Trust Status
✓ Listed in Forge index +10/10
— Publisher identity verified +0/25
→ Publisher: run `forge publish` from the package repo to claim ownership
— Ed25519 publish signature +0/10
→ Included automatically when the publisher runs `forge publish`
— Domain verification +0/5
→ Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
✓ Static analysis · clean +20/20
— npm provenance (Sigstore) +0/5
→ Publish from GitHub Actions with the --provenance flag
Copy AI prompt → Paste into Claude Code, Cursor, or any AI assistant to fix all gaps
Status Community-indexed
Publisher Unverified
Signature Unsigned
Domain —
Provenance —
Dependencies 60 resolved · 2 with advisories
Tool surface 6 tools · none privileged
Security scan ⚠ Warnings (0) v1.0.0 · 20d ago
DEP @modelcontextprotocol/sdk@1.18.2 GHSA-345p-7cg4-v4c7, GHSA-8r9q-7v3j-jr4g, GHSA-w48q-cv73-mx4w (transitive)
DEP mcp-handler@1.0.2 GHSA-w2fm-25vw-vh7f (transitive)
Evals None
Indexed Jun 13, 2026
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.