The capability layer for AI assistants.

Patch is an MCP server that lets your AI assistant build and remember its own tools — and pulls from a community registry shaped by every Patch user.


Quickstart

{
  "mcpServers": {
    "patch-cat": {
      "command": "npx",
      "args": ["-y", "@patch-cat/mcp"],
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "E2B_API_KEY": "e2b_..."
      }
    }
  }
}

Drop this into Claude Desktop's claude_desktop_config.json (or the equivalent file for Cursor / Claude Code / Windsurf). Restart the host. Done. Full instructions are in the quickstart.

What it does

  • Generates Python tools on demand from natural-language descriptions.
  • Sandbox-tests them in e2b before persisting.
  • Pulls from the public registry when a similar tool already exists.
  • Survives across restarts. Tools persist locally.

What it defends against

  • Hidden Unicode injection in untrusted text.
  • Prompt injection via tool descriptions and outputs.
  • Capability escape — tools declared network: false can't reach the network.
  • OAuth scope creep via Arcade-mediated tokens.

And we're honest about what's still possible.