MCP.so
登录

Npmguard

@AyoubTadlaoui

关于 Npmguard

Pre-install risk gate for npm packages. Stops AI coding agents from running malicious or typosquatted packages before lifecycle scripts run.

基本信息

分类

其他

传输方式

stdio

发布者

AyoubTadlaoui

提交者

Atlas Kaisar

配置

使用下面的配置,将此服务器添加到你的 MCP 客户端。

{
  "mcpServers": {
    "npmguard": {
      "command": "/usr/local/bin/npmguard-mcp"
    }
  }
}

工具

未检测到工具

工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。

概览

What is Npmguard?

Npmguard is a native pre-install risk gate for npm packages, packaged as an MCP tool for AI coding agents. It pulls data from the npm registry, OSV.dev (including the MAL-* malware namespace), and GitHub repo signals in parallel, computes a composite risk score, and returns an ok / warn / block verdict before lifecycle scripts can execute. The server is a single static Rust binary distributed via GitHub Releases (not npm) so the gate itself cannot be compromised by the npm supply chain it protects against.

How to use Npmguard?

Add Npmguard to your MCP host (Claude Code, Cursor, Windsurf) by adding a JSON entry with the path to the npmguard-mcp binary. It exposes one tool: install_package(name, version?) which returns { level, score, signals, recommendation }. AI agents can use the structured tool response to decide whether to proceed with an installation. The binary is installed by downloading a prebuilt release from GitHub Releases for your platform.

Key features of Npmguard

  • Pre-install risk scoring with composite score and verdict
  • Eight risk signals: LifecycleScripts, PackageAge, MaintainerChurn, SoleMaintainer, RepoHealth, Typosquat, KnownCve, Deprecated
  • Integrates OSV.dev malware namespace (MAL-*) for known malicious packages
  • Single static Rust binary distributed outside npm for supply chain security
  • MCP tool returns structured signals for AI agent decision-making
  • Prebuilt binaries for macOS, Linux, and Windows

Use cases of Npmguard

  • AI coding agents evaluating npm packages before permitting installation
  • Blocking typosquat attacks and known malware before lifecycle scripts execute
  • Manual risk assessment via npmguard install <package> (supports CLI)

FAQ from Npmguard

What does Npmguard do that npm audit or Snyk don't?

Npmguard is a pre-install risk gate that computes a composite score and verdict before lifecycle scripts execute, pulling from OSV.dev including the malware namespace. It is distributed as a Rust binary outside npm to avoid supply chain compromise, serving as an additional layer rather than a replacement for existing tools.

How do I install Npmguard?

Download the prebuilt binary for your platform (macOS x86_64/arm64, Linux x86_64/arm64, Windows x86_64) from the GitHub Releases page. The server is not distributed via npm.

What are the current limitations of Npmguard?

Npmguard is not yet a real npm install wrapper, does not sandbox lifecycle scripts, and does not verify npm provenance. It does not replace npm audit, Snyk, Socket, or Dependabot.

How does the MCP tool work in practice?

The tool install_package returns a structured response containing risk level, score, signals, and a recommendation. When an AI coding agent calls it, the recommendation is fed back as a tool response, allowing the model to stop and ask even if the user said to install without checking.

评论

其他 分类下的更多 MCP 服务器