Security
Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.
45 CRITICAL
3646 HIGH
531 MEDIUM
1205 LOW
11 NONE
Supply chain: npm packages that run install-lifecycle scripts (code on install) or have been deprecated upstream, alongside ecosystem provenance coverage — review signals inferred from registry metadata, not verdicts.
- with provenance: 178 (27% of 660 npm + PyPI servers ship a build-provenance attestation)
- @aashari/mcp-server-atlassian-confluence: install hooks, no provenance
- @aashari/mcp-server-atlassian-jira: install hooks, no provenance
- @aerostack/gateway: install hooks, no provenance
- @ainative/cody-cli: install hooks, no provenance
- @askexenow/exe-os: install hooks, no provenance
- @azure/mcp: install hooks, no provenance
- @bangdao-ai/acw-tools: install hooks, no provenance
- @bike4mind/cli: install hooks, no provenance
- @claude-flow/cli: install hooks, no provenance
- @exaudeus/workrail: install hooks
- @henkey/postgres-mcp-server: install hooks, no provenance
- @iola_adm/iola-cli: install hooks
- @ironbee-ai/cli: install hooks, no provenance
- @ironbee-ai/devtools: install hooks, no provenance
- @jelou/cli: install hooks, no provenance
- @mapbox/mcp-server: install hooks, no provenance
- @nano-step/nano-brain: install hooks, no provenance
- @oxis-dev/tessra: install hooks, no provenance
- @pixelbyte-software/pixcode: install hooks, no provenance
- @proggarapsody/bitbottle: install hooks
- @scp3500/openvl: install hooks, no provenance
- @tacticlaunch/mcp-linear: install hooks, no provenance
- @tocodex/cli: install hooks, no provenance
- @trymesh/cli: install hooks, no provenance
- @waniwani/sdk: install hooks