Model Context Protocol / MCP

Model Context Protocol Servers

Protocols & Tool Integration TypeScript Grade C Listed NOASSERTION
Compare → Suggest correction
Listing state
Listed
HVTrust
62.4/100 · Grade C
Evidence coverage
Grade B · 3/5 signals
Last push
2026-07-10 · 1d ago
Recent change
Activity

Is Model Context Protocol / MCP safe? Model Context Protocol / MCP scores 62.4/100 (Grade C), ranked #141 of 328 tracked open-source AI agent projects, on evidence coverage B (3 of 5 independent signal types). The public evidence: no package-provenance attestation found; OSSF Scorecard rates its supply-chain practices 6.8/10; 78% of recent commits are signed; last pushed 2026-07-10. Every point is earned from checkable signals — never paid placement. How scoring works →

Quick Trust Read

Verdict
Promising trust profile, but some evidence still deserves review.
62.4/100 · Grade C
Strongest Signal
Transparency
14.3/17
Weakest Signal
Safety / Integrity
12.4/25
What Would Improve It
Publish package provenance or release attestations for stronger supply-chain evidence.
Recent Changes
2026-07-04
Activity Score Changed
Activity score up 5pts (85 → 90)
2026-06-29
Rank Moved
Rank rose 12 spots (#158 → #146)
2026-06-24
Rank Moved
Rank dropped 11 spots (#145 → #156)
Maintainer Checklist
Raise Scorecard signals Current OSSF Scorecard is 6.8/10. Tighten the weakest checks to improve public safety evidence.
Publish provenance Add package provenance or release attestations so users can verify where shipped artifacts came from.
91.0
Activity Score · out of 100
62.4
HVTrust Score · out of 100
#141
Global Rank · of 328
#14

How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption. Grade C reflects the trust score band: A ≥ 80, B ≥ 65, C ≥ 50, D < 50. Evidence coverage B is separate — it grades how many independent signal types back the score (3 of 5), so a high score on thin evidence stays visible. Full methodology →

Signals refreshed 2026-07-11 04:00 UTC · Repo last pushed yesterday

Rank Trend

2026-07-05 2026-07-11

Activity & Reach

Stars
88.3k
Forks
11.2k
Last Push
2026-07-10
yesterday
Commits (4 wk)
25?
Downloads (7d)
HN mentions (30d)
2
Open Issues
379
Rank Change
▲1
was #142

Analysis

HVTrust Dimensions

62.4 / 100 · 100.0% confidence
Safety / IntegrityOSSF, provenance, signatures
12.4 / 25
Identity / ProvenanceListing and build link
10.8 / 18
TransparencyLicense and public checks
14.3 / 17
MaintenanceFreshness and commits
14.8 / 20
AdoptionStars and downloads
11.9 / 20

Activity Inputs

91.0 / 100
StarsRepository reach
29.7 / 30
FreshnessLast push recency
24.9 / 25
ActivityRecent commits
17.6 / 25
CommunityFork signal
18.8 / 20

Supply Chain Trust

Package Provenance
None
No package attestations found
OSSF Scorecard
6.8 / 10
OpenSSF Scorecard · scanned Jul 10, 2026
Signed Commits
78%
of last 100 commits verified
Binary-Artifacts 10
Branch-Protection 6
CI-Tests 10
CII-Best-Practices 0
Code-Review 9
Contributors 10
Dangerous-Workflow 10
Dependency-Update-Tool 10
Fuzzing 0
License 9
Maintained 10
Packaging 10
Pinned-Dependencies 2
SAST 5
Security-Policy 10
Signed-Releases -1
Token-Permissions 0
Vulnerabilities 3

Is Model Context Protocol / MCP safe?

Model Context Protocol / MCP has a mixed signal profile. Some trust indicators are present, others are missing. Whether it is safe for your use case depends on which gaps matter to you — review the breakdown below before adopting in production.
Does Model Context Protocol / MCP publish package provenance?
No published build provenance is currently detected for Model Context Protocol / MCP. This is common for open-source projects but means consumers cannot independently verify that the package on the registry matches the GitHub source.
Does Model Context Protocol / MCP have an OpenSSF Scorecard?
Model Context Protocol / MCP has an OpenSSF Scorecard score of 6.8/10. The Scorecard checks for branch protection, signed releases, dependency updates, fuzzing, code review, and other supply-chain hygiene items. See the full check breakdown on this page.
Is Model Context Protocol / MCP actively maintained?
Actively maintained. The repository was pushed to within the last 1 day(s).
What license does Model Context Protocol / MCP use?
Model Context Protocol / MCP ships under NOASSERTION. A declared, OSI-approved license is one of the transparency signals HVTrust scores.
Are Model Context Protocol / MCP's commits signed?
78% of the last 100 commits to Model Context Protocol / MCP are verified-signed (GPG, SSH, S/MIME, or GitHub's signing flow). Signed commits help confirm that code was authored by who the commit claims.

Not a safety endorsement. HVTracker describes what public signals show, not whether a project is safe for your use case. Run your own security review before adopting in production.

Ranked neighbours in Protocols & Tool Integration

AI agent surface

Scored in HVTrust

These runtime-trust fields — detected from public repo docs and manifests — contribute a bounded adjustment to this project's HVTrust score alongside supply-chain evidence. The exact values each field can add or subtract are documented in the methodology → Compare this surface across every listed agent in the capability matrix →

MCP Server Support
high confidence
Implemented
Model Context Protocol / MCP appears to expose MCP server capabilities.
Detailed evidence is not shown in the public view.
External Service Dependencies
high confidence
5 detected
Public provider/service dependencies detected.
Credential signal: No explicit API-key/config marker detected.
Tool / Plugin Surface
high confidence
Declared
Declared plugin/integration surface detected.
  • browser
  • code
  • database
  • filesystem
  • search
Detailed evidence is not shown in the public view.
Package Provenance Drift
N/A
No package source configured
Detailed evidence is not shown in the public view.
  • MCP signal live
  • External deps live
  • Tool / plugin surface live
  • Package provenance drift live
How this surface has changed

Detected changes to Model Context Protocol / MCP's runtime surface and supply-chain posture, from daily public-signal snapshots. A change here means our detectors see something different — a genuinely changed capability, or better evidence of an existing one.

2026-06-05
Tool Surface Changed
Detected tool/plugin surface changed: none → declared
2026-06-05
Provider Added
Runtime surface grew — new detected provider dependencies: Amazon Bedrock, Anthropic, Brave Search, Postgres, Redis
2026-06-05
Mcp Status Changed
Detected MCP server support changed: none → implemented

Maintain Model Context Protocol / MCP?

HVTrust scores Model Context Protocol / MCP from public signals only — we never contact maintainers first. If a signal is wrong, stale, or missing (provenance you publish, a Scorecard you run, signed releases), tell us and we'll review it. Corrections are public and tracked on GitHub.

Reputation Timeline

HVTrust 2Grade 2Score 2Rank 2Listed 1Scorecard 1MCP 1Surface 1Surface 1
2026-07-04
Activity Score Changed
Activity score up 5pts (85 → 90)
2026-06-29
Rank Moved
Rank rose 12 spots (#158 → #146)
2026-06-24
Rank Moved
Rank dropped 11 spots (#145 → #156)
2026-06-05
Tool Surface Changed
Detected tool/plugin surface changed: none → declared
2026-06-05
Provider Added
Runtime surface grew — new detected provider dependencies: Amazon Bedrock, Anthropic, Brave Search, Postgres, Redis
2026-06-05
Mcp Status Changed
Detected MCP server support changed: none → implemented
2026-06-04
Grade Changed
Trust grade C → B
2026-05-29
HVTrust Changed
HVTrust up 9.9pts (54.5 → 64.4)
2026-05-28
Activity Score Changed
Activity score up 13pts (73 → 86)
2026-05-27
Scorecard Added
OSSF Scorecard: 6.4/10
2026-05-27
Grade Changed
Trust grade D → C
2026-05-27
HVTrust Changed
HVTrust up 26.3pts (27.5 → 53.8)
2026-05-25
Newly Listed
First tracked at rank #26

Embed Badge Badge guide for maintainers →

HVTrust 62.4 Grade C
Markdown:
[![HVTrust](https://hvtracker.net/badge/model-context-protocol-mcp.svg)](https://hvtracker.net/agents/model-context-protocol-mcp)
HTML:
<a href="https://hvtracker.net/agents/model-context-protocol-mcp"><img src="https://hvtracker.net/badge/model-context-protocol-mcp.svg" alt="HVTrust"></a>

Other agents in Protocols & Tool Integration

Data sources
GitHub REST API (repo, commits, stars, forks, license) · OpenSSF Scorecard CLI · Algolia HN Search API
Each agent's signals refresh once daily across 6 staggered batches. Methodology v4.2 · Raw JSON