[
  {
    "package": "@21st-extension/toolbar",
    "version": "0.5.14",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "326 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, there is no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.5.14",
      "last_release_at": "2025-07-07T14:17:23.610Z",
      "days_since_release": 326,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/21st-dev/21st-extension.git",
      "license": "AGPL-3.0-only",
      "created_at": "2025-06-26T13:03:16.008Z",
      "days_since_created": 337,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 101,
      "github_stars": 134
    },
    "scanned_at": "2026-05-30T05:44:45Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@agentbudget/agentbudget",
    "version": "0.3.1",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, there is no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.1",
      "last_release_at": "2026-04-01T23:29:39.527Z",
      "days_since_release": 58,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/AgentBudget/agentbudget.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-01T23:22:35.070Z",
      "days_since_created": 58,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 54,
      "github_stars": 104
    },
    "scanned_at": "2026-05-30T05:44:47Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@agentclientprotocol/claude-agent-acp",
    "version": "0.39.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.39.0",
      "last_release_at": "2026-05-29T10:13:14.834Z",
      "days_since_release": 0,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/agentclientprotocol/claude-agent-acp.git",
      "license": "Apache-2.0",
      "created_at": "2026-03-26T11:29:04.549Z",
      "days_since_created": 64,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1989
    },
    "scanned_at": "2026-05-30T05:44:48Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@ai-sdk/anthropic",
    "version": "3.0.81",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "3.0.81",
      "last_release_at": "2026-05-28T17:27:58.932Z",
      "days_since_release": 1,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/vercel/ai.git",
      "license": "Apache-2.0",
      "created_at": "2024-04-12T15:12:45.164Z",
      "days_since_created": 777,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 24546
    },
    "scanned_at": "2026-05-30T05:44:50Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@aikidosec/mcp",
    "version": "1.0.8",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "1.0.8",
      "last_release_at": "2026-05-29T14:21:24.552Z",
      "days_since_release": 0,
      "maintainer_count": 2,
      "repository_url": null,
      "license": "AGPL",
      "created_at": "2025-12-03T16:27:00.549Z",
      "days_since_created": 177,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 6
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:44:51Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/bedrock-sdk",
    "version": "0.29.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "10 caret + 0 tilde / 11 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.29.2",
      "last_release_at": "2026-05-19T07:11:50.738Z",
      "days_since_release": 10,
      "maintainer_count": 14,
      "repository_url": "https://github.com/anthropics/anthropic-sdk-typescript.git",
      "license": "MIT",
      "created_at": "2023-10-12T21:18:42.476Z",
      "days_since_created": 960,
      "dep_count": 11,
      "unpinned_classification": {
        "caret": 10,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1977
    },
    "scanned_at": "2026-05-30T05:44:53Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk",
    "version": "0.3.158",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:12:21.311Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": "git+https://github.com/anthropics/claude-agent-sdk-typescript.git",
      "license": "SEE LICENSE IN README.md",
      "created_at": "2025-09-27T16:07:20.263Z",
      "days_since_created": 244,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1474
    },
    "scanned_at": "2026-05-30T05:44:54Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-darwin-arm64",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:08:34.453Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-14T00:00:01.431Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:44:55Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-linux-arm64",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:09:02.261Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:52.147Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:44:57Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-linux-arm64-musl",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:09:16.191Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:56.937Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:44:59Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-linux-x64",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:09:30.827Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:49.703Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:01Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-linux-x64-musl",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:09:45.081Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:54.506Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:02Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-agent-sdk-win32-x64",
    "version": "0.3.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.3.158",
      "last_release_at": "2026-05-30T01:10:15.197Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-14T00:00:03.470Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:04Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-code-darwin-arm64",
    "version": "2.1.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2.1.158",
      "last_release_at": "2026-05-30T01:10:28.375Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:43.773Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:06Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-code-linux-arm64",
    "version": "2.1.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2.1.158",
      "last_release_at": "2026-05-30T01:10:59.720Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:34.927Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-code-linux-x64",
    "version": "2.1.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2.1.158",
      "last_release_at": "2026-05-30T01:11:32.530Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:32.601Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:10Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-code-linux-x64-musl",
    "version": "2.1.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2.1.158",
      "last_release_at": "2026-05-30T01:11:46.603Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:37.258Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:11Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/claude-code-win32-x64",
    "version": "2.1.158",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 46 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2.1.158",
      "last_release_at": "2026-05-30T01:12:18.373Z",
      "days_since_release": 0,
      "maintainer_count": 14,
      "repository_url": null,
      "license": "SEE LICENSE IN LICENSE.md",
      "created_at": "2026-04-13T23:59:45.785Z",
      "days_since_created": 46,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:13Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/mcpb",
    "version": "2.1.2",
    "verdict": "PASS",
    "score": 82,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 9 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.1.2",
      "last_release_at": "2025-12-04T04:57:44.382Z",
      "days_since_release": 177,
      "maintainer_count": 15,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-09-11T17:41:56.296Z",
      "days_since_created": 260,
      "dep_count": 9,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:15Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/sandbox-runtime",
    "version": "0.0.52",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.0.52",
      "last_release_at": "2026-05-19T00:21:16.402Z",
      "days_since_release": 11,
      "maintainer_count": 14,
      "repository_url": "git+https://github.com/anthropic-experimental/sandbox-runtime.git",
      "license": "Apache-2.0",
      "created_at": "2025-10-20T17:36:42.320Z",
      "days_since_created": 221,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 4174
    },
    "scanned_at": "2026-05-30T05:45:16Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/sdk",
    "version": "0.100.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.100.1",
      "last_release_at": "2026-05-29T00:10:32.025Z",
      "days_since_release": 1,
      "maintainer_count": 14,
      "repository_url": "git+https://github.com/anthropics/anthropic-sdk-typescript.git",
      "license": "MIT",
      "created_at": "2023-01-31T15:44:00.076Z",
      "days_since_created": 1214,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1977
    },
    "scanned_at": "2026-05-30T05:45:18Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/tokenizer",
    "version": "0.0.4",
    "verdict": "WARN",
    "score": 70,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "1060 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B4_github_last_push_over_365d",
        "deduct": 12,
        "hard_block": false,
        "evidence": "GitHub last push 816 days ago (2024-03-04T18:30:41Z)",
        "rationale": "Last GitHub push >365d shows the repo behind the npm package is effectively abandoned even if package.json times look recent."
      }
    ],
    "metadata": {
      "latest_version": "0.0.4",
      "last_release_at": "2023-07-05T03:44:40.936Z",
      "days_since_release": 1060,
      "maintainer_count": 14,
      "repository_url": "https://github.com/anthropics/anthropic-tokenizer-typescript.git",
      "license": "Apache-2.0",
      "created_at": "2023-06-28T23:07:02.445Z",
      "days_since_created": 1066,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 816,
      "github_stars": 106
    },
    "scanned_at": "2026-05-30T05:45:19Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@anthropic-ai/vertex-sdk",
    "version": "0.16.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.16.1",
      "last_release_at": "2026-05-19T07:11:41.782Z",
      "days_since_release": 10,
      "maintainer_count": 14,
      "repository_url": "https://github.com/anthropics/anthropic-sdk-typescript.git",
      "license": "MIT",
      "created_at": "2024-01-23T19:22:05.056Z",
      "days_since_created": 857,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1977
    },
    "scanned_at": "2026-05-30T05:45:20Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@apify/actors-mcp-server",
    "version": "0.10.11",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "16 caret + 0 tilde / 17 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.10.11",
      "last_release_at": "2026-05-28T11:31:13.765Z",
      "days_since_release": 1,
      "maintainer_count": 11,
      "repository_url": "https://github.com/apify/apify-mcp-server.git",
      "license": "MIT",
      "created_at": "2025-01-16T18:22:29.365Z",
      "days_since_created": 498,
      "dep_count": 17,
      "unpinned_classification": {
        "caret": 16,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1287
    },
    "scanned_at": "2026-05-30T05:45:22Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@azure-devops/mcp",
    "version": "2.7.0",
    "verdict": "BLOCK",
    "score": 67,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 10 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "A3_preinstall_or_prepack_with_download",
        "deduct": 30,
        "hard_block": true,
        "evidence": "preinstall: npm config set registry https://registry.npmjs.org/",
        "rationale": "Scripts that fetch and execute remote content during install are a textbook supply-chain attack \u2014 outright BLOCK."
      }
    ],
    "metadata": {
      "latest_version": "2.7.0",
      "last_release_at": "2026-04-23T07:48:05.442Z",
      "days_since_release": 36,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/microsoft/azure-devops-mcp.git",
      "license": "MIT",
      "created_at": "2025-06-12T13:58:17.167Z",
      "days_since_created": 351,
      "dep_count": 10,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1743
    },
    "scanned_at": "2026-05-30T05:45:24Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@blacksandscyber/mcp-server-shield",
    "version": "0.3.0",
    "verdict": "WARN",
    "score": 70,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 34 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.3.0",
      "last_release_at": "2026-04-25T23:10:02.863Z",
      "days_since_release": 34,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-04-25T23:10:02.623Z",
      "days_since_created": 34,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:25Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@blade-ai/agent-sdk",
    "version": "1.0.8",
    "verdict": "WARN",
    "score": 78,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "26 caret + 0 tilde / 26 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.0.8",
      "last_release_at": "2026-04-23T12:27:47.977Z",
      "days_since_release": 36,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-02-08T04:19:53.203Z",
      "days_since_created": 111,
      "dep_count": 26,
      "unpinned_classification": {
        "caret": 26,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:27Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@brna/mcp",
    "version": "0.1.14",
    "verdict": "WARN",
    "score": 78,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 27 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.1.14",
      "last_release_at": "2026-05-17T04:03:24.667Z",
      "days_since_release": 13,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/leolin310148/brna.git",
      "license": null,
      "created_at": "2026-05-02T15:02:34.214Z",
      "days_since_created": 27,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 13,
      "github_stars": 1
    },
    "scanned_at": "2026-05-30T05:45:29Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@browserstack/mcp-server",
    "version": "1.2.20",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "13 caret + 0 tilde / 13 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.2.20",
      "last_release_at": "2026-05-29T14:57:30.081Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/browserstack/mcp-server.git",
      "license": "ISC",
      "created_at": "2025-04-22T13:54:50.645Z",
      "days_since_created": 402,
      "dep_count": 13,
      "unpinned_classification": {
        "caret": 13,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 140
    },
    "scanned_at": "2026-05-30T05:45:31Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@claude-flow/cli-core",
    "version": "3.7.0-alpha.5",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 24 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "3.7.0-alpha.5",
      "last_release_at": "2026-05-05T16:53:21.045Z",
      "days_since_release": 24,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/ruvnet/ruflo.git",
      "license": "MIT",
      "created_at": "2026-05-05T16:25:00.834Z",
      "days_since_created": 24,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 56450
    },
    "scanned_at": "2026-05-30T05:45:33Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@claude-flow/mcp",
    "version": "3.0.0-alpha.9",
    "verdict": "WARN",
    "score": 71,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "3.0.0-alpha.9",
      "last_release_at": "2026-05-09T18:31:20.248Z",
      "days_since_release": 20,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2026-01-06T21:45:54.593Z",
      "days_since_created": 143,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:34Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@clipboard-health/ai-rules",
    "version": "2.22.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2.22.2",
      "last_release_at": "2026-05-30T00:45:14.728Z",
      "days_since_release": 0,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/ClipboardHealth/core-utils.git",
      "license": "MIT",
      "created_at": "2025-10-13T18:06:13.581Z",
      "days_since_created": 228,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 66
    },
    "scanned_at": "2026-05-30T05:45:35Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@coinbase/cds-mcp-server",
    "version": "9.1.3",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "9.1.3",
      "last_release_at": "2026-05-28T17:18:24.362Z",
      "days_since_release": 1,
      "maintainer_count": 2,
      "repository_url": "git+ssh://git@github.com/coinbase/cds.git",
      "license": null,
      "created_at": "2025-09-30T17:28:47.014Z",
      "days_since_created": 241,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 477
    },
    "scanned_at": "2026-05-30T05:45:37Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@contractspec/lib.ai-agent",
    "version": "8.0.17",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "8.0.17",
      "last_release_at": "2026-04-30T19:36:42.048Z",
      "days_since_release": 29,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/lssm-tech/contractspec.git",
      "license": "MIT",
      "created_at": "2025-12-28T13:31:35.247Z",
      "days_since_created": 152,
      "dep_count": 14,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 10
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:39Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@currents/mcp",
    "version": "2.3.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2.3.2",
      "last_release_at": "2026-05-27T21:52:03.173Z",
      "days_since_release": 2,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/currents-dev/currents-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2025-04-03T22:41:14.323Z",
      "days_since_created": 421,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17
    },
    "scanned_at": "2026-05-30T05:45:41Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@dcp-ai/anthropic-mcp",
    "version": "2.0.0",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 41 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0",
      "last_release_at": "2026-04-18T08:23:59.213Z",
      "days_since_release": 41,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/dcp-ai-protocol/dcp-ai.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-18T08:23:58.983Z",
      "days_since_created": 41,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 6,
      "github_stars": 21
    },
    "scanned_at": "2026-05-30T05:45:43Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@drawio/mcp",
    "version": "1.2.7",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.2.7",
      "last_release_at": "2026-05-11T08:12:48.569Z",
      "days_since_release": 18,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/jgraph/drawio-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2026-02-03T14:52:52.542Z",
      "days_since_created": 115,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 4076
    },
    "scanned_at": "2026-05-30T05:45:45Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@dynatrace-oss/dynatrace-mcp-server",
    "version": "1.8.6",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.8.6",
      "last_release_at": "2026-05-29T07:19:15.512Z",
      "days_since_release": 0,
      "maintainer_count": 5,
      "repository_url": "git+https://github.com/dynatrace-oss/dynatrace-mcp.git",
      "license": "MIT",
      "created_at": "2025-04-30T15:56:17.213Z",
      "days_since_created": 394,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 115
    },
    "scanned_at": "2026-05-30T05:45:46Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@elliotding/ai-agent-mcp-dev",
    "version": "0.2.21-dev.1",
    "verdict": "WARN",
    "score": 70,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 21 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "12 caret + 0 tilde / 13 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.2.21-dev.1",
      "last_release_at": "2026-05-08T06:32:03.699Z",
      "days_since_release": 21,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-05-08T06:32:03.458Z",
      "days_since_created": 21,
      "dep_count": 13,
      "unpinned_classification": {
        "caret": 12,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:48Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@eslint/mcp",
    "version": "0.3.6",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.3.6",
      "last_release_at": "2026-05-29T20:11:02.508Z",
      "days_since_release": 0,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/eslint/rewrite.git",
      "license": "Apache-2.0",
      "created_at": "2025-05-14T18:19:12.667Z",
      "days_since_created": 380,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 337
    },
    "scanned_at": "2026-05-30T05:45:50Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@gabriel3615/claude-stock-analysis-mcp",
    "version": "1.5.6",
    "verdict": "WARN",
    "score": 72,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "267 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "16 caret + 0 tilde / 16 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.5.6",
      "last_release_at": "2025-09-05T05:03:00.687Z",
      "days_since_release": 267,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-03-10T01:16:52.447Z",
      "days_since_created": 446,
      "dep_count": 16,
      "unpinned_classification": {
        "caret": 16,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:52Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@genkit-ai/anthropic",
    "version": "0.3.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.3.0",
      "last_release_at": "2026-05-28T14:30:59.038Z",
      "days_since_release": 1,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/genkit-ai/genkit.git",
      "license": "Apache-2.0",
      "created_at": "2026-01-22T21:35:46.720Z",
      "days_since_created": 127,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 6068
    },
    "scanned_at": "2026-05-30T05:45:53Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@gongrzhe/server-gmail-autoauth-mcp",
    "version": "1.1.11",
    "verdict": "PASS",
    "score": 87,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "297 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "10 caret + 0 tilde / 10 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.1.11",
      "last_release_at": "2025-08-06T01:16:22.211Z",
      "days_since_release": 297,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/gongrzhe/server-gmail-autoauth-mcp.git",
      "license": "ISC",
      "created_at": "2024-12-26T02:50:16.628Z",
      "days_since_created": 520,
      "dep_count": 10,
      "unpinned_classification": {
        "caret": 10,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:45:55Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@google/genai",
    "version": "2.7.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2.7.0",
      "last_release_at": "2026-05-28T18:17:28.386Z",
      "days_since_release": 1,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/googleapis/js-genai.git",
      "license": "Apache-2.0",
      "created_at": "2025-03-11T00:45:26.597Z",
      "days_since_created": 445,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1613
    },
    "scanned_at": "2026-05-30T05:45:56Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@google/generative-ai",
    "version": "0.24.1",
    "verdict": "WARN",
    "score": 62,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "395 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B5_repo_archived",
        "deduct": 20,
        "hard_block": false,
        "evidence": "GitHub repo is archived",
        "rationale": "GitHub-archived repo means maintainer has explicitly declared they will not accept further fixes \u2014 installing is consciously accepting an end-of-life dependency."
      }
    ],
    "metadata": {
      "latest_version": "0.24.1",
      "last_release_at": "2025-04-29T17:48:21.897Z",
      "days_since_release": 395,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/google/generative-ai-js.git",
      "license": "Apache-2.0",
      "created_at": "2023-12-12T21:01:25.829Z",
      "days_since_created": 899,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 178,
      "github_stars": 1238
    },
    "scanned_at": "2026-05-30T05:45:58Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@grackle-ai/powerline",
    "version": "0.134.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.134.0",
      "last_release_at": "2026-05-30T01:06:59.334Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/nick-pape/grackle.git",
      "license": "MIT",
      "created_at": "2026-03-08T05:58:39.668Z",
      "days_since_created": 82,
      "dep_count": 13,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 9
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 15
    },
    "scanned_at": "2026-05-30T05:45:59Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@heroku/mcp-server",
    "version": "1.2.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "8 caret + 0 tilde / 8 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.2.2",
      "last_release_at": "2026-04-22T15:28:56.521Z",
      "days_since_release": 37,
      "maintainer_count": 166,
      "repository_url": "git+https://github.com/heroku/heroku-mcp-server.git",
      "license": "Apache-2.0",
      "created_at": "2025-04-07T17:32:26.286Z",
      "days_since_created": 417,
      "dep_count": 8,
      "unpinned_classification": {
        "caret": 8,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 5,
      "github_stars": 77
    },
    "scanned_at": "2026-05-30T05:46:01Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@hisma/server-puppeteer",
    "version": "0.6.5",
    "verdict": "BLOCK",
    "score": 50,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "C4_name_typosquats_official",
        "deduct": 40,
        "hard_block": true,
        "evidence": "short-name exact match with official 'server-puppeteer'",
        "rationale": "Package name within edit-distance 2 of an @modelcontextprotocol/* official server (or other known official MCP brand) is the textbook typosquat pattern and is blocked outright: a name collision alone cannot distinguish a legitimate fork from an impersonation, so the publisher must be verified out-of-band before use."
      },
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "335 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.6.5",
      "last_release_at": "2025-06-28T08:08:01.028Z",
      "days_since_release": 335,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/Hisma/servers-archived.git",
      "license": "MIT",
      "created_at": "2025-06-28T06:36:41.581Z",
      "days_since_created": 335,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 335,
      "github_stars": 1
    },
    "scanned_at": "2026-05-30T05:46:03Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@hovecapital/read-only-mysql-mcp-server",
    "version": "0.1.1",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.1.1",
      "last_release_at": "2026-02-17T16:39:32.961Z",
      "days_since_release": 101,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/hovecapital/read-only-local-mysql-mcp-server.git",
      "license": "MIT",
      "created_at": "2025-07-21T20:03:10.262Z",
      "days_since_created": 312,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 58,
      "github_stars": 6
    },
    "scanned_at": "2026-05-30T05:46:04Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@hubspot/mcp-server",
    "version": "0.4.0",
    "verdict": "WARN",
    "score": 79,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "345 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.4.0",
      "last_release_at": "2025-06-18T16:19:19.753Z",
      "days_since_release": 345,
      "maintainer_count": 47,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-04-25T21:20:26.115Z",
      "days_since_created": 399,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:07Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@huggingface/inference",
    "version": "4.13.18",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "4.13.18",
      "last_release_at": "2026-05-21T13:17:23.713Z",
      "days_since_release": 8,
      "maintainer_count": 5,
      "repository_url": "git+https://github.com/huggingface/huggingface.js.git",
      "license": "MIT",
      "created_at": "2023-02-23T21:02:07.458Z",
      "days_since_created": 1191,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@ibh/tube",
    "version": "0.3.22",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 29 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "17 caret + 0 tilde / 17 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.3.22",
      "last_release_at": "2026-05-14T09:38:15.342Z",
      "days_since_release": 15,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/BenHakimIlyass/tube.git",
      "license": "MIT",
      "created_at": "2026-04-30T20:36:57.989Z",
      "days_since_created": 29,
      "dep_count": 17,
      "unpinned_classification": {
        "caret": 17,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:09Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@iflow-mcp/eoinjordan-gbstudio-claude-mcp",
    "version": "1.0.6",
    "verdict": "PASS",
    "score": 89,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 52 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.0.6",
      "last_release_at": "2026-04-08T02:36:00.594Z",
      "days_since_release": 52,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/eoinjordan/gb-studio-agent.git",
      "license": "MIT",
      "created_at": "2026-04-08T02:36:00.265Z",
      "days_since_created": 52,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 108,
      "github_stars": 10
    },
    "scanned_at": "2026-05-30T05:46:12Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@j4flmao/go_blender_mcp",
    "version": "0.1.0",
    "verdict": "WARN",
    "score": 63,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node scripts/postinstall.js",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0",
      "last_release_at": "2026-04-01T09:48:47.728Z",
      "days_since_release": 58,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/j4flmao/go_blender_mcp.git",
      "license": "MIT",
      "created_at": "2026-04-01T09:48:47.104Z",
      "days_since_created": 58,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 28,
      "github_stars": 4
    },
    "scanned_at": "2026-05-30T05:46:14Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@jawnty/agentdesk-mcp",
    "version": "0.1.4",
    "verdict": "WARN",
    "score": 73,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 43 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.4",
      "last_release_at": "2026-04-16T19:01:01.477Z",
      "days_since_release": 43,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "ISC",
      "created_at": "2026-04-16T16:51:51.045Z",
      "days_since_created": 43,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:17Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@jsonresume/jsonresume-mcp",
    "version": "0.2.0",
    "verdict": "WARN",
    "score": 57,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "451 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; it can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.2.0",
      "last_release_at": "2025-03-04T12:50:03.975Z",
      "days_since_release": 451,
      "maintainer_count": 3,
      "repository_url": null,
      "license": null,
      "created_at": "2025-03-04T11:43:58.500Z",
      "days_since_created": 451,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:18Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@jsonresume/mcp",
    "version": "3.0.3",
    "verdict": "WARN",
    "score": 57,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "422 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; it can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "3.0.3",
      "last_release_at": "2025-04-02T13:17:20.735Z",
      "days_since_release": 422,
      "maintainer_count": 3,
      "repository_url": null,
      "license": null,
      "created_at": "2025-03-04T14:52:17.222Z",
      "days_since_created": 451,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:19Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@kenkaiiii/queen-mcp",
    "version": "3.29.0",
    "verdict": "WARN",
    "score": 75,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "243 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "3.29.0",
      "last_release_at": "2025-09-29T04:51:30.278Z",
      "days_since_release": 243,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-09-09T15:32:36.519Z",
      "days_since_created": 262,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:21Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@langchain/anthropic",
    "version": "1.4.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.4.0",
      "last_release_at": "2026-05-18T23:45:45.879Z",
      "days_since_release": 11,
      "maintainer_count": 13,
      "repository_url": "git+ssh://git@github.com/langchain-ai/langchainjs.git",
      "license": "MIT",
      "created_at": "2023-11-22T19:15:49.166Z",
      "days_since_created": 919,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17733
    },
    "scanned_at": "2026-05-30T05:46:23Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@langchain/core",
    "version": "1.1.48",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 7 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.1.48",
      "last_release_at": "2026-05-21T22:00:46.828Z",
      "days_since_release": 8,
      "maintainer_count": 13,
      "repository_url": "git+ssh://git@github.com/langchain-ai/langchainjs.git",
      "license": "MIT",
      "created_at": "2023-11-22T23:00:08.849Z",
      "days_since_created": 919,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17733
    },
    "scanned_at": "2026-05-30T05:46:24Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@langchain/mcp-adapters",
    "version": "1.1.3",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.1.3",
      "last_release_at": "2026-02-12T03:09:33.622Z",
      "days_since_release": 107,
      "maintainer_count": 13,
      "repository_url": "git+ssh://git@github.com/langchain-ai/langchainjs.git",
      "license": "MIT",
      "created_at": "2025-03-13T15:30:49.589Z",
      "days_since_created": 442,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17733
    },
    "scanned_at": "2026-05-30T05:46:25Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@langchain/openai",
    "version": "1.4.7",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.4.7",
      "last_release_at": "2026-05-21T22:00:44.094Z",
      "days_since_release": 8,
      "maintainer_count": 13,
      "repository_url": "git+ssh://git@github.com/langchain-ai/langchainjs.git",
      "license": "MIT",
      "created_at": "2023-11-23T02:53:41.333Z",
      "days_since_created": 919,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17733
    },
    "scanned_at": "2026-05-30T05:46:27Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@laskarks/mcp-rag-node",
    "version": "1.1.1",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.1.1",
      "last_release_at": "2026-03-08T07:24:58.249Z",
      "days_since_release": 82,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/laskar-ksatria/rag-mcp-nodejs.git",
      "license": "ISC",
      "created_at": "2026-03-08T06:22:40.512Z",
      "days_since_created": 82,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 82,
      "github_stars": 0
    },
    "scanned_at": "2026-05-30T05:46:28Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@lleverage-ai/agent-threads",
    "version": "0.1.0-alpha.1",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-alpha.1",
      "last_release_at": "2026-02-28T00:06:36.321Z",
      "days_since_release": 91,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/lleverage-ai/agent-sdk.git",
      "license": "MIT",
      "created_at": "2026-02-28T00:06:36.056Z",
      "days_since_created": 91,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 7
    },
    "scanned_at": "2026-05-30T05:46:29Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@mapbox/mcp-server",
    "version": "0.11.0",
    "verdict": "WARN",
    "score": 72,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "14 caret + 0 tilde / 14 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: patch-package || (cd ../../.. && node ./node_modules/patch-package/index.js --patch-dir ./node_modules/@mapbox/mcp-serve",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "0.11.0",
      "last_release_at": "2026-04-01T23:41:48.174Z",
      "days_since_release": 58,
      "maintainer_count": 28,
      "repository_url": "git+https://github.com/mapbox/mcp-server.git",
      "license": "MIT",
      "created_at": "2025-06-12T08:00:52.574Z",
      "days_since_created": 351,
      "dep_count": 14,
      "unpinned_classification": {
        "caret": 14,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 339
    },
    "scanned_at": "2026-05-30T05:46:31Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@maz-ui/mcp",
    "version": "4.9.3",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "4.9.3",
      "last_release_at": "2026-04-23T00:29:49.286Z",
      "days_since_release": 37,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/LouisMazel/maz-ui.git",
      "license": "MIT",
      "created_at": "2025-08-06T00:03:03.966Z",
      "days_since_created": 297,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 4,
      "github_stars": 562
    },
    "scanned_at": "2026-05-30T05:46:33Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@mcp-abap-adt/anthropic-llm",
    "version": "17.0.0",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 35 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "17.0.0",
      "last_release_at": "2026-05-29T16:28:22.262Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/fr0ster/llm-agent.git",
      "license": "MIT",
      "created_at": "2026-04-24T13:03:47.299Z",
      "days_since_created": 35,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 11
    },
    "scanned_at": "2026-05-30T05:46:34Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@mcp-use/modelcontextprotocol-sdk",
    "version": "1.24.3-mcp-use.4",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "15 caret + 0 tilde / 15 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.24.3-mcp-use.4",
      "last_release_at": "2025-12-10T11:08:20.902Z",
      "days_since_release": 170,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2025-12-08T09:24:20.488Z",
      "days_since_created": 172,
      "dep_count": 15,
      "unpinned_classification": {
        "caret": 15,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:46:36Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@mdavieds/mcp-tmp-files",
    "version": "1.1.2",
    "verdict": "WARN",
    "score": 73,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 8 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "1.1.2",
      "last_release_at": "2026-05-27T09:34:10.074Z",
      "days_since_release": 2,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "ISC",
      "created_at": "2026-05-21T13:34:03.393Z",
      "days_since_created": 8,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:38Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@miller-tech/uap",
    "version": "1.22.0",
    "verdict": "WARN",
    "score": 68,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "15 caret + 0 tilde / 15 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: echo '\n\u2728 Run: npx @miller-tech/uap init --interactive'",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "1.22.0",
      "last_release_at": "2026-05-22T12:44:17.608Z",
      "days_since_release": 7,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/DammianMiller/universal-agent-protocol.git",
      "license": "MIT",
      "created_at": "2026-03-17T04:48:43.327Z",
      "days_since_created": 74,
      "dep_count": 15,
      "unpinned_classification": {
        "caret": 15,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 1
    },
    "scanned_at": "2026-05-30T05:46:40Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@mistralai/mistralai",
    "version": "2.2.5",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "2.2.5",
      "last_release_at": "2026-05-25T08:35:35.483Z",
      "days_since_release": 4,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/mistralai/client-ts.git",
      "license": "Apache-2.0",
      "created_at": "2023-12-07T14:48:55.500Z",
      "days_since_created": 904,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 143
    },
    "scanned_at": "2026-05-30T05:46:42Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/client",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 89,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:44:02.400Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:13.598Z",
      "days_since_created": 58,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:46:43Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/conformance",
    "version": "0.1.16",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 9 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.1.16",
      "last_release_at": "2026-03-30T20:26:52.731Z",
      "days_since_release": 60,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/conformance.git",
      "license": "MIT",
      "created_at": "2025-11-11T13:52:03.521Z",
      "days_since_created": 199,
      "dep_count": 9,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 68
    },
    "scanned_at": "2026-05-30T05:46:45Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/create-server",
    "version": "0.3.1",
    "verdict": "WARN",
    "score": 64,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "550 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "5 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.3.1",
      "last_release_at": "2024-11-25T18:39:48.975Z",
      "days_since_release": 550,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-18T15:02:35.404Z",
      "days_since_created": 557,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:46:47Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/express",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:43:58.802Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:10.228Z",
      "days_since_created": 58,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:46:48Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/ext-apps",
    "version": "1.7.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.7.2",
      "last_release_at": "2026-05-15T18:03:50.692Z",
      "days_since_release": 14,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/ext-apps.git",
      "license": "MIT",
      "created_at": "2025-12-08T20:51:59.601Z",
      "days_since_created": 172,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 2339
    },
    "scanned_at": "2026-05-30T05:46:50Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/fastify",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:43:59.047Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:11.331Z",
      "days_since_created": 58,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:46:51Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/hono",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:43:58.718Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:10.805Z",
      "days_since_created": 58,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:46:53Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/inspector",
    "version": "0.21.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "11 caret + 0 tilde / 11 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.21.2",
      "last_release_at": "2026-04-14T21:01:18.421Z",
      "days_since_release": 45,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/inspector.git",
      "license": "SEE LICENSE IN LICENSE",
      "created_at": "2024-11-19T19:27:34.382Z",
      "days_since_created": 556,
      "dep_count": 11,
      "unpinned_classification": {
        "caret": 11,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 9930
    },
    "scanned_at": "2026-05-30T05:46:55Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/inspector-cli",
    "version": "0.21.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.21.2",
      "last_release_at": "2026-04-14T21:00:59.001Z",
      "days_since_release": 45,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/inspector.git",
      "license": "SEE LICENSE IN LICENSE",
      "created_at": "2025-04-17T20:11:10.346Z",
      "days_since_created": 407,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 9930
    },
    "scanned_at": "2026-05-30T05:46:57Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/inspector-client",
    "version": "0.21.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "27 caret + 0 tilde / 27 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.21.2",
      "last_release_at": "2026-04-14T21:00:52.731Z",
      "days_since_release": 45,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/inspector.git",
      "license": "SEE LICENSE IN LICENSE",
      "created_at": "2024-11-19T21:11:41.861Z",
      "days_since_created": 556,
      "dep_count": 27,
      "unpinned_classification": {
        "caret": 27,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 9930
    },
    "scanned_at": "2026-05-30T05:46:58Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/inspector-server",
    "version": "0.21.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 9 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.21.2",
      "last_release_at": "2026-04-14T21:00:55.902Z",
      "days_since_release": 45,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/inspector.git",
      "license": "SEE LICENSE IN LICENSE",
      "created_at": "2024-11-19T21:11:48.366Z",
      "days_since_created": 556,
      "dep_count": 9,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 9930
    },
    "scanned_at": "2026-05-30T05:47:00Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/node",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:44:17.522Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:27.930Z",
      "days_since_created": 58,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:47:02Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/sdk",
    "version": "1.29.0",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "17 caret + 0 tilde / 17 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.29.0",
      "last_release_at": "2026-03-30T16:50:42.718Z",
      "days_since_release": 60,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2024-11-11T15:53:15.703Z",
      "days_since_created": 564,
      "dep_count": 17,
      "unpinned_classification": {
        "caret": 17,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:47:03Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server",
    "version": "2.0.0-alpha.2",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 58 days ago",
        "rationale": "Very new repos have no track record; combined with a high install count, this is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.0.0-alpha.2",
      "last_release_at": "2026-04-01T16:44:06.159Z",
      "days_since_release": 58,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/typescript-sdk.git",
      "license": "MIT",
      "created_at": "2026-04-01T14:46:14.225Z",
      "days_since_created": 58,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 12570
    },
    "scanned_at": "2026-05-30T05:47:05Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-everything",
    "version": "2026.1.26",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2026.1.26",
      "last_release_at": "2026-01-27T09:25:57.675Z",
      "days_since_release": 122,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/servers.git",
      "license": "MIT",
      "created_at": "2024-11-19T14:14:26.705Z",
      "days_since_created": 556,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 86462
    },
    "scanned_at": "2026-05-30T05:47:06Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-filesystem",
    "version": "2026.1.14",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2026.1.14",
      "last_release_at": "2026-01-14T16:03:10.655Z",
      "days_since_release": 135,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/servers.git",
      "license": "MIT",
      "created_at": "2024-11-21T19:14:54.330Z",
      "days_since_created": 554,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 86462
    },
    "scanned_at": "2026-05-30T05:47:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-gdrive",
    "version": "2025.1.14",
    "verdict": "WARN",
    "score": 67,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "501 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2025.1.14",
      "last_release_at": "2025-01-14T01:44:34.879Z",
      "days_since_release": 501,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-19T14:14:33.274Z",
      "days_since_created": 556,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:09Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-github",
    "version": "2025.4.8",
    "verdict": "WARN",
    "score": 64,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "416 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 7 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2025.4.8",
      "last_release_at": "2025-04-08T10:08:59.978Z",
      "days_since_release": 416,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-21T19:15:10.035Z",
      "days_since_created": 554,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:10Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-memory",
    "version": "2026.1.26",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2026.1.26",
      "last_release_at": "2026-01-27T09:25:54.132Z",
      "days_since_release": 122,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/servers.git",
      "license": "MIT",
      "created_at": "2024-11-21T19:15:20.357Z",
      "days_since_created": 554,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 86462
    },
    "scanned_at": "2026-05-30T05:47:11Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-pdf",
    "version": "1.7.2",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "7 caret + 0 tilde / 7 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.7.2",
      "last_release_at": "2026-05-15T18:04:12.969Z",
      "days_since_release": 14,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/ext-apps.git",
      "license": "MIT",
      "created_at": "2026-01-15T20:51:02.649Z",
      "days_since_created": 134,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 7,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 2339
    },
    "scanned_at": "2026-05-30T05:47:13Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-postgres",
    "version": "0.6.2",
    "verdict": "WARN",
    "score": 67,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "541 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.6.2",
      "last_release_at": "2024-12-04T16:14:51.820Z",
      "days_since_release": 541,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-19T14:14:36.513Z",
      "days_since_created": 556,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:14Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-puppeteer",
    "version": "2025.5.12",
    "verdict": "WARN",
    "score": 67,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "382 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2025.5.12",
      "last_release_at": "2025-05-12T21:29:35.151Z",
      "days_since_release": 382,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-19T14:14:39.500Z",
      "days_since_created": 556,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:16Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-sequential-thinking",
    "version": "2025.12.18",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "2025.12.18",
      "last_release_at": "2025-12-18T16:05:40.713Z",
      "days_since_release": 162,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/modelcontextprotocol/servers.git",
      "license": "MIT",
      "created_at": "2024-12-03T13:25:34.621Z",
      "days_since_created": 542,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 86462
    },
    "scanned_at": "2026-05-30T05:47:17Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@modelcontextprotocol/server-slack",
    "version": "2025.4.25",
    "verdict": "WARN",
    "score": 67,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "399 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "2025.4.25",
      "last_release_at": "2025-04-25T08:27:22.626Z",
      "days_since_release": 399,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2024-11-19T14:14:42.351Z",
      "days_since_created": 556,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:18Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@motiffcom/motiff-mcp-server",
    "version": "0.0.19",
    "verdict": "WARN",
    "score": 79,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "340 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.0.19",
      "last_release_at": "2025-06-23T08:07:35.140Z",
      "days_since_release": 340,
      "maintainer_count": 2,
      "repository_url": null,
      "license": "MIT License",
      "created_at": "2025-04-16T06:33:06.683Z",
      "days_since_created": 408,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:19Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@multiplayer-app/ai-agent-db",
    "version": "0.1.0-beta.91",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-beta.91",
      "last_release_at": "2026-05-29T10:00:52.740Z",
      "days_since_release": 0,
      "maintainer_count": 5,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-01-22T04:26:42.529Z",
      "days_since_created": 128,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:21Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@multiplayer-app/ai-agent-mongo",
    "version": "0.1.0-beta.91",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-beta.91",
      "last_release_at": "2026-05-29T10:00:57.079Z",
      "days_since_release": 0,
      "maintainer_count": 5,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-01-22T04:26:47.208Z",
      "days_since_created": 128,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:23Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@multiplayer-app/ai-agent-node",
    "version": "0.1.0-beta.91",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-beta.91",
      "last_release_at": "2026-05-29T10:00:54.961Z",
      "days_since_release": 0,
      "maintainer_count": 5,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-01-22T04:26:45.270Z",
      "days_since_created": 128,
      "dep_count": 17,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 12
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:24Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@multiplayer-app/ai-agent-types",
    "version": "0.1.0-beta.91",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-beta.91",
      "last_release_at": "2026-05-29T10:00:50.763Z",
      "days_since_release": 0,
      "maintainer_count": 5,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-12-26T12:19:25.350Z",
      "days_since_created": 154,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:26Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@notionhq/notion-mcp-server",
    "version": "2.2.1",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "11 caret + 0 tilde / 12 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.2.1",
      "last_release_at": "2026-03-05T17:29:55.865Z",
      "days_since_release": 85,
      "maintainer_count": 22,
      "repository_url": "git+ssh://git@github.com/makenotion/notion-mcp-server.git",
      "license": "MIT",
      "created_at": "2025-04-03T20:21:35.010Z",
      "days_since_created": 421,
      "dep_count": 12,
      "unpinned_classification": {
        "caret": 11,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 2,
      "github_stars": 4371
    },
    "scanned_at": "2026-05-30T05:47:28Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@olaservo/mcp-interceptors",
    "version": "0.0.0-temp.0",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 33 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.0.0-temp.0",
      "last_release_at": "2026-04-27T04:23:49.078Z",
      "days_since_release": 33,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/modelcontextprotocol/ext-interceptors.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-27T04:23:48.851Z",
      "days_since_created": 33,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 15,
      "github_stars": 15
    },
    "scanned_at": "2026-05-30T05:47:30Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@onozaty/redmine-mcp-server",
    "version": "1.2.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.2.0",
      "last_release_at": "2026-03-26T13:55:01.850Z",
      "days_since_release": 64,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/onozaty/redmine-mcp-server.git",
      "license": "MIT",
      "created_at": "2025-07-10T10:45:31.767Z",
      "days_since_created": 323,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 64,
      "github_stars": 18
    },
    "scanned_at": "2026-05-30T05:47:32Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@orchestrator-claude/mcp-server",
    "version": "3.31.1",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "3.31.1",
      "last_release_at": "2026-05-23T19:07:11.171Z",
      "days_since_release": 6,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/orchestratorAII/orchestrator_claude.git",
      "license": "MIT",
      "created_at": "2026-01-19T22:36:43.768Z",
      "days_since_created": 130,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:34Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@penpot/mcp",
    "version": "2.15.0",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "2.15.0",
      "last_release_at": "2026-05-12T08:53:12.620Z",
      "days_since_release": 17,
      "maintainer_count": 8,
      "repository_url": "git+https://github.com/penpot/penpot.git",
      "license": null,
      "created_at": "2026-03-11T11:02:00.423Z",
      "days_since_created": 79,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 48618
    },
    "scanned_at": "2026-05-30T05:47:36Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@phantom/mcp-server",
    "version": "1.2.7",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.2.7",
      "last_release_at": "2026-04-28T09:22:50.215Z",
      "days_since_release": 31,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/phantom/phantom-connect-sdk.git",
      "license": null,
      "created_at": "2026-02-07T19:14:55.912Z",
      "days_since_created": 111,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 31,
      "github_stars": 139
    },
    "scanned_at": "2026-05-30T05:47:38Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@playwright/mcp",
    "version": "0.0.75",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.0.75",
      "last_release_at": "2026-05-07T23:10:13.239Z",
      "days_since_release": 22,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/microsoft/playwright-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2025-03-13T00:36:23.518Z",
      "days_since_created": 443,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 2,
      "github_stars": 33219
    },
    "scanned_at": "2026-05-30T05:47:41Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@roeeash/vibecheck-mcp",
    "version": "0.1.2",
    "verdict": "WARN",
    "score": 70,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 17 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.1.2",
      "last_release_at": "2026-05-12T09:42:02.620Z",
      "days_since_release": 17,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-05-12T09:13:34.475Z",
      "days_since_created": 17,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:42Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@roychri/mcp-server-asana",
    "version": "1.8.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.8.0",
      "last_release_at": "2026-03-29T22:57:42.258Z",
      "days_since_release": 61,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/roychri/mcp-server-asana.git",
      "license": "MIT",
      "created_at": "2024-12-04T00:56:37.188Z",
      "days_since_created": 542,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 19,
      "github_stars": 139
    },
    "scanned_at": "2026-05-30T05:47:44Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@santhoshramesh/grabon-mcp",
    "version": "1.1.5",
    "verdict": "WARN",
    "score": 68,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "7 caret + 0 tilde / 7 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.1.5",
      "last_release_at": "2026-03-07T17:57:20.266Z",
      "days_since_release": 83,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2026-03-07T11:56:48.488Z",
      "days_since_created": 83,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 7,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:46Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sap-ux/fiori-mcp-server",
    "version": "0.7.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.7.2",
      "last_release_at": "2026-05-27T12:23:39.107Z",
      "days_since_release": 2,
      "maintainer_count": 5,
      "repository_url": "https://github.com/SAP/open-ux-tools.git",
      "license": "Apache-2.0",
      "created_at": "2025-09-02T18:00:37.755Z",
      "days_since_created": 269,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 7
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 147
    },
    "scanned_at": "2026-05-30T05:47:48Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sendbird/ai-agent-messenger-react",
    "version": "1.29.0",
    "verdict": "WARN",
    "score": 68,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "5 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.29.0",
      "last_release_at": "2026-05-27T14:56:58.232Z",
      "days_since_release": 2,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-06-10T08:14:21.915Z",
      "days_since_created": 353,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:49Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sendbird/ai-agent-messenger-react-native",
    "version": "1.17.0",
    "verdict": "WARN",
    "score": 71,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.17.0",
      "last_release_at": "2026-05-27T14:56:41.750Z",
      "days_since_release": 2,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-10-24T14:46:00.969Z",
      "days_since_created": 217,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:47:52Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sentry/mcp-server",
    "version": "0.35.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.35.0",
      "last_release_at": "2026-05-21T19:58:24.255Z",
      "days_since_release": 8,
      "maintainer_count": 1,
      "repository_url": "git+ssh://git@github.com/getsentry/sentry-mcp.git",
      "license": "FSL-1.1-ALv2",
      "created_at": "2025-04-24T16:11:28.178Z",
      "days_since_created": 400,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 711
    },
    "scanned_at": "2026-05-30T05:47:54Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@shortcut/mcp",
    "version": "0.24.0",
    "verdict": "WARN",
    "score": 77,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "8 caret + 0 tilde / 8 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "B5_repo_archived",
        "deduct": 20,
        "hard_block": false,
        "evidence": "GitHub repo is archived",
        "rationale": "GitHub-archived repo means maintainer has explicitly declared they will not accept further fixes \u2014 installing is consciously accepting an end-of-life dependency."
      }
    ],
    "metadata": {
      "latest_version": "0.24.0",
      "last_release_at": "2026-03-16T19:23:15.503Z",
      "days_since_release": 74,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/useshortcut/mcp-server-shortcut.git",
      "license": "MIT",
      "created_at": "2025-03-18T18:21:32.984Z",
      "days_since_created": 437,
      "dep_count": 8,
      "unpinned_classification": {
        "caret": 8,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 28,
      "github_stars": 98
    },
    "scanned_at": "2026-05-30T05:47:56Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@shrkcrft/mcp-server",
    "version": "0.1.0-alpha.12",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 11 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "27 caret + 0 tilde / 27 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0-alpha.12",
      "last_release_at": "2026-05-28T07:05:39.000Z",
      "days_since_release": 1,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/shrkcrft/sharkcraft.git",
      "license": "MIT",
      "created_at": "2026-05-18T12:44:29.324Z",
      "days_since_created": 11,
      "dep_count": 27,
      "unpinned_classification": {
        "caret": 27,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 0
    },
    "scanned_at": "2026-05-30T05:47:58Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sigmacomputing/slack-mcp-server",
    "version": "0.1.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.1.1",
      "last_release_at": "2026-02-23T19:53:49.036Z",
      "days_since_release": 95,
      "maintainer_count": 229,
      "repository_url": "git+https://github.com/sigmacomputing/slack-mcp-server.git",
      "license": "MIT",
      "created_at": "2026-02-23T19:53:48.751Z",
      "days_since_created": 95,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 95,
      "github_stars": 0
    },
    "scanned_at": "2026-05-30T05:48:00Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@sleep2agi/agent-network-dashboard",
    "version": "0.5.6",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 29 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.5.6",
      "last_release_at": "2026-05-25T08:59:26.021Z",
      "days_since_release": 4,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/sleep2agi/agent-network-dashboard.git",
      "license": "Apache-2.0",
      "created_at": "2026-05-01T05:09:59.130Z",
      "days_since_created": 29,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 3
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:02Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@solvapay/mcp",
    "version": "0.2.5",
    "verdict": "WARN",
    "score": 78,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 35 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.2.5",
      "last_release_at": "2026-05-05T09:04:26.495Z",
      "days_since_release": 24,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/solvapay/solvapay-sdk.git",
      "license": null,
      "created_at": "2026-04-24T22:28:56.139Z",
      "days_since_created": 35,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 5
    },
    "scanned_at": "2026-05-30T05:48:04Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@storybook/addon-mcp",
    "version": "0.6.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.6.0",
      "last_release_at": "2026-04-14T11:39:46.764Z",
      "days_since_release": 45,
      "maintainer_count": 12,
      "repository_url": "git+https://github.com/storybookjs/mcp.git",
      "license": "MIT",
      "created_at": "2025-08-27T10:40:29.797Z",
      "days_since_created": 275,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 245
    },
    "scanned_at": "2026-05-30T05:48:07Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@supabase/mcp-server-supabase",
    "version": "0.8.1",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.8.1",
      "last_release_at": "2026-05-01T20:50:09.636Z",
      "days_since_release": 28,
      "maintainer_count": 15,
      "repository_url": "git+https://github.com/supabase-community/supabase-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2025-03-28T21:14:29.543Z",
      "days_since_created": 427,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 14,
      "github_stars": 2712
    },
    "scanned_at": "2026-05-30T05:48:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@syntrologie/adapt-mcp",
    "version": "2.27.0",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 35 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "2.27.0",
      "last_release_at": "2026-05-23T00:57:47.749Z",
      "days_since_release": 7,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/SyntropyForge/amazing-demos.git",
      "license": "Proprietary",
      "created_at": "2026-04-24T23:16:53.998Z",
      "days_since_created": 35,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:10Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@szc-ft/mcp-szcd-component-helper",
    "version": "0.10.0",
    "verdict": "WARN",
    "score": 63,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 32 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node scripts/postinstall.js",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "0.10.0",
      "last_release_at": "2026-05-08T01:57:43.536Z",
      "days_since_release": 22,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/szc-ft/szcd.git",
      "license": "MIT",
      "created_at": "2026-04-27T10:48:49.291Z",
      "days_since_created": 32,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:12Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@szjc/szjc-mcp-server",
    "version": "1.0.24",
    "verdict": "PASS",
    "score": 81,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "1.0.24",
      "last_release_at": "2025-12-24T09:19:19.579Z",
      "days_since_release": 156,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-10-28T01:55:03.156Z",
      "days_since_created": 214,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:14Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@taazkareem/clickup-mcp-server",
    "version": "0.14.4",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "12 caret + 0 tilde / 12 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.14.4",
      "last_release_at": "2026-05-02T20:03:17.387Z",
      "days_since_release": 27,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/taazkareem/clickup-mcp-server.git",
      "license": "Proprietary",
      "created_at": "2025-02-05T07:41:19.736Z",
      "days_since_created": 478,
      "dep_count": 12,
      "unpinned_classification": {
        "caret": 12,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 41
    },
    "scanned_at": "2026-05-30T05:48:15Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@telnyx/ai-agent-lib",
    "version": "0.4.5",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.4.5",
      "last_release_at": "2026-05-29T14:05:19.223Z",
      "days_since_release": 0,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-07-29T02:28:20.702Z",
      "days_since_created": 305,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:17Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@telnyx/ai-agent-widget",
    "version": "0.33.6",
    "verdict": "PASS",
    "score": 82,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 10 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.33.6",
      "last_release_at": "2026-05-11T19:06:33.619Z",
      "days_since_release": 18,
      "maintainer_count": 6,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-06-30T22:50:22.844Z",
      "days_since_created": 333,
      "dep_count": 10,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:19Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@tencent-ai/agent-server",
    "version": "0.0.23-beta",
    "verdict": "WARN",
    "score": 79,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "193 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.0.23-beta",
      "last_release_at": "2025-11-17T07:32:55.138Z",
      "days_since_release": 193,
      "maintainer_count": 2,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-06-09T10:39:10.077Z",
      "days_since_created": 354,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:48:20Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@theia/ai-mcp-server",
    "version": "1.72.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.72.1",
      "last_release_at": "2026-05-29T11:23:08.202Z",
      "days_since_release": 0,
      "maintainer_count": 12,
      "repository_url": "git+https://github.com/eclipse-theia/theia.git",
      "license": "EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0",
      "created_at": "2025-09-26T13:41:08.582Z",
      "days_since_created": 245,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 21540
    },
    "scanned_at": "2026-05-30T05:48:22Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@tokenlens/models",
    "version": "1.3.0",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "252 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.3.0",
      "last_release_at": "2025-09-19T11:47:58.125Z",
      "days_since_release": 252,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/xn1cklas/tokenlens.git",
      "license": "MIT",
      "created_at": "2025-09-11T13:19:42.845Z",
      "days_since_created": 260,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 9,
      "github_stars": 248
    },
    "scanned_at": "2026-05-30T05:48:24Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@traceloop/instrumentation-anthropic",
    "version": "0.26.0",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "5 caret + 0 tilde / 7 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.26.0",
      "last_release_at": "2026-04-16T11:45:46.743Z",
      "days_since_release": 43,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/traceloop/openllmetry-js.git",
      "license": "Apache-2.0",
      "created_at": "2024-04-05T11:44:19.149Z",
      "days_since_created": 784,
      "dep_count": 7,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 400
    },
    "scanned_at": "2026-05-30T05:48:26Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-admin",
    "version": "0.3.7",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.7",
      "last_release_at": "2026-05-14T17:16:49.315Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T20:13:37.204Z",
      "days_since_created": 37,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:27Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-assessment",
    "version": "0.3.8",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.8",
      "last_release_at": "2026-05-14T17:16:49.159Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T22:36:51.260Z",
      "days_since_created": 37,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:29Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-consent",
    "version": "0.2.10",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.2.10",
      "last_release_at": "2026-05-14T17:16:49.180Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T20:07:58.542Z",
      "days_since_created": 37,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 3
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:32Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-discovery",
    "version": "0.3.4",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.4",
      "last_release_at": "2026-05-14T17:16:49.359Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T20:05:52.442Z",
      "days_since_created": 37,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:39Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-dsr",
    "version": "0.3.8",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.8",
      "last_release_at": "2026-05-14T17:16:49.140Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T19:57:28.171Z",
      "days_since_created": 37,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:41Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-inventory",
    "version": "0.3.4",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.4",
      "last_release_at": "2026-05-14T17:16:49.117Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T16:57:39.051Z",
      "days_since_created": 37,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:43Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-preferences",
    "version": "0.3.4",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.4",
      "last_release_at": "2026-05-14T17:16:53.966Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T19:51:48.199Z",
      "days_since_created": 37,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:45Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@transcend-io/mcp-server-workflows",
    "version": "0.3.4",
    "verdict": "PASS",
    "score": 92,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 37 days ago",
        "rationale": "Very new repos have no track record; a new repo combined with a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.3.4",
      "last_release_at": "2026-05-14T17:16:53.998Z",
      "days_since_release": 15,
      "maintainer_count": 7,
      "repository_url": "git+https://github.com/transcend-io/tools.git",
      "license": "Apache-2.0",
      "created_at": "2026-04-22T19:49:02.467Z",
      "days_since_created": 37,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:48:47Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@ui5/mcp-server",
    "version": "0.2.11",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "15 caret + 0 tilde / 15 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.2.11",
      "last_release_at": "2026-04-13T13:04:57.153Z",
      "days_since_release": 46,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/UI5/mcp-server.git",
      "license": "Apache-2.0",
      "created_at": "2025-09-03T07:31:42.298Z",
      "days_since_created": 268,
      "dep_count": 15,
      "unpinned_classification": {
        "caret": 15,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 87
    },
    "scanned_at": "2026-05-30T05:48:49Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@uniswap/ai-toolkit-claude-mcp-helper",
    "version": "1.0.24",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.0.24",
      "last_release_at": "2026-05-05T19:43:10.477Z",
      "days_since_release": 24,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/Uniswap/ai-toolkit.git",
      "license": null,
      "created_at": "2025-11-06T19:30:05.852Z",
      "days_since_created": 204,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 38
    },
    "scanned_at": "2026-05-30T05:48:51Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@upstash/context7-mcp",
    "version": "3.0.0",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "8 caret + 0 tilde / 8 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "3.0.0",
      "last_release_at": "2026-05-22T16:20:07.665Z",
      "days_since_release": 7,
      "maintainer_count": 8,
      "repository_url": "git+https://github.com/upstash/context7.git",
      "license": "MIT",
      "created_at": "2025-04-08T11:06:33.196Z",
      "days_since_created": 416,
      "dep_count": 8,
      "unpinned_classification": {
        "caret": 8,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 56396
    },
    "scanned_at": "2026-05-30T05:48:53Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@vercel/ai",
    "version": "",
    "verdict": "ERROR",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {},
    "scanned_at": "2026-05-30T05:48:55Z",
    "rubric_version": "0.1.0",
    "error": "npm: HTTP 404"
  },
  {
    "package": "@vercel/detect-agent",
    "version": "1.2.3",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.2.3",
      "last_release_at": "2026-04-17T02:30:40.583Z",
      "days_since_release": 43,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/vercel/vercel.git",
      "license": "Apache-2.0",
      "created_at": "2025-08-13T20:41:22.348Z",
      "days_since_created": 289,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 15572
    },
    "scanned_at": "2026-05-30T05:48:56Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@voltagent/core",
    "version": "2.7.5",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "43 caret + 0 tilde / 44 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.7.5",
      "last_release_at": "2026-05-22T23:49:28.835Z",
      "days_since_release": 7,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/VoltAgent/voltagent.git",
      "license": "MIT",
      "created_at": "2025-04-18T15:48:32.751Z",
      "days_since_created": 406,
      "dep_count": 44,
      "unpinned_classification": {
        "caret": 43,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 9239
    },
    "scanned_at": "2026-05-30T05:48:58Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@winor30/mcp-server-datadog",
    "version": "1.7.0",
    "verdict": "PASS",
    "score": 80,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "222 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.7.0",
      "last_release_at": "2025-10-19T22:34:40.513Z",
      "days_since_release": 222,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/winor30/mcp-server-datadog.git",
      "license": null,
      "created_at": "2025-02-24T09:36:08.579Z",
      "days_since_created": 459,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 53,
      "github_stars": 142
    },
    "scanned_at": "2026-05-30T05:49:00Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@winsznx/lend402",
    "version": "0.1.6",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.1.6",
      "last_release_at": "2026-03-24T14:02:40.517Z",
      "days_since_release": 66,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/winsznx/lend402sdk.git",
      "license": "MIT",
      "created_at": "2026-03-17T19:48:26.914Z",
      "days_since_created": 73,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 4
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 61,
      "github_stars": 0
    },
    "scanned_at": "2026-05-30T05:49:02Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@z_ai/mcp-server",
    "version": "0.1.4",
    "verdict": "PASS",
    "score": 85,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "0.1.4",
      "last_release_at": "2026-04-20T02:30:01.410Z",
      "days_since_release": 40,
      "maintainer_count": 5,
      "repository_url": null,
      "license": "Apache-2.0",
      "created_at": "2025-09-07T10:22:25.023Z",
      "days_since_created": 264,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:04Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "@zereight/mcp-gitlab",
    "version": "2.1.16",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "17 caret + 0 tilde / 18 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.1.16",
      "last_release_at": "2026-05-25T15:52:23.876Z",
      "days_since_release": 4,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/zereight/gitlab-mcp.git",
      "license": "MIT",
      "created_at": "2025-02-11T00:53:25.341Z",
      "days_since_created": 473,
      "dep_count": 18,
      "unpinned_classification": {
        "caret": 17,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1598
    },
    "scanned_at": "2026-05-30T05:49:05Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "add-mcp",
    "version": "1.10.4",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.10.4",
      "last_release_at": "2026-05-23T22:54:55.249Z",
      "days_since_release": 6,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/neon-solutions/add-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2025-06-12T17:25:24.221Z",
      "days_since_created": 351,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 6,
      "github_stars": 218
    },
    "scanned_at": "2026-05-30T05:49:07Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "agent-install",
    "version": "0.0.5",
    "verdict": "WARN",
    "score": 70,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 29 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.0.5",
      "last_release_at": "2026-05-01T13:44:50.142Z",
      "days_since_release": 28,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-05-01T02:28:47.946Z",
      "days_since_created": 29,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "agentdb",
    "version": "3.0.0-alpha.16",
    "verdict": "WARN",
    "score": 68,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node scripts/postinstall.cjs || true",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "3.0.0-alpha.16",
      "last_release_at": "2026-05-30T00:10:21.366Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/ruvnet/agentdb.git",
      "license": "MIT",
      "created_at": "2025-10-18T05:22:28.052Z",
      "days_since_created": 224,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 57
    },
    "scanned_at": "2026-05-30T05:49:09Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "ai",
    "version": "6.0.193",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "6.0.193",
      "last_release_at": "2026-05-28T23:37:21.208Z",
      "days_since_release": 1,
      "maintainer_count": 5,
      "repository_url": "git+https://github.com/vercel/ai.git",
      "license": "Apache-2.0",
      "created_at": "2014-02-21T22:09:35.189Z",
      "days_since_created": 4480,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 3
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 24546
    },
    "scanned_at": "2026-05-30T05:49:10Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "argocd-mcp",
    "version": "0.7.0",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.7.0",
      "last_release_at": "2026-05-03T09:55:51.255Z",
      "days_since_release": 26,
      "maintainer_count": 5,
      "repository_url": "git+https://github.com/argoproj-labs/mcp-for-argocd.git",
      "license": "Apache-2.0",
      "created_at": "2025-04-23T00:06:11.525Z",
      "days_since_created": 402,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 26,
      "github_stars": 474
    },
    "scanned_at": "2026-05-30T05:49:11Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "arkaos",
    "version": "3.77.0",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 54 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "3.77.0",
      "last_release_at": "2026-05-28T22:43:22.833Z",
      "days_since_release": 1,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/andreagroferreira/arka-os.git",
      "license": "MIT",
      "created_at": "2026-04-05T09:51:48.497Z",
      "days_since_created": 54,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 5
    },
    "scanned_at": "2026-05-30T05:49:13Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "brainpedia-mcp",
    "version": "0.4.3",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 27 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.4.3",
      "last_release_at": "2026-05-16T11:59:04.919Z",
      "days_since_release": 13,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/0xYudhishthra/brainpedia.git",
      "license": "MIT",
      "created_at": "2026-05-02T17:51:00.520Z",
      "days_since_created": 27,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 13,
      "github_stars": 0
    },
    "scanned_at": "2026-05-30T05:49:15Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "build-skill",
    "version": "1.4.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.4.0",
      "last_release_at": "2026-02-24T02:09:03.865Z",
      "days_since_release": 95,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/Flash-Brew-Digital/build-skill.git",
      "license": "MIT",
      "created_at": "2026-02-03T12:00:14.893Z",
      "days_since_created": 115,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 95,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:49:16Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "chrome-devtools-mcp",
    "version": "1.1.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.1.1",
      "last_release_at": "2026-05-27T11:52:16.056Z",
      "days_since_release": 2,
      "maintainer_count": 3,
      "repository_url": "git+https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
      "license": "Apache-2.0",
      "created_at": "2025-05-13T11:39:56.873Z",
      "days_since_created": 381,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 42282
    },
    "scanned_at": "2026-05-30T05:49:18Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "claude-chatgpt-mcp",
    "version": "1.0.1",
    "verdict": "WARN",
    "score": 78,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "426 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "1.0.1",
      "last_release_at": "2025-03-29T18:37:22.267Z",
      "days_since_release": 426,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/syedazharmbnr1/claude-chatgpt-mcp.git",
      "license": "MIT",
      "created_at": "2025-03-29T18:33:47.329Z",
      "days_since_created": 426,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 190,
      "github_stars": 783
    },
    "scanned_at": "2026-05-30T05:49:19Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "claude-mcp",
    "version": "2.4.1",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "271 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "2.4.1",
      "last_release_at": "2025-08-31T20:28:35.830Z",
      "days_since_release": 271,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/ebeloded/claude-mcp.git",
      "license": "MIT",
      "created_at": "2025-05-28T17:50:52.904Z",
      "days_since_created": 366,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 274,
      "github_stars": 13
    },
    "scanned_at": "2026-05-30T05:49:20Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "claude-mcp-bridge",
    "version": "0.6.1",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 53 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.6.1",
      "last_release_at": "2026-05-04T03:44:36.501Z",
      "days_since_release": 26,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/hampsterx/claude-mcp-bridge.git",
      "license": "MIT",
      "created_at": "2026-04-07T01:20:53.589Z",
      "days_since_created": 53,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 26,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:49:22Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "claude-mcp-workflow",
    "version": "0.1.8",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.1.8",
      "last_release_at": "2026-05-15T23:49:33.458Z",
      "days_since_release": 14,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/AxGord/claude-workflow.git",
      "license": "MIT",
      "created_at": "2026-03-01T19:51:27.142Z",
      "days_since_created": 89,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 10,
      "github_stars": 5
    },
    "scanned_at": "2026-05-30T05:49:24Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "claude-outlook-mcp",
    "version": "1.0.0",
    "verdict": "WARN",
    "score": 78,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "192 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B4_github_last_push_over_365d",
        "deduct": 12,
        "hard_block": false,
        "evidence": "GitHub last push 442 days ago (2025-03-14T03:01:40Z)",
        "rationale": "Last GitHub push >365d shows the repo behind the npm package is effectively abandoned even if package.json times look recent."
      }
    ],
    "metadata": {
      "latest_version": "1.0.0",
      "last_release_at": "2025-11-19T01:51:43.020Z",
      "days_since_release": 192,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/syedazharmbnr1/claude-outlook-mcp.git",
      "license": "MIT",
      "created_at": "2025-11-19T01:51:42.689Z",
      "days_since_created": 192,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 442,
      "github_stars": 42
    },
    "scanned_at": "2026-05-30T05:49:25Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "codeceptjs",
    "version": "4.0.3",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "4.0.3",
      "last_release_at": "2026-05-28T09:00:59.436Z",
      "days_since_release": 1,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/codeceptjs/CodeceptJS.git",
      "license": "MIT",
      "created_at": "2015-11-22T01:34:32.716Z",
      "days_since_created": 3842,
      "dep_count": 45,
      "unpinned_classification": {
        "caret": 10,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 35
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 4224
    },
    "scanned_at": "2026-05-30T05:49:26Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "cohere-ai",
    "version": "8.0.0",
    "verdict": "PASS",
    "score": 90,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "8.0.0",
      "last_release_at": "2026-04-01T14:15:10.999Z",
      "days_since_release": 58,
      "maintainer_count": 5,
      "repository_url": "git+https://github.com/cohere-ai/cohere-typescript.git",
      "license": null,
      "created_at": "2021-01-22T15:54:08.680Z",
      "days_since_created": 1953,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 58,
      "github_stars": 174
    },
    "scanned_at": "2026-05-30T05:49:28Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "create-ai-agent-setup",
    "version": "1.5.2",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 31 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "1.5.2",
      "last_release_at": "2026-05-29T07:08:45.096Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/hoangNguyenAngelhack/ai-agent-setup.git",
      "license": "MIT",
      "created_at": "2026-04-28T09:45:36.991Z",
      "days_since_created": 31,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1
    },
    "scanned_at": "2026-05-30T05:49:29Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "enhanced-postgres-mcp-server",
    "version": "1.0.1",
    "verdict": "WARN",
    "score": 75,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "315 days since last release",
        "rationale": "Slowing release cadence \u2014 partial signal of declining maintenance."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "1.0.1",
      "last_release_at": "2025-07-19T03:56:27.230Z",
      "days_since_release": 315,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2025-07-19T01:54:02.610Z",
      "days_since_created": 315,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:31Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "figma-mcp",
    "version": "0.1.4",
    "verdict": "WARN",
    "score": 53,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "390 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.1.4",
      "last_release_at": "2025-05-04T19:02:45.074Z",
      "days_since_release": 390,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2024-12-05T23:59:38.385Z",
      "days_since_created": 540,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:32Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "fixparser",
    "version": "9.4.7",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "9.4.7",
      "last_release_at": "2026-05-13T22:38:43.626Z",
      "days_since_release": 16,
      "maintainer_count": 1,
      "repository_url": "git+https://gitlab.com/logotype/fixparser.git",
      "license": "LICENSE.md",
      "created_at": "2015-09-02T14:33:27.507Z",
      "days_since_created": 3922,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 4
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:33Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "gbstudio-claude-mcp",
    "version": "1.0.4",
    "verdict": "BLOCK",
    "score": 43,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "D3_hardcoded_credentials_in_source",
        "deduct": 50,
        "hard_block": true,
        "evidence": "detected: anthropic_api_key",
        "rationale": "Hard-coded API keys / tokens / secrets in published source is unambiguous fail."
      }
    ],
    "metadata": {
      "latest_version": "1.0.4",
      "last_release_at": "2026-01-28T19:31:53.664Z",
      "days_since_release": 121,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/eoinjordan/gb-studio-agent.git",
      "license": "MIT",
      "created_at": "2026-01-25T14:58:20.985Z",
      "days_since_created": 124,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 108,
      "github_stars": 10
    },
    "scanned_at": "2026-05-30T05:49:35Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "ghost-bridge",
    "version": "0.7.1",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.7.1",
      "last_release_at": "2026-04-15T07:13:59.743Z",
      "days_since_release": 44,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/<Username>/ghost-bridge.git",
      "license": "MIT",
      "created_at": "2026-02-06T10:36:46.454Z",
      "days_since_created": 112,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:36Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "gitnexus",
    "version": "1.6.5",
    "verdict": "WARN",
    "score": 68,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "30 caret + 0 tilde / 35 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node scripts/build-tree-sitter-dart.cjs && node scripts/build-tree-sitter-proto.cjs",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "1.6.5",
      "last_release_at": "2026-05-16T16:32:36.218Z",
      "days_since_release": 13,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/abhigyanpatwari/GitNexus.git",
      "license": "PolyForm-Noncommercial-1.0.0",
      "created_at": "2026-02-06T20:04:54.697Z",
      "days_since_created": 112,
      "dep_count": 35,
      "unpinned_classification": {
        "caret": 30,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 5
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 40775
    },
    "scanned_at": "2026-05-30T05:49:38Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "great-cto",
    "version": "2.33.1",
    "verdict": "WARN",
    "score": 63,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 41 days ago",
        "rationale": "Very new repos have no track record; combined with high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node postinstall.mjs",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every developer machine. MCPwn-class vulnerabilities used this surface."
      }
    ],
    "metadata": {
      "latest_version": "2.33.1",
      "last_release_at": "2026-05-29T14:03:59.238Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/avelikiy/great_cto.git",
      "license": "MIT",
      "created_at": "2026-04-18T16:52:15.788Z",
      "days_since_created": 41,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 33
    },
    "scanned_at": "2026-05-30T05:49:39Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "hermes-paperclip-adapter",
    "version": "0.3.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.3.0",
      "last_release_at": "2026-03-31T19:22:01.700Z",
      "days_since_release": 59,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/NousResearch/hermes-paperclip-adapter.git",
      "license": "MIT",
      "created_at": "2026-03-13T00:23:04.109Z",
      "days_since_created": 78,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 2,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 56,
      "github_stars": 1434
    },
    "scanned_at": "2026-05-30T05:49:40Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "hlims-mcp",
    "version": "1.0.0",
    "verdict": "PASS",
    "score": 81,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      }
    ],
    "metadata": {
      "latest_version": "1.0.0",
      "last_release_at": "2026-03-11T04:11:01.001Z",
      "days_since_release": 80,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-03-11T04:11:00.832Z",
      "days_since_created": 80,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:42Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "hyper-mcp-shell",
    "version": "1.1.2",
    "verdict": "WARN",
    "score": 53,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "442 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.1.2",
      "last_release_at": "2025-03-13T09:06:03.799Z",
      "days_since_release": 442,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-03-09T18:20:47.587Z",
      "days_since_created": 446,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:43Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "jsonresume-mcp",
    "version": "0.4.0",
    "verdict": "WARN",
    "score": 53,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "451 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.4.0",
      "last_release_at": "2025-03-04T13:03:41.282Z",
      "days_since_release": 451,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-03-04T11:39:44.194Z",
      "days_since_created": 451,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:44Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "kubernetes-mcp-server",
    "version": "0.0.62",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "0.0.62",
      "last_release_at": "2026-05-05T12:26:13.691Z",
      "days_since_release": 24,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/containers/kubernetes-mcp-server.git",
      "license": "Apache-2.0",
      "created_at": "2025-02-14T13:57:45.239Z",
      "days_since_created": 469,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 1636
    },
    "scanned_at": "2026-05-30T05:49:46Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "langchain",
    "version": "1.4.2",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "1.4.2",
      "last_release_at": "2026-05-21T22:00:44.599Z",
      "days_since_release": 8,
      "maintainer_count": 8,
      "repository_url": "git+ssh://git@github.com/langchain-ai/langchainjs.git",
      "license": "MIT",
      "created_at": "2023-02-14T18:06:57.074Z",
      "days_since_created": 1200,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 17733
    },
    "scanned_at": "2026-05-30T05:49:47Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "llamaindex",
    "version": "0.12.1",
    "verdict": "PASS",
    "score": 80,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B5_repo_archived",
        "deduct": 20,
        "hard_block": false,
        "evidence": "GitHub repo is archived",
        "rationale": "GitHub-archived repo means maintainer has explicitly declared they will not accept further fixes \u2014 installing is consciously accepting an end-of-life dependency."
      }
    ],
    "metadata": {
      "latest_version": "0.12.1",
      "last_release_at": "2025-12-02T08:59:24.145Z",
      "days_since_release": 178,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/run-llama/LlamaIndexTS.git",
      "license": "MIT",
      "created_at": "2023-07-21T15:16:07.588Z",
      "days_since_created": 1043,
      "dep_count": 8,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 4
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 79,
      "github_stars": 3077
    },
    "scanned_at": "2026-05-30T05:49:48Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "locadex",
    "version": "1.0.180",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "5 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.0.180",
      "last_release_at": "2026-05-29T04:31:29.023Z",
      "days_since_release": 1,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/generaltranslation/gt.git",
      "license": "MIT",
      "created_at": "2025-05-19T03:34:06.716Z",
      "days_since_created": 376,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 5,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 952
    },
    "scanned_at": "2026-05-30T05:49:50Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mayar-mcp",
    "version": "1.0.9",
    "verdict": "WARN",
    "score": 53,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "392 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "1.0.9",
      "last_release_at": "2025-05-02T07:56:37.856Z",
      "days_since_release": 392,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-04-30T06:48:37.832Z",
      "days_since_created": 394,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:51Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-proxy",
    "version": "6.5.1",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "6.5.1",
      "last_release_at": "2026-05-20T04:35:36.608Z",
      "days_since_release": 10,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/punkpeye/mcp-proxy.git",
      "license": "MIT",
      "created_at": "2024-12-29T20:15:32.244Z",
      "days_since_created": 516,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 10,
      "github_stars": 262
    },
    "scanned_at": "2026-05-30T05:49:52Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-remote",
    "version": "0.1.38",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.1.38",
      "last_release_at": "2026-02-05T23:21:44.895Z",
      "days_since_release": 113,
      "maintainer_count": 2,
      "repository_url": "git+https://github.com/geelen/mcp-remote.git",
      "license": "MIT",
      "created_at": "2025-03-17T03:34:26.182Z",
      "days_since_created": 439,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 113,
      "github_stars": 1453
    },
    "scanned_at": "2026-05-30T05:49:54Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-server",
    "version": "0.0.9",
    "verdict": "WARN",
    "score": 66,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "479 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "B4_github_last_push_over_365d",
        "deduct": 12,
        "hard_block": false,
        "evidence": "GitHub last push 477 days ago (2025-02-06T22:05:31Z)",
        "rationale": "Last GitHub push >365d shows the repo behind the npm package is effectively abandoned even if package.json times look recent."
      }
    ],
    "metadata": {
      "latest_version": "0.0.9",
      "last_release_at": "2025-02-04T09:50:03.915Z",
      "days_since_release": 479,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/sandy-mount/mcp-server.git",
      "license": "MIT",
      "created_at": "2025-02-03T09:12:41.998Z",
      "days_since_created": 480,
      "dep_count": 3,
      "unpinned_classification": {
        "caret": 3,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 477,
      "github_stars": 4
    },
    "scanned_at": "2026-05-30T05:49:55Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-server-kubernetes",
    "version": "3.8.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      }
    ],
    "metadata": {
      "latest_version": "3.8.0",
      "last_release_at": "2026-05-23T19:55:45.761Z",
      "days_since_release": 6,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/Flux159/mcp-server-kubernetes.git",
      "license": "MIT",
      "created_at": "2024-12-10T04:26:13.979Z",
      "days_since_created": 536,
      "dep_count": 12,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 12
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 2,
      "github_stars": 1399
    },
    "scanned_at": "2026-05-30T05:49:56Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-starter",
    "version": "0.1.0",
    "verdict": "WARN",
    "score": 53,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1_last_release_over_365d",
        "deduct": 18,
        "hard_block": false,
        "evidence": "494 days since last release",
        "rationale": "Abandoned packages don't get CVE patches; agents calling them inherit unfixed risk."
      },
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible."
      },
      {
        "signal_id": "A6_no_license",
        "deduct": 10,
        "hard_block": false,
        "evidence": "license=None",
        "rationale": "Unlicensed code is legally fragile to depend on; can also be a signal of low-care maintenance."
      }
    ],
    "metadata": {
      "latest_version": "0.1.0",
      "last_release_at": "2025-01-20T20:31:14.630Z",
      "days_since_release": 494,
      "maintainer_count": 1,
      "repository_url": null,
      "license": null,
      "created_at": "2025-01-20T20:31:14.426Z",
      "days_since_created": 494,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:49:58Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "mcp-use",
    "version": "1.28.0",
    "verdict": "PASS",
    "score": 97,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "10 caret + 0 tilde / 12 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "1.28.0",
      "last_release_at": "2026-05-14T14:28:14.373Z",
      "days_since_release": 15,
      "maintainer_count": 4,
      "repository_url": "git+https://github.com/mcp-use/mcp-use.git",
      "license": "MIT",
      "created_at": "2025-04-20T09:08:39.373Z",
      "days_since_created": 404,
      "dep_count": 12,
      "unpinned_classification": {
        "caret": 10,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 10012
    },
    "scanned_at": "2026-05-30T05:49:59Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "n8n-nodes-ai-agent-langfuse",
    "version": "0.1.27",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus-factor of 1. If the single maintainer disappears or their npm account is compromised, no second pair of eyes."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "9 caret + 0 tilde / 9 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) inflates supply-chain surface. Calibrated down from v0.1 \u2014 caret is npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "0.1.27",
      "last_release_at": "2025-12-30T01:42:45.642Z",
      "days_since_release": 151,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/rorubyy/n8n-nodes-ai-agent-langfuse.git",
      "license": "MIT",
      "created_at": "2025-09-10T09:15:56.277Z",
      "days_since_created": 261,
      "dep_count": 9,
      "unpinned_classification": {
        "caret": 9,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 151,
      "github_stars": 29
    },
    "scanned_at": "2026-05-30T05:50:00Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "neoagent",
    "version": "2.4.0",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "39 caret + 0 tilde / 39 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) widens the supply-chain surface: without a committed lockfile, each fresh install may resolve a newer, unreviewed release of every dependency. Calibrated down from v0.1 \u2014 caret is the npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "2.4.0",
      "last_release_at": "2026-05-19T21:23:12.822Z",
      "days_since_release": 10,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/NeoLabs-Systems/NeoAgent.git",
      "license": "MIT",
      "created_at": "2026-03-09T21:02:02.783Z",
      "days_since_created": 81,
      "dep_count": 39,
      "unpinned_classification": {
        "caret": 39,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 1,
      "github_stars": 10
    },
    "scanned_at": "2026-05-30T05:50:02Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "neon-init",
    "version": "0.14.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      }
    ],
    "metadata": {
      "latest_version": "0.14.0",
      "last_release_at": "2026-03-16T18:10:28.751Z",
      "days_since_release": 74,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/neondatabase/neon-pkgs.git",
      "license": "Apache-2.0",
      "created_at": "2025-10-06T11:10:58.010Z",
      "days_since_created": 235,
      "dep_count": 5,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 1
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 2,
      "github_stars": 49
    },
    "scanned_at": "2026-05-30T05:50:04Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "nexo-brain",
    "version": "7.27.3",
    "verdict": "WARN",
    "score": 71,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      },
      {
        "signal_id": "A2_postinstall_script",
        "deduct": 25,
        "hard_block": false,
        "evidence": "postinstall: node bin/postinstall.js",
        "rationale": "Lifecycle scripts run arbitrary code at install time on every machine that installs the package (developer workstations and CI runners alike), before anyone has reviewed the package contents. MCPwn-class vulnerabilities used this surface. Installing with --ignore-scripts blocks them; read the named script before trusting the package."
      }
    ],
    "metadata": {
      "latest_version": "7.27.3",
      "last_release_at": "2026-05-25T15:56:09.863Z",
      "days_since_release": 4,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/wazionapps/nexo.git",
      "license": "AGPL-3.0",
      "created_at": "2026-03-23T00:14:37.069Z",
      "days_since_created": 68,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 22
    },
    "scanned_at": "2026-05-30T05:50:06Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "nsauditor-ai-agent-skill",
    "version": "0.1.58",
    "verdict": "PASS",
    "score": 88,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 48 days ago",
        "rationale": "Very new packages (under 60 days on the registry) have no track record; a brand-new package that already has a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      }
    ],
    "metadata": {
      "latest_version": "0.1.58",
      "last_release_at": "2026-05-30T05:27:17.164Z",
      "days_since_release": 0,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/nsasoft/nsauditor-ai-agent-skill.git",
      "license": "MIT",
      "created_at": "2026-04-11T23:50:33.541Z",
      "days_since_created": 48,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 2
    },
    "scanned_at": "2026-05-30T05:50:08Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "nx-mcp",
    "version": "0.25.0",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "0.25.0",
      "last_release_at": "2026-04-30T11:38:28.620Z",
      "days_since_release": 29,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/nrwl/nx-console.git",
      "license": "MIT",
      "created_at": "2025-02-25T11:07:42.955Z",
      "days_since_created": 458,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 1407
    },
    "scanned_at": "2026-05-30T05:50:09Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "obsidian-mcp-server",
    "version": "3.2.2",
    "verdict": "PASS",
    "score": 93,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      },
      {
        "signal_id": "A1_unpinned_deps",
        "deduct": 3,
        "hard_block": false,
        "evidence": "6 caret + 0 tilde / 6 deps (>70%)",
        "rationale": "Heavy use of caret/tilde ranges (>70% of deps) widens the supply-chain surface: without a committed lockfile, each fresh install may resolve a newer, unreviewed release of every dependency. Calibrated down from v0.1 \u2014 caret is the npm convention, so this fires only on heavy-use packages with >5 deps."
      }
    ],
    "metadata": {
      "latest_version": "3.2.2",
      "last_release_at": "2026-05-23T12:27:46.521Z",
      "days_since_release": 6,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/cyanheads/obsidian-mcp-server.git",
      "license": "Apache-2.0",
      "created_at": "2025-01-24T09:20:06.508Z",
      "days_since_created": 490,
      "dep_count": 6,
      "unpinned_classification": {
        "caret": 6,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 5,
      "github_stars": 564
    },
    "scanned_at": "2026-05-30T05:50:10Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "oceanbus",
    "version": "0.14.2",
    "verdict": "WARN",
    "score": 73,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      },
      {
        "signal_id": "B3_repo_under_60d_old",
        "deduct": 8,
        "hard_block": false,
        "evidence": "package created 29 days ago",
        "rationale": "Very new packages (under 60 days on the registry) have no track record; a brand-new package that already has a high install count is unusual and warrants caution. Suppressed for self-disclosed packages (we eat our own dog food)."
      },
      {
        "signal_id": "A5_repo_url_missing_or_mismatched",
        "deduct": 15,
        "hard_block": false,
        "evidence": "no repository URL in package.json",
        "rationale": "If the package.json repository URL is absent or 404s, source-to-binary verification is impossible: the published tarball cannot be compared against any source tree, so injected or modified code would only be found by reading the tarball itself."
      }
    ],
    "metadata": {
      "latest_version": "0.14.2",
      "last_release_at": "2026-05-25T03:17:06.288Z",
      "days_since_release": 5,
      "maintainer_count": 1,
      "repository_url": null,
      "license": "MIT",
      "created_at": "2026-05-01T04:51:51.913Z",
      "days_since_created": 29,
      "dep_count": 4,
      "unpinned_classification": {
        "caret": 4,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0
    },
    "scanned_at": "2026-05-30T05:50:12Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "oci-generativeaiagent",
    "version": "2.132.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      }
    ],
    "metadata": {
      "latest_version": "2.132.0",
      "last_release_at": "2026-05-19T14:31:00.996Z",
      "days_since_release": 10,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/oracle/oci-typescript-sdk.git",
      "license": "(UPL-1.0 OR Apache-2.0)",
      "created_at": "2024-09-30T16:40:37.253Z",
      "days_since_created": 606,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 97
    },
    "scanned_at": "2026-05-30T05:50:13Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "oci-generativeaiagentruntime",
    "version": "2.132.0",
    "verdict": "PASS",
    "score": 96,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B2_single_maintainer",
        "deduct": 4,
        "hard_block": false,
        "evidence": "single maintainer (bus factor 1)",
        "rationale": "Bus factor of 1: if the single maintainer disappears or their npm account is compromised, there is no second pair of eyes on what gets published."
      }
    ],
    "metadata": {
      "latest_version": "2.132.0",
      "last_release_at": "2026-05-19T14:27:42.408Z",
      "days_since_release": 10,
      "maintainer_count": 1,
      "repository_url": "git+https://github.com/oracle/oci-typescript-sdk.git",
      "license": "(UPL-1.0 OR Apache-2.0)",
      "created_at": "2024-09-30T16:44:18.477Z",
      "days_since_created": 606,
      "dep_count": 2,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 2
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 3,
      "github_stars": 97
    },
    "scanned_at": "2026-05-30T05:50:15Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "ollama",
    "version": "0.6.3",
    "verdict": "PASS",
    "score": 94,
    "self_disclosure": false,
    "triggered_signals": [
      {
        "signal_id": "B1b_last_release_180_to_365d",
        "deduct": 6,
        "hard_block": false,
        "evidence": "197 days since last release",
        "rationale": "No release in 180-365 days \u2014 a partial signal of declining maintenance; a stale package may be slow to ship fixes for newly reported vulnerabilities."
      }
    ],
    "metadata": {
      "latest_version": "0.6.3",
      "last_release_at": "2025-11-13T23:03:00.496Z",
      "days_since_release": 197,
      "maintainer_count": 6,
      "repository_url": "git+https://github.com/ollama/ollama-js.git",
      "license": "MIT",
      "created_at": "2023-09-14T00:12:03.296Z",
      "days_since_created": 989,
      "dep_count": 1,
      "unpinned_classification": {
        "caret": 1,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 100,
      "github_stars": 4235
    },
    "scanned_at": "2026-05-30T05:50:16Z",
    "rubric_version": "0.1.0",
    "error": null
  },
  {
    "package": "openai",
    "version": "6.39.1",
    "verdict": "PASS",
    "score": 100,
    "self_disclosure": false,
    "triggered_signals": [],
    "metadata": {
      "latest_version": "6.39.1",
      "last_release_at": "2026-05-28T17:46:52.775Z",
      "days_since_release": 1,
      "maintainer_count": 17,
      "repository_url": "git+https://github.com/openai/openai-node.git",
      "license": "Apache-2.0",
      "created_at": "2020-07-09T13:31:41.309Z",
      "days_since_created": 2150,
      "dep_count": 0,
      "unpinned_classification": {
        "caret": 0,
        "tilde": 0,
        "star": 0,
        "latest": 0,
        "pinned": 0
      },
      "osv_vuln_count": 0,
      "github_days_since_push": 0,
      "github_stars": 10940
    },
    "scanned_at": "2026-05-30T05:50:17Z",
    "rubric_version": "0.1.0",
    "error": null
  }
]
