A meta-server that lets you dynamically load any of 130,000+ MCP servers at runtime without restart or permanent context cost. Instead of keeping every tool loaded, you call shapeshift() to mount just what you need, use it, then release it back to a flat 1,321 token floor. Pulls from seven registries including Glama, Smithery, and the official MCP registry. The win is situational: if you'd otherwise run two or more always-on servers, Kitsune keeps context lean and tool selection focused. If you only ever need one small server, always-on is cheaper. Best for workflows that touch multiple APIs intermittently or need access to long-tail tooling without paying the schema tax every turn.
One config entry. Discover, connect to, and run any of 130,000+ MCP servers at runtime — no restart, no per-server setup.
Kitsune is a runtime MCP proxy. It discovers, connects to, and runs any of 130,000+ MCP servers live, mid-session — no config edit, no client restart (134,945 indexed on Glama alone as of May 2026). shapeshift(server_id) connects to a target server and makes its tools callable in the current turn; shapeshift() with no args disconnects and drops them again.
The core advantage is the runtime, not the token count. Adding a normal MCP server means editing your client config and restarting the session. Kitsune removes both steps: the model can reach — and execute — a server it has never seen, without you touching config or restarting. That is the durable win: access and execution on demand.
Two use cases where nothing else fits:
shapeshift() back into it, and call it again in the same session — an edit → reload → test loop (an MCP REPL) instead of restarting your client on every change.shapeshift() into it — discover, connect, run — then drop it. No config edit, no restart, no leaving the session to go install anything.This is where the name earns itself: you shift into an unfamiliar server's shape, use its tools, and shift back.
What about native deferred loading? Since Claude Code v2.1.7 (Jan 2026), clients defer the tool schemas of configured servers until the model searches for them (Tool Search), so the old "keep tools out of context" benefit is now built into the client for servers you've already set up. Kitsune's edge is the servers you haven't set up — the long tail, one-offs, and anything you'd otherwise add-and-restart for. Standard servers you always keep on (Supabase, Google Drive, GitHub) are likely already configured and deferred natively; Kitsune isn't trying to replace those. It covers everything else, on demand.
Kitsune is not free at rest. It is itself an always-on MCP server: its six built-in tools cost ~1,358 tokens in every turn. Against a client with native deferral, that floor is additive — so don't install Kitsune to save tokens. Install it for reach: one config entry that puts the entire MCP ecosystem one call away, with no restart. The token math below still applies when you compare against servers kept fully mounted (always-on, or clients without native Tool Search).
Native Tool Search already handles the token problem for servers in your config. These four problems it does not touch — they are what Kitsune is for:
| Problem | Without Kitsune | With Kitsune |
|---|---|---|
| Adding a server is a restart. A new MCP server means editing client JSON and restarting the session — you lose your context to gain a tool. | Edit config → restart → re-establish context | shapeshift("server", confirm=True) → tools live, same session |
| Iterating on your own server is a restart per change. Every edit to a tool's schema or behaviour needs a client reboot to take effect. | Edit code → restart client → re-test → repeat | Edit code → release() → connect() → call() — an MCP REPL |
| The long tail can't be pre-installed. 130,000+ servers across Glama, Smithery, npm, PyPI. You will never keep them configured. | Not available — or install-and-restart for a one-off | search() → shapeshift() → call() on demand, then drop it |
| Unknown server code is a supply-chain risk. Running a community server means executing arbitrary code with your credentials. | You run it raw, or you don't run it | Trust-tier consent gate + process/Docker isolation + SSRF & injection guards — with honest limits |
The through-line: reach and execution, at runtime, without giving up your session — and a safety layer because "run any of 130,000 servers on demand" is only usable if running an unknown one is contained.
Shelling out to aws, gcloud, kubectl, or gh from a Bash tool also costs ~0 tokens at rest. So why MCP at all?
Because long-tail CLI commands fail. LLMs have great recall on the top ~20 commands of a CLI they've seen in training (git status, gh pr list, aws s3 cp) and steeply degraded recall on everything else. For an API surface the size of aws (~9,000 subcommands), first-call success drops to 30–50% on long-tail operations — wrong flag names, singular-vs-plural verbs, case-sensitive enums, and silently-deprecated options. Each miss costs a retry turn, and the worst failures aren't errors but plausible-looking wrong calls that succeed.
MCP gives you structured tool schemas the model can read and validate against:
| Approach | Long-tail accuracy | Failure mode | Token cost at rest |
|---|---|---|---|
| CLI fallback | ~30–50% on rare subcommands | Hallucinated flags, silent wrong calls | ~0 |
| Always-on MCP | ~95% across the whole surface | Schema bloat in every turn | ~10–15K per server |
| Kitsune (mount on demand) | ~95% — only when you need it | None — schemas drop after shiftback() | ~1,358 tokens |
That's the structural argument for the hub model: CLI-cheap at rest, MCP-accurate when it matters. For one-off ops on a CLI the model knows cold, gh is fine. For unfamiliar APIs, internal tooling, or any operation where a wrong call has real cost (production AWS changes, billing operations, security flows), Kitsune gives you schema-validated execution without the always-on tax. See examples/scenarios/ for seven worked use cases.
Honest note — this was the original idea, and Tool Search has largely overtaken it. Cutting always-on token overhead was Kitsune's founding motivation. But at roughly the same time it was being built, the client layer solved the same problem natively: since Claude Code v2.1.7 (Jan 2026), configured servers' tool schemas are deferred until the model searches for them (Tool Search). Against such a client the numbers and graph below no longer describe a unique win — Kitsune's ~1,358-token floor is even additive rather than a saving. Treat this section as historical / edge-case: it still holds for servers kept fully mounted always-on or for clients without native deferral, but it is not the reason to run Kitsune today. That reason is runtime reach and live development without a restart (above).
Kitsune carries a fixed ~1,358-token floor (measured: 6 lean-profile tools — run python examples/benchmark.py to reproduce). Every comparison below already includes that floor; it is never subtracted out or hidden. Savings come from the floor staying flat while always-on servers stack linearly:
Saving formula: 1 − (Kitsune base 1,358 + surgical mount) / always-on total
| Always-on servers | Always-on/turn | Kitsune per active call | Saved |
|---|---|---|---|
| GitHub (26 tools) | 4,229 | ~1,658 (1,358 + ~300) | 61% |
| GitHub + filesystem + git | 8,678 | ~1,668–2,048 | 76–81% |
| Notion + GitHub + filesystem + git + memory | 25,000 | ~1,668–3,308 | 87–93% |
Break-even: if you only ever run one small server (e.g. mcp-server-time at ~261 tokens), always-on is cheaper than Kitsune — you'd pay 261 tokens instead of Kitsune's 1,358 floor. Kitsune wins when the always-on alternative exceeds ~1,358 tokens, which happens as soon as you'd keep one medium server (GitHub-sized) or two-plus small ones loaded. The bigger and more numerous your servers, the bigger the win.
This graph compares Kitsune against fully-mounted always-on servers. A client with native Tool Search already flattens most of this curve on its own, so read the chart as "what deferral buys you" — not as something unique to Kitsune.
Fewer tools in context also means more reliable answers. Research consistently shows LLM tool-selection degrades as the visible tool count grows — though on a modern client, native Tool Search delivers much of that focus too.
pip install kitsune-mcp # recommended
# or
uvx kitsune-mcp # isolated env via uv, no venv setup
# or
npx kitsune-mcp # npm (delegates to uvx internally)
Requirements: Python 3.12+ · node/npx for npm-based servers · uvx from uv for PyPI-based servers
Add to your MCP client config — once, globally:
{
"mcpServers": {
"kitsune": { "command": "kitsune-mcp" }
}
}
Compatible with Claude Desktop, Claude Code, Cursor, Cline, OpenClaw, Continue.dev, Zed, and any MCP-compatible client.
| Client | Config file |
|---|---|
| Claude Desktop (macOS) | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Claude Desktop (Windows) | %APPDATA%\Claude\claude_desktop_config.json |
| Claude Code | ~/.claude/mcp.json |
| Cursor / Windsurf | ~/.cursor/mcp.json |
| Cline / Continue.dev | VS Code settings / ~/.continue/config.json |
# Find a server
search("web scraping")
# Mount specific tools, use them, release
shapeshift("notion-hosted", tools=["notion-search"])
call("notion-search", arguments={"query": "roadmap"})
shapeshift() # disconnect; context back to baseline
# One-shot via auto() — use server_hint for reliable routing
auto("current time in Tokyo", server_hint="mcp-server-time")
# Store a credential, then mount
auth("BRAVE_API_KEY", "sk-...")
shapeshift("brave", tools=["brave_web_search"])
call("brave_web_search", arguments={"query": "MCP protocol 2025"})
shapeshift()
Run a long-tail server from Glama or Smithery — none of it pre-installed:
search("pdf", registry="glama") # search a specific registry
# Community sources (glama/npm/pypi) need one explicit confirm:
shapeshift("mcp-pdf-tools", confirm=True) # spawns via npx/uvx, isolated subprocess
call("extract_text", arguments={"path": "report.pdf"})
shapeshift() # process released
# Smithery-hosted (HTTP) — needs a free SMITHERY_API_KEY
search("exa", registry="smithery")
shapeshift("exa") # hosted, no local install
call("web_search_exa", arguments={"query": "MCP registry growth 2026"})
shapeshift()
See Developing an MCP server live for the edit → reload → test loop, and the full real-time demo script.
Building your own MCP server normally means a restart on every change: edit a tool, reboot the client so it re-reads the schema, re-establish your session, test, repeat. Kitsune turns that into an edit → reload → test loop in one session — an MCP REPL for your work-in-progress server.
The loop uses connect() (start a local command as a pooled process) and release() (kill it so the next connect() picks up your new code). These are dev tools, not in the default lean profile — enable them:
{
"mcpServers": {
"kitsune": {
"command": "kitsune-mcp",
"env": { "KITSUNE_TOOLS": "all" }
}
}
}
Then, without ever restarting your client:
# 1. Start your work-in-progress server
connect("uvx --from . my-mcp-server", name="dev")
# → Connected: dev (PID 40213) | Tools (3): search, fetch, summarize
# 2. Call a tool, see it work (or fail)
call("summarize", arguments={"url": "https://example.com"})
# 3. Edit the tool's code in your editor …
# 4. Reload: drop the old process, start the new code
release("dev")
connect("uvx --from . my-mcp-server", name="dev") # now running your edit
# 5. Re-test immediately
call("summarize", arguments={"url": "https://example.com"})
The footgun this removes:
connect()pools processes, so calling it again after an edit withoutrelease()first hands you the old process running the old code. Kitsune detects this and tells you: "Changed the code? release('dev') first — this process predates your edit." Alwaysrelease()before reconnecting.
Local connect() targets are treated as untrusted (confirm=True / KITSUNE_TRUST applies) and run as isolated subprocesses — but note that isolation is not a security sandbox; see Safety model. Full walkthrough: docs/demo-realtime.md.
Kitsune is a dynamic MCP proxy. shapeshift(server_id) connects to a target server via the appropriate transport (stdio subprocess, HTTP, WebSocket), fetches its tools/list, and registers each tool as a native FastMCP tool with the exact schema from the server. The AI client receives a notifications/tools/list_changed event and sees the new tools as first-class — no wrapper, no indirection.
shapeshift() with no args reverses all of it: deregisters the proxy closures, closes the connection, and notifies the client. Context returns to the ~1,358-token baseline.
| Document RAG | Kitsune |
|---|---|
| Index all documents | Registry: 130,000+ servers across 7 sources |
| Query → retrieve relevant chunks | search("notion") → ranked candidates with token estimates |
| Inject only relevant content | shapeshift(server, tools=[...]) → mount only what is needed |
| Model reasons over those chunks | Agent calls those tools natively |
| Evict when done | shapeshift() → context returns to baseline |
| Server source | Transport |
|---|---|
| npm package | npx <package> — spawned locally |
| PyPI package | uvx <package> — spawned locally |
| GitHub repo | npx github:user/repo or uvx --from git+https://... |
| Smithery hosted | HTTP + SSE (requires SMITHERY_API_KEY) |
| WebSocket | ws:// / wss:// |
| Docker | docker run --rm -i --memory 512m <image> |
| Tool | Signature | Description |
|---|---|---|
status() | — | Provider auth state, GATEWAY bloat detection, session performance stats |
search() | query, registry?, compare? | Search for servers across 7 registries; compare=True shows side-by-side token costs |
shapeshift() | server_id?, tools=[], server_args=[] | Shift into a server: connect and make its tools callable (with ID), or shift back / disconnect (no args). A runtime connect + execute — not a transform of Kitsune itself. tools=[...] for surgical load |
call() | tool_name, arguments | Invoke a tool; server_id inferred when shapeshifted |
auth() | server_or_var, value? | Check or set env vars; trigger OAuth 2.1 browser flow for hosted servers |
auto() | task, server_hint=, arguments= | One-shot: search → mount → call → return result |
Context overhead at rest: ~1,358 tokens for all 6 lean-profile tools (measured via examples/benchmark.py).
auto()note:auto(task, server_hint="server-id")gives reliable results. Withoutserver_hint, routing is best-effort via semantic search and can misfire on ambiguous queries — usesearch()first when unsure.
Kitsune searches 7 registries in parallel. No single registry is required.
| Registry | Auth required | registry= value |
|---|---|---|
| modelcontextprotocol/servers | None | official |
| registry.modelcontextprotocol.io | None | mcpregistry |
| Glama | None | glama |
| npm | None | npm |
| PyPI | None | pypi |
| GitHub repos | None | github:owner/repo |
| Smithery | Free API key | smithery |
search() fans out across all no-auth registries by default. Add a SMITHERY_API_KEY to include Smithery's hosted catalog (HTTP servers, no local install required).
status() scans your active MCP client configs and reports what other servers are running on every turn:
GATEWAY
⚠ 1 other server(s) active in claude-desktop (~8 extra tools in context)
Run setup() to harvest their credentials and reduce bloat
⚠ 1 other server(s) active in claude-code (~8 extra tools in context)
To consolidate:
setup() # preview — shows what can be harvested
setup(action="harvest") # extract API keys → ~/.kitsune/.env (non-destructive)
setup(action="absorb") # register those servers for shapeshift()
setup(project=True) # write .claude/mcp.json with only Kitsune (this project)
Kitsune never modifies existing configs without explicit confirmation.
The same caveat as above applies to this whole section: these savings are real only versus fully-mounted always-on servers. On a client with native Tool Search (Claude Code 2.1.7+), configured servers are already deferred, so most of these numbers no longer represent a Kitsune-specific advantage. Kept here for transparency and for clients/servers without native deferral.
Full-mount figures measured live via shapeshift() probes. Surgical estimates (~) are proportional approximations based on tool count, not individually measured. Every Kitsune figure includes the fixed ~1,358-token floor — it is never omitted. To measure Kitsune's own profile size: python examples/benchmark.py.
Saved = 1 − (1,358 floor + surgical) / always-on. A negative result means always-on is cheaper for that single server.
| Server | Tools | Always-on | Surgical example | 1,358 + surgical | Saved |
|---|---|---|---|---|---|
mcp-server-time | 2 | 261 | (all tools) | ~1,619 | — ¹ |
mcp-server-git | 12 | 1,242 | status / diff / log | ~1,668 | — ¹ |
@modelcontextprotocol/server-memory | 9 | 2,615 | read_graph / search_nodes | ~1,938 | 26% |
@modelcontextprotocol/server-filesystem | 14 | 3,207 | read / write / edit | ~2,048 | 36% |
brave | 8 | 3,612 | brave_web_search | ~1,808 | 50% |
@modelcontextprotocol/server-github | 26 | 4,229 | search_repositories | ~1,658 | 61% |
notion-hosted | 14 | 13,707 | search / fetch | ~3,308 | 76% |
¹ For a single server smaller than Kitsune's ~1,358-token floor (time, git), running it always-on is cheaper than Kitsune. Kitsune only pays off once the always-on alternative exceeds the floor — i.e. one medium server, or two-plus small ones sharing the single baseline.
Kitsune's resting cost (~1,358 tokens) is constant regardless of how many servers are registered. Always-on cost grows linearly with each server added — that linear stack is where Kitsune wins.
All figures include the 1,358 floor + surgical mount for whichever server is active. The range reflects the cheapest (git ~310) to most expensive (Notion ~1,950) surgical call.
| Servers always-on | Always-on/turn | Kitsune per active call | Saved |
|---|---|---|---|
| GitHub only | 4,229 | ~1,658 | 61% |
| GitHub + filesystem + git | 8,678 | ~1,668–2,048 | 76–81% |
| Notion + GitHub + filesystem + git + memory | 25,000 | ~1,668–3,308 | 87–93% |
LLM tool-selection degrades as the visible tool count grows — a finding consistent across multiple tool-use benchmarks (Gorilla, ToolBench). The failure mode is typically adjacent-name confusion: a model that sees read_file, read_text_file, and read_media_file simultaneously is more likely to call the wrong one than a model that sees only the one it needs.
Kitsune holds 6 tools at rest; 7–9 during active use. A Kitsune-specific benchmark measuring selection accuracy across tool-count conditions does not yet exist — contributions welcome.
Kitsune maintains a persistent process pool — re-attaching to a running server within a session takes 0 ms.
| Transport | Cold start | Warm (pooled) |
|---|---|---|
| HTTP / Smithery hosted | 0–1.4 s | 0.0 s |
Local stdio via npx | 1.7–6.3 s | 0.0 s |
Local stdio via uvx | 1.0–5.2 s | 0.0 s |
.env filesKitsune re-reads credentials on every shapeshift() and call(). Add or update a key mid-session — no restart needed.
Search order: CWD/.env → ~/.env → ~/.kitsune/.env (last wins).
# Write a key and activate immediately
auth("BRAVE_API_KEY", "sk-...") # writes to ~/.kitsune/.env
# Or manage .env directly
echo "BRAVE_API_KEY=sk-..." >> ~/.kitsune/.env
Expose only specific tools via KITSUNE_TOOLS:
{
"mcpServers": {
"kitsune": {
"command": "kitsune-mcp",
"env": { "KITSUNE_TOOLS": "shapeshift,call,auth" }
}
}
}
All persistent state — credentials (.env), absorbed servers, OAuth tokens,
session state, skills — lives under ~/.kitsune/ by default. Set
KITSUNE_HOME to relocate the whole directory, e.g. for benchmarks, CI, or
multi-tenant isolation:
KITSUNE_HOME=/tmp/kitsune-iso kitsune-mcp
Everything Kitsune writes then stays under /tmp/kitsune-iso/ — nothing
touches ~/.kitsune/.
{ "env": { "SMITHERY_API_KEY": "your-key" } }
Get a free key at smithery.ai/account/api-keys. Without it, Kitsune is fully functional via npm, PyPI, official registry, and GitHub.
shapeshift("brave", tools=["brave_web_search"]) # ~450 tokens
shapeshift("mcp-server-fetch") # ~289 tokens
shapeshift("@modelcontextprotocol/server-memory",
tools=["read_graph", "search_nodes"]) # ~580 tokens
# Mounts: ~1,300 tokens; total with ~1,358 floor: ~2,650 vs 6,516 always-on → 59% reduction
shapeshift("@modelcontextprotocol/server-filesystem",
tools=["read_file", "write_file", "edit_file"],
server_args=["/path/to/project"]) # ~690 tokens
shapeshift("mcp-server-git",
tools=["git_status", "git_diff", "git_log"]) # ~310 tokens
# Mounts: ~1,000 tokens; total with ~1,358 floor: ~2,350 vs 4,449 always-on → 47% reduction
shapeshift("notion-hosted",
tools=["notion-search", "notion-append-block-children"]) # ~1,950 tokens
shapeshift("@modelcontextprotocol/server-memory",
tools=["add_memory", "search_nodes"]) # ~580 tokens
# Mounts: ~2,500 tokens; total with ~1,358 floor: ~3,850 vs 16,322 always-on → 76% reduction
Kitsune executes third-party code — npm, PyPI, GitHub, and local packages — with your permissions. That makes it a supply-chain execution surface, not just a router. Be clear-eyed about what it contains and what it does not.
1. Unverified code running without consent.
| Tier | Sources | On mount |
|---|---|---|
| High | official (modelcontextprotocol/servers) | runs directly |
| Medium | mcpregistry, glama, smithery | runs directly |
| Community | npm, pypi, github, local connect() | requires confirm=True |
Community and local sources refuse to run until you pass confirm=True on shapeshift()/connect(). KITSUNE_TRUST=community waives the gate for sources you already trust; status() warns when that override is active.
Caveat —
confirm=Trueis not a human-approval boundary. It is a tool argument the model can set on its own. It's a consent signal and defence-in-depth; the real user-facing approval must come from your host client's tool-approval UI (per the MCP spec's guidance that apps provide real confirmation). Don't rely onconfirmalone to keep an autonomous agent from executing a server.
2. Shell injection at spawn time. Install commands are validated against shell-metacharacter (& ; | $ \ \n) and path-traversal (../) patterns and are launched via create_subprocess_exec— no shell is involved. A maliciousserver_id` can't inject a shell command. This vets the launch command, not what the package does once it runs.
3. SSRF. fetch() and every registry call are HTTPS-only; private, loopback, and non-global hosts are blocked, and every redirect hop is re-validated (opt out only with KITSUNE_ALLOW_LOCAL_FETCH=1).
4. Credential exposure. ~/.kitsune/.env and ~/.kitsune/oauth/ are written at mode 0600; OAuth 2.1 with PKCE S256 and Dynamic Client Registration (RFC 7591); missing-credential warnings before any call; auth("server-id", "logout") clears cached tokens.
5. Untrusted local servers — opt-in Docker sandbox. shapeshift("pkg", sandbox=True) runs an npm/PyPI server inside the hardened Docker profile instead of as a host subprocess: no host filesystem, --cap-drop ALL, read-only rootfs, RAM/PID caps. Only credential env vars relevant to that server are forwarded — by name (docker -e KEY), never by value, so secrets stay out of the argv, the process list, and the pool key. Set KITSUNE_SANDBOX=community to sandbox every community-source mount automatically, or KITSUNE_SANDBOX=all for every local mount. Requires Docker; the first sandboxed mount pulls the base image (node:22-slim / uv:python3.13-bookworm-slim). Filesystem-style servers need host paths and are the one category that doesn't fit a sandbox.
sandbox=True / KITSUNE_SANDBOX, it runs as your user and inherits your permissions: it can read and write your files, reach the network, spawn processes, and read inherited environment variables. Process isolation is not a security boundary.--cap-drop ALL --security-opt no-new-privileges --read-only --tmpfs /tmp --pids-limit 512 --memory 512m by default (opt out per call: writable, cap_add, network, pids_limit, memory). That blunts privilege escalation, fork bombs, and filesystem tampering — but it is defence-in-depth, not a guarantee against a container-escape kernel exploit. It also does not yet default to a non-root user or --network none (most MCP servers need egress).~/.kitsune/pins.json and reuses it on every later mount — so a package that publishes a malicious release after you trusted it can't silently execute; you get a ⚠️ pinned to 1.2.3, registry now offers 1.3.0 warning instead. KITSUNE_REPIN=1 adopts the newer version and updates the pin. Limits: it pins a version, not a content digest; and github:/--from git+… targets and hand-written connect() commands carry no version, so they aren't pinned. For high-assurance use, pin by digest or vendor the package.Bottom line: strong fit for supervised developer and personal workflows. Do not run it unattended with production admin, billing, or security credentials in the default local-execution mode — a local (non-Docker) server still runs with your full user permissions. For higher assurance: enforce approval at the client, restrict credentials and filesystem access, and run untrusted servers sandboxed — shapeshift(id, sandbox=True) or KITSUNE_SANDBOX=community — rather than as raw local npx/uvx processes.
See these guards in action in docs/demo-realtime.md.
The full evaluation suite is available by setting KITSUNE_TOOLS=all:
{ "command": "kitsune-mcp", "env": { "KITSUNE_TOOLS": "all" } }
Additional tools:
| Tool | What it does |
|---|---|
inspect(server_id) | Schema review + live credential check (✓/✗ per key) + measured token cost |
test(server_id) | Quality score 0–100 across connectivity, schema correctness, and tool behaviour |
bench(server_id, tool, args) | Latency benchmark — p50, p95, min, max |
compare(query) | Side-by-side: token cost, tool count, trust tier, credential status |
craft(name, description, params, url) | Register a custom HTTP-backed tool; shapeshift() removes it |
Test your server inside real Claude or Cursor sessions — not in an isolated inspector UI.
In Japanese folklore, the Kitsune (狐) is a fox spirit of extraordinary intelligence and magical power. What makes it remarkable is not what it is, but what it can become. With age and wisdom, a Kitsune grows new tails — each one a new ability mastered, a new form borrowed from the world around it. It can shapeshift into anything: a scholar, a warrior, a force of nature. And when the purpose is fulfilled, it casts off that form as easily as it took it on, returning to its true self — ready to become something else entirely.
One fox. Infinite forms. Every power available. Nothing carried that isn't needed.
shapeshift("brave-search") — the fox takes on a new form. Its tools appear as if they were always there.
shapeshift() — it returns to its true shape. Context drops back to baseline. Ready for the next form.
Each server mounted is a new tail. Each capability borrowed cleanly and released when done. One entry in your config. Every server in the MCP ecosystem, on demand — summoned, used, and let go.
Concretely, shapeshift() connects to a server at runtime and makes its tools callable — you shift into an unfamiliar server's shape, use it, and shift back. It's an on-demand connect-and-execute, not a transformation of Kitsune itself. The value is that it happens live, mid-session, without editing config or restarting the client.
I am not Japanese, and I use this name with the highest respect for the mythology and culture it comes from. The parallel felt too precise to ignore — a spirit that shapeshifts between forms, gains new powers, and releases them at will. That is exactly what this tool does.
make dev # install with dev dependencies
make test # pytest
make lint # ruff
Issues and PRs: github.com/kaiser-data/kitsune-mcp
See CHANGELOG.md for version history.
MIT License · Python 3.12+ · Built on FastMCP
SMITHERY_API_KEYsecretSmithery API key for accessing 3,000+ verified MCP servers. Get yours at smithery.ai/account/api-keys
com.mcparmory/google-sheets
domdomegg/google-sheets-mcp
henilcalagiya/google-sheets-mcp
cct15/war-dashboard-data
moooonad/mcp-google-sheets-full
io.github.br0ski777/csv-to-json