analyze-codebase-for-mcp

Analyze an arbitrary codebase to identify functions, APIs, and data sources suitable for exposure as MCP tools, producing a tool specification document. Use when planning an MCP server for an existing project, auditing a codebase before wrapping it as an AI-accessible tool surface, comparing what a codebase can do versus what is already exposed via MCP, or generating a tool spec to hand off to scaffold-mcp-server.

9 stars

Best use case

analyze-codebase-for-mcp is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Analyze an arbitrary codebase to identify functions, APIs, and data sources suitable for exposure as MCP tools, producing a tool specification document. Use when planning an MCP server for an existing project, auditing a codebase before wrapping it as an AI-accessible tool surface, comparing what a codebase can do versus what is already exposed via MCP, or generating a tool spec to hand off to scaffold-mcp-server.

Teams using analyze-codebase-for-mcp should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyze-codebase-for-mcp/SKILL.md --create-dirs "https://raw.githubusercontent.com/pjt222/agent-almanac/main/i18n/caveman-lite/skills/analyze-codebase-for-mcp/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/analyze-codebase-for-mcp/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How analyze-codebase-for-mcp Compares

Feature / Agentanalyze-codebase-for-mcpStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Analyze an arbitrary codebase to identify functions, APIs, and data sources suitable for exposure as MCP tools, producing a tool specification document. Use when planning an MCP server for an existing project, auditing a codebase before wrapping it as an AI-accessible tool surface, comparing what a codebase can do versus what is already exposed via MCP, or generating a tool spec to hand off to scaffold-mcp-server.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Analyze Codebase for MCP

Scan a codebase to discover functions, REST endpoints, CLI commands, and data access patterns that are good candidates for MCP tool exposure, then produce a structured tool specification document.

## When to Use

- Planning an MCP server for an existing project and need to know what to expose
- Auditing a codebase before wrapping it as an AI-accessible tool surface
- Comparing what a codebase can do versus what is already exposed via MCP
- Generating a tool specification document to hand off to `scaffold-mcp-server`
- Evaluating whether a third-party library is worth wrapping as MCP tools

## Inputs

- **Required**: Path to the codebase root directory
- **Required**: Target language(s) of the codebase (e.g., TypeScript, Python, R, Go)
- **Optional**: Existing MCP server code to compare against (gap analysis)
- **Optional**: Domain focus (e.g., "data analysis", "file operations", "API integration")
- **Optional**: Maximum number of tools to recommend (default: 20)

## Procedure

### Step 1: Scan Codebase Structure

1.1. Use `Glob` to map the directory tree, focusing on source directories:
   - `src/**/*.{ts,js,py,R,go,rs}` for source files
   - `**/routes/**`, `**/api/**`, `**/controllers/**` for endpoint definitions
   - `**/cli/**`, `**/commands/**` for CLI entry points
   - `**/package.json`, `**/setup.py`, `**/DESCRIPTION` for dependency metadata

1.2. Categorize files by role:
   - **Entry points**: main files, route handlers, CLI commands
   - **Core logic**: business logic functions, algorithms, data transformers
   - **Data access**: database queries, file I/O, API clients
   - **Utilities**: helpers, formatters, validators

1.3. Count total files, lines of code, and exported symbols to gauge project size.

**Got:** A categorized file inventory with role annotations.

**If fail:** If the codebase is too large (>10,000 files), narrow the scan to specific directories or modules using the domain focus input. If no source files are found, verify the root path and language parameters.

### Step 2: Identify Exposed Functions and Endpoints

2.1. Use `Grep` to find exported functions and public APIs:
   - TypeScript/JavaScript: `export (async )?function`, `export default`, `module.exports`
   - Python: functions not prefixed with `_`, `@app.route`, `@router`
   - R: functions listed in NAMESPACE or `#' @export` roxygen tags
   - Go: capitalized function names (exported by convention)

2.2. For each candidate function, extract:
   - **Name**: function or endpoint name
   - **Signature**: parameters with types and defaults
   - **Return type**: what the function produces
   - **Documentation**: docstrings, JSDoc, roxygen, godoc
   - **Location**: file path and line number

2.3. For REST APIs, additionally extract:
   - HTTP method and route pattern
   - Request body schema
   - Response shape
   - Authentication requirements

2.4. Build a candidate list sorted by potential utility (public, documented, well-typed functions first).

**Got:** A list of 20-100 candidate functions/endpoints with extracted metadata.

**If fail:** If few candidates are found, broaden the search to include internal functions that could be made public. If documentation is sparse, flag this as a risk in the output.

### Step 3: Evaluate MCP Suitability

3.1. For each candidate, assess against MCP tool criteria:

   - **Input contract clarity**: Are parameters well-typed and documented? Can they be described in a JSON Schema?
   - **Output predictability**: Does the function return structured data (JSON-serializable)? Is the return shape consistent?
   - **Side effects**: Does the function modify state (files, database, external services)? Side effects must be clearly labeled.
   - **Idempotency**: Is the operation safe to retry? Non-idempotent tools need explicit warnings.
   - **Execution time**: Will it complete within a reasonable timeout (< 30 seconds)? Long-running operations need async patterns.
   - **Error handling**: Does it throw structured errors or fail silently?

3.2. Score each candidate on a 1-5 scale:
   - **5**: Pure function, typed I/O, documented, fast, no side effects
   - **4**: Well-typed, documented, minor side effects (e.g., logging)
   - **3**: Reasonable I/O contract but needs wrapping (e.g., returns raw objects)
   - **2**: Significant side effects or unclear contract, needs substantial adaptation
   - **1**: Not suitable without major refactoring

3.3. Filter candidates to those scoring 3 or above. Flag score-2 items as "future candidates" requiring refactoring.

**Got:** A scored and filtered candidate list with suitability rationale for each.

**If fail:** If most candidates score below 3, the codebase may need refactoring before MCP exposure. Document the gaps and recommend specific improvements (add types, extract pure functions, wrap side effects).

### Step 4: Design Tool Specifications

4.1. For each selected candidate (score >= 3), draft a tool specification:

```yaml
- name: tool_name
  description: >
    One-line description of what the tool does.
  source_function: module.function_name
  source_file: src/path/to/file.ts:42
  parameters:
    param_name:
      type: string | number | boolean | object | array
      description: What this parameter controls
      required: true | false
      default: value_if_optional
  returns:
    type: string | object | array
    description: What the tool returns
  side_effects:
    - description of any side effect
  estimated_latency: fast | medium | slow
  suitability_score: 5
```

4.2. Group tools into logical categories (e.g., "Data Queries", "File Operations", "Analysis", "Configuration").

4.3. Identify dependencies between tools (e.g., "list_datasets" should be called before "query_dataset").

4.4. Determine if any tools need wrappers to:
   - Simplify complex parameter objects into flat inputs
   - Convert raw return values to structured text or JSON
   - Add safety guards (e.g., read-only wrappers for database functions)

**Got:** A complete YAML tool specification with categories, dependencies, and wrapper notes.

**If fail:** If tool specifications are ambiguous, revisit Step 2 to extract more detail from source code. If parameter types cannot be inferred, flag for manual review.

### Step 5: Generate Tool Spec Document

5.1. Write the final specification document with these sections:
   - **Summary**: Codebase overview, language, size, and analysis date
   - **Recommended Tools**: Full specifications from Step 4, grouped by category
   - **Future Candidates**: Score-2 items with refactoring recommendations
   - **Excluded Items**: Score-1 items with exclusion rationale
   - **Dependencies**: Tool dependency graph
   - **Implementation Notes**: Wrapper requirements, authentication needs, transport recommendations

5.2. Save as `mcp-tool-spec.yml` (machine-readable) and optionally `mcp-tool-spec.md` (human-readable summary).

5.3. If an existing MCP server was provided, include a gap analysis section:
   - Tools in the spec but not yet implemented
   - Implemented tools not in the spec (possibly stale)
   - Tools with specification drift (implementation diverges from spec)

**Got:** A complete tool specification document ready for consumption by `scaffold-mcp-server`.

**If fail:** If the document exceeds reasonable size (>200 tools), split into modules with cross-references. If the codebase has no suitable candidates, produce a "readiness assessment" document with refactoring recommendations instead.

## Validation

- [ ] All source files in the target codebase were scanned
- [ ] Candidate functions have extracted names, signatures, and return types
- [ ] Each candidate has a suitability score with written rationale
- [ ] Tool specifications include complete parameter schemas with types
- [ ] Side effects are explicitly documented for every tool
- [ ] The output document is valid YAML (parseable by any YAML library)
- [ ] Tool names follow MCP conventions (snake_case, descriptive, unique)
- [ ] Categories and dependencies form a coherent tool surface
- [ ] Gap analysis is included when an existing MCP server was provided
- [ ] Future candidates section lists refactoring steps needed for score-2 items

## Pitfalls

- **Exposing too many tools**: AI assistants work best with 10-30 focused tools. Prioritize breadth of capability over depth. Resist exposing every public function.
- **Ignoring side effects**: A function that "just reads" but also writes to a log or cache still has side effects. Audit carefully with `Grep` for file writes, network calls, and database mutations.
- **Assuming type safety**: Dynamic languages (Python, R, JavaScript) may have functions with no type annotations. Infer types from usage patterns and tests, but flag uncertainty in the spec.
- **Missing authentication context**: Functions that work in an authenticated web request may fail when called via MCP without session context. Check for implicit auth dependencies such as session cookies, JWT tokens, or environment-injected credentials.
- **Over-engineering wrappers**: If a function needs a 50-line wrapper to be MCP-compatible, it may not be a good candidate. Prefer functions that map naturally to tool interfaces.
- **Neglecting error paths**: MCP tools must return structured errors. Functions that throw untyped exceptions need error-handling wrappers.
- **Conflating internal and external APIs**: Internal helper functions called by other internal code are poor MCP candidates. Focus on functions designed for external consumption or clear boundary APIs.
- **Skipping the gap analysis**: If an existing MCP server is provided, always compare the spec against current implementation. Without gap analysis, you risk duplicating work or missing stale tools.

## Related Skills

- `scaffold-mcp-server` - use the output spec to generate a working MCP server
- `build-custom-mcp-server` - manual server implementation reference
- `configure-mcp-server` - connect the resulting server to Claude Code/Desktop
- `troubleshoot-mcp-connection` - debug connectivity after deploying the server
- `review-software-architecture` - architecture review for tool surface design
- `security-audit-codebase` - security audit before exposing functions externally

Related Skills

security-audit-codebase

9
from pjt222/agent-almanac

Perform a security audit of a codebase checking for exposed secrets, vulnerable dependencies, injection vulnerabilities, insecure configurations, and OWASP Top 10 issues. Use before publishing or deploying a project, for periodic security reviews, after adding authentication or API integration, before open-sourcing a private repository, or when preparing for a security compliance audit.

review-codebase

9
from pjt222/agent-almanac

Multi-phase deep codebase review with severity ratings and structured output. Covers architecture, security, code quality, and UX/accessibility in a single coordinated pass. Produces a prioritized findings table suitable for direct conversion to GitHub issues via the create-github-issues skill.

clean-codebase

9
from pjt222/agent-almanac

Remove dead code, unused imports, fix lint warnings, and normalize formatting across a codebase without changing business logic or architecture. Use when lint warnings have piled up during rapid development, unused imports and variables clutter files, dead code paths were never removed, formatting is inconsistent, or static analysis tools report fixable hygiene issues.

analyze-tensegrity-system

9
from pjt222/agent-almanac

Analyze a tensegrity system by identifying compression struts and tension cables, classifying type (class 1/2, biological/architectural), computing prestress equilibrium, verifying stability via Maxwell's rigidity criterion, and mapping biological tensegrity (microtubules, actin, intermediate filaments). Use when evaluating tensegrity in architecture, robotics, cell biology, or any system with isolated compression in continuous tension.

analyze-prime-numbers

9
from pjt222/agent-almanac

Analyze prime numbers using primality tests, factorization algorithms, prime distribution analysis, and sieve methods. Covers trial division, Miller-Rabin, Sieve of Eratosthenes, and the Prime Number Theorem. Use when determining whether an integer is prime or composite, finding prime factorizations, counting or listing primes up to a bound, or investigating prime properties within a number-theoretic proof or computation.

analyze-magnetic-levitation

9
from pjt222/agent-almanac

Analyze magnetic levitation systems by applying Earnshaw's theorem to determine whether passive static levitation is possible, then identifying the appropriate circumvention mechanism (diamagnetic, superconducting, active feedback, or spin-stabilized). Use when evaluating maglev transport, magnetic bearings, superconducting levitation, diamagnetic suspension, or Levitron-type devices. Covers force balance calculations, stability analysis in all spatial and tilting modes, and Meissner effect versus flux pinning distinctions.

analyze-magnetic-field

9
from pjt222/agent-almanac

Calculate and visualize magnetic fields produced by current distributions using the Biot-Savart law, Ampere's law, and magnetic dipole approximations. Use when computing B-fields from arbitrary current geometries, exploiting symmetry with Ampere's law, analyzing superposition of multiple sources, or characterizing magnetic materials through permeability, B-H curves, and hysteresis behavior.

analyze-kernel-bottleneck

9
from pjt222/agent-almanac

Systematically identify whether a GPU kernel is compute-bound, memory-bound, or latency-bound using roofline analysis, occupancy calculations, compute/load ratio per tile, and SASS instruction inspection. Produces a decision matrix for optimization strategy selection (cp.async, warp interleaving, tiling, double-buffering, or CuAssembler hand-tuning).

analyze-generative-diffusion-model

9
from pjt222/agent-almanac

Analyze pre-trained generative diffusion models (Stable Diffusion, DALL-E, Flux) by computing quality metrics (FID, IS, CLIP score, precision/recall), inspecting noise schedules, extracting and visualizing attention maps, and probing latent spaces. Use when evaluating a pre-trained generative diffusion model's output quality, comparing noise schedule variants, analyzing cross-attention patterns for text-conditioned generation, interpolating between latent codes, or detecting out-of-distribution inputs.

analyze-diffusion-dynamics

9
from pjt222/agent-almanac

Analyze the dynamics of diffusion processes using stochastic differential equations, Fokker-Planck equations, first-passage time distributions, and parameter sensitivity analysis. Use when deriving probability density evolution for a continuous-time diffusion process, computing mean first-passage times for bounded diffusion, analyzing how drift and diffusion parameters affect process behavior, or validating closed-form solutions against stochastic simulation.

analyze-codebase-workflow

9
from pjt222/agent-almanac

Analyze an arbitrary codebase to auto-detect workflows, data pipelines, and file dependencies using putior's put_auto() engine. Produces an annotation plan that maps detected I/O patterns to source files across 30+ supported languages with 902 auto-detection patterns. Use when onboarding onto an unfamiliar codebase to understand data flow, starting putior integration in a project without existing annotations, auditing a project's data pipeline before documentation, or preparing an annotation plan before running annotate-source-files.

skill-name-here

9
from pjt222/agent-almanac

One to three sentences describing what this skill accomplishes, followed by key activation triggers. This field is the primary mechanism agents use to decide whether to activate the skill — it is read during discovery before the full body is loaded. Start with a verb. Include the most important "when to use" conditions inline. Max 1024 characters.