proof-of-commitment
@piiiico
关于 proof-of-commitment
Supply chain security risk scorer for npm, PyPI, Cargo, and Go — behavioral signals that can't be faked
基本信息
配置
使用下面的配置,将此服务器添加到你的 MCP 客户端。
{
"mcpServers": {
"proof-of-commitment": {
"command": "npx",
"args": [
"-y",
"@smithery/cli",
"install",
"proof-of-commitment",
"--client",
"claude"
]
}
}
}工具
未检测到工具
工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。
概览
What is proof-of-commitment?
proof-of-commitment is an MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals like publisher concentration, age, and provenance that are harder to fake than stars or download counts. It helps developers and AI agents identify supply chain risk, especially single-publisher packages with large reach.
How to use proof-of-commitment?
Add the server to any MCP-compatible AI tool using the URL https://poc-backend.amdal-dev.workers.dev/mcp via a streamable-http transport. Use the CLI with npx proof-of-commitment (zero‑arg auto‑detect in a project directory, or explicit package names and --file flags). For CI, use --fail-on=critical or the dedicated GitHub Action piiiico/commit-action@v1. Install IDE hooks with poc hook to block critical packages before install.
Key features of proof-of-commitment
- Detects publish‑access concentration risk (single NPM publisher >10M weekly downloads)
- Supports npm, PyPI, Rust crates, Go modules, and GitHub repos
- CLI with zero‑arg auto‑detect and lock‑file scanning (package‑lock, yarn.lock, go.sum, etc.)
- CI integration with
--fail-on=criticaland GitHub Action (PR comments, step summary) - SARIF output for GitHub Code Scanning (Security tab)
- IDE hooks for Cursor, Claude Code, and Windsurf to block critical packages
- Monitoring plan with weekly/daily alerts and package score degradation detection
Use cases of proof-of-commitment
- Auditing a project’s
package.jsonor lockfile for supply chain risk before merging - Adding a CI gate that blocks pull requests when critical packages are detected
- Preventing AI coding assistants from installing high‑risk dependencies via IDE hooks
- Monitoring third‑party packages for publisher changes or score drops over time
FAQ from proof-of-commitment
How does proof-of-commitment differ from npm audit?
npm audit flags known vulnerabilities, but not publish‑access concentration. proof-of-commitment surfaces attack‑surface risk — e.g., a single publisher with >10M weekly downloads — which npm audit does not detect.
Do I need to log in to use proof-of-commitment?
No login is required for the MCP server or CLI. A free API key is available to unlock monitoring (package watch, alerts) and higher rate limits.
What ecosystems does proof-of-commitment support?
It supports npm (Node.js), PyPI (Python), Rust crates, Go modules, and GitHub repositories.
What does a CRITICAL score mean?
A CRITICAL score indicates a package with a sole npm publisher and more than 10 million weekly downloads — a profile matching the axios token theft attack in March 2026.
How is data fetched in the MCP server?
The server uses a streamable‑HTTP backend (https://poc-backend.amdal-dev.workers.dev/mcp) that queries the same API used by the CLI and web demo. No local data storage is required.
其他 分类下的更多 MCP 服务器
Mcp
browsermcpBrowser MCP is a Model Context Provider (MCP) server that allows AI applications to control your browser
ghidraMCP
LaurieWiredMCP Server for Ghidra
Inbox Zero AI
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.
Website
FunnyWolfAdversary simulation and Red teaming platform with AI
Codelf
unbugA search tool helps dev to solve the naming things problem.
评论