The Model Context Protocol (MCP) lets agents connect to external tools and data sources through a standard interface. Drako integrates with MCP in two directions: it detects MCP server usage during scanning, and it exposes its own MCP server so that MCP-compatible clients can call Drako’s governance APIs directly.

MCP servers in Agent BOM output

When you run drako bom, Drako’s static analysis detects any MCP servers configured in your agent project and includes them in the inventory:
Agents     3  researcher, writer, reviewer
Tools     12  web_search, file_reader, code_runner, ...
Models     2  gpt-4o, claude-sonnet-4-20250514
MCP        1  server (filesystem)
Prompts    4  system prompts (content hashed, not exposed)
Perms         filesystem, network, code_execution
Framework  crewai 0.86.0
MCP server entries contribute to the permission surface reported in the Perms field. A filesystem MCP server, for example, will surface filesystem in the permissions list, which can trigger relevant scan rules.

Drako’s MCP server

Drako ships a local MCP server (drako-local) that exposes Drako’s governance capabilities to any MCP-compatible client — Claude Desktop, Cursor, or custom agents.

Available tools

The server exposes five tools over the MCP JSON-RPC protocol:
Log an agent action to the immutable audit hash chain.
{
  "agent_did": "did:drako:abc123",
  "action_type": "tool_call",
  "action_description": "Called web_search with query: climate policy 2025",
  "metadata": { "tool_name": "web_search" }
}
Verify an agent’s identity and retrieve its trust score.
{
  "agent_name": "researcher",
  "agent_role": "Searches the web and summarizes findings"
}
Evaluate whether an action is permitted by the active governance policies.
{
  "action": "tool:code_runner",
  "agent_did": "did:drako:abc123",
  "context": { "tool_name": "code_runner", "scope": "default" }
}
Verify the cryptographic integrity of the audit hash chain.
{
  "last_n": 100
}
Check the tenant’s current usage quota against configured limits.
{}

Transports

The server supports two transports:
For local tools like Claude Desktop and Cursor. The server reads JSON-RPC requests from stdin and writes responses to stdout.
from drako.mcp.local_server import run_stdio

run_stdio(
    api_key="your-api-key",
    endpoint="https://api.getdrako.com",
    tenant_id="your-tenant-id",
)

Smithery configuration

Drako’s MCP server is deployable as a container via Smithery. The server accepts two configuration properties:
| Property | Required | Description |
|---|---|---|
| apiKey | No | Your Drako platform API key. Required for runtime governance features; optional for scan-only use. |
| policyEndpoint | No | URL of your Drako backend for policy evaluation and audit logging. |
The container listens on port 8000 by default.

Scanning MCP-enabled agents

MCP tool calls go through the same enforcement pipeline as any other tool call. If your agent uses an MCP server, governance rules that apply to network access, filesystem access, or code execution will fire based on the permissions declared by that server. To include MCP server detection in your scan:
drako scan .
drako bom .  # Shows MCP servers in the inventory

MCP server directory

Drako publishes governance assessments for popular MCP servers at getdrako.com/mcp-directory. Each entry includes:
  • Permission scope (filesystem, network, code execution, etc.)
  • Input validation analysis
  • Governance assessment and grade
Before adding a third-party MCP server to your agent, check the directory to understand its permission surface and any known governance gaps.

Configuring MCP-enabled agents in .drako.yaml

If your agent uses MCP servers, declare them explicitly in .drako.yaml to apply ODD policies:
.drako.yaml
governance_level: balanced

tools:
  filesystem_mcp:
    type: read
    description: "MCP filesystem server — read-only access"
  code_mcp:
    type: execute
    description: "MCP code execution server"

policies:
  odd:
    researcher:
      permitted_tools: [filesystem_mcp]
      forbidden_tools: [code_mcp]
This prevents the researcher agent from calling the code execution MCP server even if the server is available in the environment.
MCP servers that expose execute or write capabilities will trigger CRITICAL scan findings (SEC-005) if they are reachable by any agent without an explicit policy permitting the access.
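
A local approximation of this rule, as an added example that is not Drako's scanner code: it flags execute or write tools that an agent's ODD policy neither permits nor forbids, and also flags tools listed as both. The config is the .drako.yaml above written as a Python dict, the agent names come from the sample drako bom output, and treating an agent with no ODD entry as able to reach every declared tool is an assumption.

```python
# Added example: local approximation of the check described above, not Drako's scanner.
# CONFIG mirrors the .drako.yaml on this page as a Python dict (constructed input).
HIGH_RISK_TYPES = {"execute", "write"}

CONFIG = {
    "governance_level": "balanced",
    "tools": {
        "filesystem_mcp": {"type": "read"},
        "code_mcp": {"type": "execute"},
    },
    "policies": {
        "odd": {
            "researcher": {
                "permitted_tools": ["filesystem_mcp"],
                "forbidden_tools": ["code_mcp"],
            }
        }
    },
}

# Agent names taken from the sample `drako bom` output on this page.
AGENTS = ["researcher", "writer", "reviewer"]


def ungoverned_high_risk(config, agents):
    """Return sorted (agent, tool, reason) triples for execute/write tools that an
    agent's ODD policy neither permits nor forbids, or lists as both.

    Assumption: an agent with no ODD entry can reach every declared tool.
    """
    odd = (config.get("policies") or {}).get("odd") or {}
    findings = []
    for tool, spec in (config.get("tools") or {}).items():
        if spec.get("type") not in HIGH_RISK_TYPES:
            continue  # read-only tools are out of scope for this check
        for agent in agents:
            policy = odd.get(agent) or {}
            permitted = set(policy.get("permitted_tools") or [])
            forbidden = set(policy.get("forbidden_tools") or [])
            if tool in permitted and tool in forbidden:
                findings.append((agent, tool, "conflict"))
            elif tool not in permitted and tool not in forbidden:
                findings.append((agent, tool, "no explicit decision"))
    return sorted(findings)


if __name__ == "__main__":
    for agent, tool, reason in ungoverned_high_risk(CONFIG, AGENTS):
        print(f"{agent}: {tool} ({reason})")
```

With the configuration above, only researcher has an explicit decision for code_mcp, so writer and reviewer are reported.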
