
Npmguard
@AyoubTadlaoui
Npmguard について
Pre-install risk gate for npm packages. Stops AI coding agents from running malicious or typosquatted packages before lifecycle scripts run.
基本情報
設定
以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。
{
"mcpServers": {
"npmguard": {
"command": "/usr/local/bin/npmguard-mcp"
}
}
}ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is Npmguard?
Npmguard is a native pre-install risk gate for npm packages, packaged as an MCP tool for AI coding agents. It pulls data from the npm registry, OSV.dev (including the MAL-* malware namespace), and GitHub repo signals in parallel, computes a composite risk score, and returns an ok / warn / block verdict before lifecycle scripts can execute. The server is a single static Rust binary distributed via GitHub Releases (not npm) so the gate itself cannot be compromised by the npm supply chain it protects against.
How to use Npmguard?
Add Npmguard to your MCP host (Claude Code, Cursor, Windsurf) by adding a JSON entry with the path to the npmguard-mcp binary. It exposes one tool: install_package(name, version?) which returns { level, score, signals, recommendation }. AI agents can use the structured tool response to decide whether to proceed with an installation. The binary is installed by downloading a prebuilt release from GitHub Releases for your platform.
Key features of Npmguard
- Pre-install risk scoring with composite score and verdict
- Eight risk signals: LifecycleScripts, PackageAge, MaintainerChurn, SoleMaintainer, RepoHealth, Typosquat, KnownCve, Deprecated
- Integrates OSV.dev malware namespace (MAL-*) for known malicious packages
- Single static Rust binary distributed outside npm for supply chain security
- MCP tool returns structured signals for AI agent decision-making
- Prebuilt binaries for macOS, Linux, and Windows
Use cases of Npmguard
- AI coding agents evaluating npm packages before permitting installation
- Blocking typosquat attacks and known malware before lifecycle scripts execute
- Manual risk assessment via
npmguard install <package>(supports CLI)
FAQ from Npmguard
What does Npmguard do that npm audit or Snyk don't?
Npmguard is a pre-install risk gate that computes a composite score and verdict before lifecycle scripts execute, pulling from OSV.dev including the malware namespace. It is distributed as a Rust binary outside npm to avoid supply chain compromise, serving as an additional layer rather than a replacement for existing tools.
How do I install Npmguard?
Download the prebuilt binary for your platform (macOS x86_64/arm64, Linux x86_64/arm64, Windows x86_64) from the GitHub Releases page. The server is not distributed via npm.
What are the current limitations of Npmguard?
Npmguard is not yet a real npm install wrapper, does not sandbox lifecycle scripts, and does not verify npm provenance. It does not replace npm audit, Snyk, Socket, or Dependabot.
How does the MCP tool work in practice?
The tool install_package returns a structured response containing risk level, score, signals, and a recommendation. When an AI coding agent calls it, the recommendation is fed back as a tool response, allowing the model to stop and ask even if the user said to install without checking.
「その他」の他のコンテンツ
IDA Pro MCP
mrexodiaAI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

Sequential Thinking
modelcontextprotocolModel Context Protocol Servers
Awesome Mlops
visengerA curated list of references for MLOps
Mcp
browsermcpBrowser MCP is a Model Context Provider (MCP) server that allows AI applications to control your browser
Inbox Zero AI MCP
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.
コメント