MCP · 6 min read

Running OverlayRiskWitness from the MCP server

OverlayRiskWitness Team
Evidence engineering

OverlayRiskWitness ships as a Model Context Protocol server, so an AI agent can run a witness, read findings, and trigger a packet without leaving its toolchain. Here is the setup.

The Model Context Protocol (MCP) lets an AI client call external tools through a standard interface. OverlayRiskWitness exposes its witness contract as an MCP server, so an agent can scan a URL and reason over the findings the same way it would call any other tool.

Two transports

You can run the server locally over stdio for a desktop client, or hit the hosted Streamable-HTTP endpoint at POST /mcp. Both expose the same witness tool; the hosted endpoint is stateless and guarded the same way the public /api/witness route is.

Local stdio config (JSON):
{
  "mcpServers": {
    "overlayrisk-witness": {
      "command": "node",
      "args": ["./app/bin/start-mcp.js"],
      "env": { "APP_URL": "https://overlayrisk.com" }
    }
  }
}

Calling the witness tool

The tool takes a public URL and returns the same payload as the REST endpoint: the overlay vendor detected, how many claims were tested, the first finding in full, and a count of the locked findings behind the $49 packet.
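Because the tool's only input is a URL that the server will load, an agent host can check that the target looks public before it builds the call. The sketch below is an added example, not OverlayRiskWitness code: it validates the URL and constructs the MCP tools/call request for the hosted POST /mcp endpoint. The argument name url and the helper names are assumptions; the tool name witness is taken from the post.

```javascript
// Added example, not OverlayRiskWitness code. Assumption: the "witness" tool
// takes one argument named "url" (hypothetical; confirm against tools/list).
// This is a syntactic pre-check only; it does not resolve DNS.

// True when a canonical dotted quad is unspecified, loopback, private,
// link-local or carrier-grade NAT space.
function isNonPublicIPv4(host) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns null when the target looks public, otherwise the rejection reason.
function rejectReason(target) {
  let u;
  try { u = new URL(target); } catch { return "not a URL"; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return "scheme not http(s)";
  if (u.username || u.password) return "embedded credentials";
  // WHATWG URL parsing has already canonicalised forms such as 0x7f.0.0.1.
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[")) return "IPv6 literal"; // conservative: reject all
  if (isNonPublicIPv4(host)) return "non-public IPv4 address";
  if (host === "localhost" || /\.(localhost|local|internal)$/.test(host)) return "internal hostname";
  if (!host.includes(".")) return "single-label hostname";
  return null;
}

// Builds the JSON-RPC tools/call request for POST /mcp; throws on a rejected URL.
function buildWitnessCall(target, id = 1) {
  const reason = rejectReason(target);
  if (reason) throw new Error(`refusing to scan ${JSON.stringify(target)}: ${reason}`);
  return {
    headers: {
      "Content-Type": "application/json",
      "Accept": "application/json, text/event-stream",
    },
    body: {
      jsonrpc: "2.0",
      id,
      method: "tools/call",
      params: { name: "witness", arguments: { url: new URL(target).href } },
    },
  };
}
```

The returned headers and body can be passed to any HTTP client; the Accept value lists both content types because a Streamable-HTTP server may answer with either plain JSON or an event stream.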

Registry listings

The server is published to the official MCP registry, Glama, and npm, with a hosted Streamable-HTTP endpoint for Smithery. An agent can discover it without any manual wiring.

Because the witness is read-only and never mutates the target site, it is safe to hand to an autonomous agent — the worst it can do is load a public page twice and report what an accessibility engine saw.