v0.2 · cexagent · MIT open source

A clean contract from
a serial rugger is still a rug.

Other token-safety MCPs return the contract verdict and stop. We also check the deployer's history, verify the LP-lock is real, and trace whether liquidity was bridged in 24h before launch. Six tools, one verdict, free.

Install in 30 seconds →

stdio MCP · Node 20+ · zero user data

Why it exists

The judgment layer no one else builds.

Beyond the contract

GoPlus tells you the contract is fine. We also check whether the wallet shipping it has prior honeypots, sanctions, mixer use, or fake-token issuance — pulled from SlowMist + BlockSec via GoPlus address-security.

Lock reality, not lock theater

'LP locked' means nothing if the lock is in a custom contract with a backdoor. We resolve each top LP holder against a registry of legit lockers (UNCX, Team Finance, PinkLock, Mudra) — anything else gets flagged.

Rented-LP detection

Common rug pattern: bridge funds in, deploy fresh token, dump, bridge out. We trace LP-seeder funding sources against a registry of known bridges (Stargate, Across, Wormhole, Synapse) and flag bridged-in liquidity on young pools.

Tools

Six tools, four of them judgment-bearing.

xray()

Main verdict tool. Merges contract security + LP + market + deployer reputation into a green/yellow/red call with reasons.

deployer_history()

Resolves the deploying wallet, looks up its rep: prior malicious contracts, same-creator honeypots, sanctions, mixer, phishing, fake-token issuance.

lp_lock_reality()

Classifies each top LP holder as verified locker / DEX pool / EOA / burn / unknown contract. Catches custom-locker backdoors. EVM only.

bridge_lp_check()

Detects rented liquidity. Traces LP-seeder funding sources, flags bridged-in capital before pool creation. EVM only.

token_security()

Raw GoPlus safety fields passthrough. For when you want unopinionated data.

token_market()

Raw DexScreener pairs passthrough. Liquidity, 24h volume, price change, tx counts.

Supported chains

GoPlus covers everything that matters.

Ethereumlive

BSClive

Polygonlive

Arbitrumlive

Baselive

Avalanchelive

Optimismlive

Solanalive

Install

Paste one line. Restart. Done.

Runs locally as a subprocess of your agent. Calls go straight to GoPlus + DexScreener public APIs — nothing through our servers.

~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "token-xray": {
      "command": "npx",
      "args": ["-y", "token-xray"],
      "env": {
        "ETHERSCAN_API_KEY": "your_key_here"
      }
    }
  }
}

Privacy

Nothing to collect. Nothing to leak.

privacy_policy.txt

No accounts. No login. No API keys. We run no backend. Queries go straight from your agent to public endpoints (GoPlus free tier + DexScreener). Source on GitHub, MIT.