MCP package manager with trust scoring. Search, install, and audit MCP servers.
The MCP package manager that guards your AI's tools at runtime -- search, install, audit, and inspect every MCP server from your terminal. The risky part of an MCP server doesn't show up at install -- it shows up while your agent is running: prompt injection hidden in a tool's output, a server that quietly rewrites its tools after you approved them, a sampling request that smuggles instructions…
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.
The MCP package manager that guards your AI's tools at runtime -- search, install, audit, and inspect every MCP server from your terminal. The risky part of an MCP server doesn't show up at install -- it shows up while your agent is running: prompt injection hidden in a tool's output, a server that quietly rewrites its tools after you approved them, a sampling request that smuggles instructions into your model. mcpm scores every install for hardcoded secrets, prompt injection, and typosquatting…