Skip to main content
semantic tool discovery · mcp builder · index engine

ToolStorePy

// describe tools in plain english. get a running mcp server.

ToolStorePy takes a queries.json of natural-language tool requests, semantically retrieves matched repositories from a curated index, runs AST and optional LLM security scanning, merges secret templates, and synthesizes one runnable mcp_unified_server.py — on any host and port, with full build-time auditability.

pip install toolstorepy
queries.json → build
# 1. describe what you need
$ cat queries.json
[
  { "tool_description":
      "evaluate arithmetic expressions" },
  { "tool_description":
      "convert units of measurement" }
]

# 2. build (LLM scan, custom port)
$ toolstorepy build \
    --queries queries.json \
    --index core-tools \
    --llm-scan \
    --port 9090

[✓] retrieved: calculator (0.94)
[✓] retrieved: unit-converter (0.91)
[✓] AST scan complete
[✓] LLM scan: INCLUDE (confidence=HIGH)
[✓] build complete → port 9090

# 3. run
$ python mcp_unified_server.py

Architecture

Build pipeline

01
queries.json
Natural-language tool descriptions
02
Semantic retrieval
SentenceTransformer + ChromaDB top-k
03
Cross-encoder rerank
Precision pass over candidate set
04
Clone + AST scan
Static security analysis, env merge
05
LLM scan (optional)
--llm-scan: autonomous include/skip, any provider
06
MCP synthesis
Single auditable server file, custom host:port

Capabilities

Core surface

Build

One server from many repos

Resolves an index, runs semantic retrieval + reranking, clones winning repos, and synthesizes a single mcp_unified_server.py. Configure host and port at build time.

Index

Bring your own tool index

Author catalogs from a JSON manifest, embed them locally into ChromaDB, and distribute via URL. Custom discovery, no hardcoding.

Security

AST + LLM supply-chain review

Static AST scanning flags shell exec, deserialization, and env leaks. Opt-in LLM scan reviews full source autonomously — no human prompt needed.

Security Scanner

Trust boundaries

Every cloned repository passes through a static AST scanner before contributing to the final MCP server. Pass --llm-scan to add a full-source LLM review that makes autonomous include/skip decisions — no human prompt, any model provider via LangChain.

Read the security model
HIGHShell exec, dynamic eval, unsafe deserialization — requires approval or LLM skip
MEDIUMCapability imports, env access, dynamic reflection
LOWCrypto primitives, deprecated modules, potential secret logging

Stop wiring tools by hand.

ToolStorePy is open source. Describe what you need, retrieve the best match, audit the supply chain, ship the server.

toolstorepy build --queries queries.json --index core-tools --llm-scan --port 9090