io.github.piiiico/proof-of-commitment

MCPcommunity
v1.31.1io.github.piiiicoUnknownUpdated 20d agonpmGitHub

Supply chain risk scoring for npm, PyPI, Cargo, and Go. 9 tools. Behavioral signals.

Stars lie. Behavioral signals don't. An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals that are harder to fake than stars, READMEs, or download counts. flags none of these. They're not vulnerabilities — they're attack-surface concentration. One stolen npm token, one phished maintainer, and a single push…

Automatically indexed from public sources. Not yet verified by the developer on Forge.Claim this listing →
20d agoLast update
Package
Authorio.github.piiiico
LicenseUnknown
Version1.31.1
Sourcemcp-registry
Trust Status
A
95/100Trusted
Listed in Forge index+10/10
Publisher identity verified+0/25
Publisher: run `forge publish` from the package repo to claim ownership
Ed25519 publish signature+0/10
Included automatically when the publisher runs `forge publish`
Domain verification+0/5
Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
CVE scan · clean+30/30
Static analysis · clean+20/20
npm provenance (Sigstore)+5/5
Paste into Claude Code, Cursor, or any AI assistant to fix all gaps
StatusCommunity-indexed
PublisherUnverified
SignatureUnsigned
Domain
Provenance✓ Sigstore-verified · 77f585d
Dependencies0 resolved · none vulnerable
Tool surface
Security scan✓ Cleanv1.31.1 · 20d ago
EvalsNone
IndexedJun 13, 2026

Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.

About

Stars lie. Behavioral signals don't. An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals that are harder to fake than stars, READMEs, or download counts. flags none of these. They're not vulnerabilities — they're attack-surface concentration. One stolen npm token, one phished maintainer, and a single push reaches the whole ecosystem (axios, March 30 2026 — happened). 26 of the 91 npm packages with >10M…

Keywords
mcp