"npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target codex --dry-run --json","runtime_commands":{"codex":"npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target codex","gemini":"npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target gemini","project":"npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787"},"prompt":"Install and make this TokRepo asset usable: \"mcp-audit — Scan MCP Configs for Secrets & Shadow APIs\".\n\nPage: \nUUID: 67ac2a2b-e81c-50f9-bb30-0943e7df8787\nTarget adapter: codex\nPolicy/mode: stage_only / pip\n\nRead these machine-facing entry points first:\n- metadata: https://tokrepo.com/metadata/67ac2a2b-e81c-50f9-bb30-0943e7df8787.json\n- install contract: https://tokrepo.com/install-contract/67ac2a2b-e81c-50f9-bb30-0943e7df8787.json\n- install plan: https://api.tokrepo.com/api/v1/tokenboard/workflows/install-plan?uuid=67ac2a2b-e81c-50f9-bb30-0943e7df8787&target=codex\n- raw content: https://tokrepo.com/raw/67ac2a2b-e81c-50f9-bb30-0943e7df8787\n\nCommands:\n- choose the current runtime; do not use unsupported CLI targets.\n- Codex: npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target codex\n- Gemini CLI: npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 --target gemini\n- Claude Code / project agent: run npx -y tokrepo@latest install 67ac2a2b-e81c-50f9-bb30-0943e7df8787 from the project root; add `--dry-run --json` first to inspect the plan.\n- add `--dry-run --json` to the chosen command first; after the plan allows it, run the chosen command.\n\nExecution rules:\n1. Run the install command to stage the asset safely.\n2. Read the staged README, install-plan, and entrypoint files.\n3. Activate scripts, MCP config, or global config only after user confirmation.\n4. Verify usability with the install-plan post_verify checks and the asset README.\n\nReport back with changed files, verification result, and how to use the asset next.","next_steps":["Run the install command to stage the asset safely.","Read the staged README, install-plan, and entrypoint files.","Activate scripts, MCP config, or global config only after user confirmation.","Verify usability with the install-plan post_verify checks and the asset README."],"success_check":["The asset is safely staged.","The agent can give clear activation steps from the staged content."]},"install_contract":{"version":"1.0","installReady":false,"title":"mcp-audit — Scan MCP Configs for Secrets & Shadow APIs","summary":"Audit MCP server configs and source trees to find exposed secrets, risky endpoints, and model access. Outputs JSON/CSV/SARIF/CycloneDX AI-BOM for CI gates.","assetType":"MCP Configs","pageUrl":"","sourceUrl":"https://github.com/apisec-inc/mcp-audit","intendedFor":[],"firstActions":[],"agentFirstSteps":[],"targetPaths":[],"verification":[],"startingPoints":[],"example":"","successOutcome":"","boundaries":[],"askUserIf":["the current workspace stack cannot be matched to a safe upstream template","the target path is not the project root, or an existing file should be merged instead of overwritten"]}}