proof-of-commitment
@piiiico
About proof-of-commitment
Supply chain security risk scorer for npm, PyPI, Cargo, and Go — behavioral signals that can't be faked
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"proof-of-commitment": {
"command": "npx",
"args": [
"-y",
"@smithery/cli",
"install",
"proof-of-commitment",
"--client",
"claude"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is proof-of-commitment?
proof-of-commitment is an MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals like publisher concentration, age, and provenance that are harder to fake than stars or download counts. It helps developers and AI agents identify supply chain risk, especially single-publisher packages with large reach.
How to use proof-of-commitment?
Add the server to any MCP-compatible AI tool using the URL https://poc-backend.amdal-dev.workers.dev/mcp via a streamable-http transport. Use the CLI with npx proof-of-commitment (zero‑arg auto‑detect in a project directory, or explicit package names and --file flags). For CI, use --fail-on=critical or the dedicated GitHub Action piiiico/commit-action@v1. Install IDE hooks with poc hook to block critical packages before install.
Key features of proof-of-commitment
- Detects publish‑access concentration risk (single NPM publisher >10M weekly downloads)
- Supports npm, PyPI, Rust crates, Go modules, and GitHub repos
- CLI with zero‑arg auto‑detect and lock‑file scanning (package‑lock, yarn.lock, go.sum, etc.)
- CI integration with
--fail-on=criticaland GitHub Action (PR comments, step summary) - SARIF output for GitHub Code Scanning (Security tab)
- IDE hooks for Cursor, Claude Code, and Windsurf to block critical packages
- Monitoring plan with weekly/daily alerts and package score degradation detection
Use cases of proof-of-commitment
- Auditing a project’s
package.jsonor lockfile for supply chain risk before merging - Adding a CI gate that blocks pull requests when critical packages are detected
- Preventing AI coding assistants from installing high‑risk dependencies via IDE hooks
- Monitoring third‑party packages for publisher changes or score drops over time
FAQ from proof-of-commitment
How does proof-of-commitment differ from npm audit?
npm audit flags known vulnerabilities, but not publish‑access concentration. proof-of-commitment surfaces attack‑surface risk — e.g., a single publisher with >10M weekly downloads — which npm audit does not detect.
Do I need to log in to use proof-of-commitment?
No login is required for the MCP server or CLI. A free API key is available to unlock monitoring (package watch, alerts) and higher rate limits.
What ecosystems does proof-of-commitment support?
It supports npm (Node.js), PyPI (Python), Rust crates, Go modules, and GitHub repositories.
What does a CRITICAL score mean?
A CRITICAL score indicates a package with a sole npm publisher and more than 10 million weekly downloads — a profile matching the axios token theft attack in March 2026.
How is data fetched in the MCP server?
The server uses a streamable‑HTTP backend (https://poc-backend.amdal-dev.workers.dev/mcp) that queries the same API used by the CLI and web demo. No local data storage is required.
More Other MCP servers
Blender
ahujasidOpen-source MCP to use Blender with any LLM
ICSS
chokcoco不止于 CSS
Mobile Mcp
mobile-nextModel Context Protocol Server for Mobile Automation and Scraping (iOS, Android, Emulators, Simulators and Real Devices)
IDA Pro MCP
mrexodiaAI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
Website
FunnyWolfAdversary simulation and Red teaming platform with AI
Comments