Features · MCP & external access

MCPs, Skills, tools, domains.
Oh my.

Every MCP server, tool, Skill, plugin, and external domain your agents touched — one inventory, with who reached it, how often, and whether anyone has signed off. The answer to “what is this thing even talking to?”

Free to start · Rolls up from your session reports

External access

90-day observed window · generated now · organization-wide

External domains: 47 · MCP servers: 12 · MCP tools: 31 · Skills: 9 · Needs review: 3

All 99 · MCP servers 12 · MCP tools 31 · Skills 9 · Plugins 4 · External domains 47 · Needs review 3 · Blocked 1

| Resource | Kind | Status | Sessions | Calls | Reached by | Last |
|---|---|---|---|---|---|---|
| github.com (domain · git + api.github.com) | Domain | Sanctioned | 41 | 2,890 | team | 12m |
| web-search (mcp_server:web-search) | MCP server | Sanctioned | 22 | 1,204 | 6 engineers | 1h |
| api.stripe.com (domain · payments) | Domain | Sanctioned | 14 | 312 | alex, maya | 2h |
| api.example-vendor.com (domain · not on allowlist) | Domain | Needs review | 3 | 47 | maya | 2d |
| filesystem (mcp_server:filesystem) | MCP server | Sanctioned | 18 | 642 | 5 engineers | 3h |
| pdf-export (skill:pdf-export) | Skill | Sanctioned | 7 | 53 | alex | 1d |
| browser_navigate (mcp_tool:playwright/browser_navigate) | MCP tool | Unreviewed | 18 | 260 | maya | 4h |
| unknown-cdn.io (domain · first seen this week) | Domain | Blocked | 1 | 2 | sam | 3d |

What it is

An external-access report is the running inventory of every dependency your agents pull in — MCP servers and tools, Skills, plugins, and the domains they call — rolled up from session telemetry. Nothing to instrument. It fills in as your agents work.

The inventory

Everything your agents reach, in one place.

One row per dependency — sorted, filterable by kind, and tagged with a review status. Skim the whole surface in a minute; drill into anything that isn’t signed off yet.

Security · governance

Catch what you never sanctioned.

Every new domain and tool lands as unreviewed until someone signs off. Filter to what needs a decision — vet it, allowlist it, or block it — before it becomes the thing nobody knew about.

  • Off-allowlist domains flagged the first time they’re hit
  • One-click sanction, review, or block
  • The answer when the CISO asks “what are we talking to?”

Filter · needs review & blocked

api.example-vendor.com | Domain | Needs review | 47
browser_navigate | MCP tool | Unreviewed | 260
unknown-cdn.io | Domain | Blocked | 2

Engineering · Skills

The Skills your team leans on.

Which Skills your agents actually pull in, ranked by use — so leads can see what's catching on, standardize the winners into the org registry, and spot anything spreading without review.

  • Ranked by sessions and calls
  • Promote the ones catching on into the org registry
  • Spot Skills spreading without review

Skills · most used · 90-day window

| Skill | Sessions | Calls |
|---|---|---|
| code-review (skill:code-review) | 41 | 1,180 |
| test-runner (skill:test-runner) | 33 | 940 |
| pdf-export (skill:pdf-export) | 18 | 212 |
| schema-migrate (skill:schema-migrate) | 7 | 96 |

At a glance

Nothing reaches out unseen.

Directional figures from a week of rollup — the point is that every one of them is accounted for.

  • 47 external domains reached, all catalogued
  • 12 MCP servers in use across the org
  • 9 Skills your agents pulled in
  • 3 need a review — surfaced, not buried

What’s most intriguing is seeing what’s on the sanctions list — we’ve told our team these are the safest tools to use, and seeing what people are using on their own would be really interesting.

Head of Security · early-stage SaaS

Get started

See what your agents are reaching for.

One command. The inventory fills in as your agents work — free to start.

curl -fsSL https://www.backplanes.com/spotlight/install.sh | sh