Install both tools in 5 minutes
End-to-end walkthrough. No build step, no package manager, no cloud account. Every command runs locally.
0. Prerequisites
- Node 22+ — for built-in
node:sqlite. Node 25+ recommended (flag-free). - Claude Code — optional, only needed for the skill install path.
- gh CLI — optional, raises GHSA rate limits when present.
1. Scan your current project
One command. No clone, no global install. Detects your stack from manifests and prints what to install. The offline gate is verify --offline; --no-audit still checks live registry metadata but skips advisory feeds.
npx -y @froggychips/mcp-vault scan --cwd .
Prefer it on PATH for repeated use: npm i -g @froggychips/mcp-vault, then drop the npx -y prefix.
2. Check local readiness
Doctor checks Node, optional helper CLIs, project MCP config, and global Claude MCP config. It never prints token values.
npx -y @froggychips/mcp-vault doctor
3. Optional — install the vault as a Claude Code skill
If you want Claude to call the vault by itself when you ask “what MCP should I add?”, drop the skill folder into your skills directory.
git clone https://github.com/froggychips/mcp-skills-vault.git
mkdir -p ~/.claude/skills
cp -r mcp-skills-vault/mcp-ecosystem-intelligence ~/.claude/skills/
4. Verify the vault DB offline
Use this for air-gapped smoke checks. It validates stored pins only and makes no registry/advisory network calls.
npx -y @froggychips/mcp-vault verify --offline
5. Install mcp-trace
Same shape: clone, verify version. Zero npm deps.
git clone https://github.com/froggychips/mcp-trace.git
cd mcp-trace
node bin/mcp-trace.cjs --version
6. Wrap an MCP server with trace
Edit your project’s .mcp.json (or ~/.claude.json). Point command at mcp-trace, with the real server after --.
{
"mcpServers": {
"github": {
"command": "node",
"args": [
"/abs/path/to/mcp-trace/bin/mcp-trace.cjs",
"proxy", "github", "--",
"docker", "run", "-i", "--rm",
"-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
"ghcr.io/github/github-mcp-server@sha256:..."
],
"env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}" }
}
}
}
Restart Claude Code so it picks up the new command.
7. After a session, look at what happened
The SQLite file at ~/.mcp-trace/traces.db has every JSON-RPC frame’s metadata. Three subcommands query it.
node bin/mcp-trace.cjs stats
node bin/mcp-trace.cjs tools github
node bin/mcp-trace.cjs tokens github
You now know which tools your servers actually use, their p50/p95 latency, error rates, and a rough token-cost estimate.
8. Optional: audit your installed setup
Diff what’s actually installed against the vault DB. Flags drift, untrusted entries, unbounded heavy servers, and scope issues.
node ~/.claude/skills/mcp-ecosystem-intelligence/scripts/audit_setup.cjs
Both tools have useful local/offline paths. The vault’s advisory feeds and
mcp-trace’s registry-aware token estimates are additive
— the offline gate still runs.