An independent, evidence-based trust comparison of Composio and MCP TypeScript SDK, two Protocols & Tool Integration projects in the HVTracker registry. Scores come from public, checkable signals — supply-chain provenance, OSSF Scorecard, maintenance, and adoption — not popularity.
| Signal | Composiocomposiohq/composio | MCP TypeScript SDKmodelcontextprotocol/typescript-sdk |
|---|---|---|
| HVTrust score | 87.5 | 84.8 |
| Evidence grade | A | A |
| Overall rank | #42 | #44 |
| Rank in Protocols & Tool Integration | #2 | #3 |
| GitHub stars | 29.1k | 12.8k |
| Last updated | today | today |
| Build provenance | No | No |
| OSSF Scorecard | 5.8 / 10 | 6.3 / 10 |
| License | MIT | NOASSERTION |
| Downloads | 103k/wk | — |
| Trust dimensions (points earned) | ||
| Safety / integrity / 25 | 11.6 | 12.9 |
| Identity & provenance / 20 | 10.8 | 10.8 |
| Transparency / 17 | 13.4 | 13.9 |
| Maintenance / 20 | 20.0 | 19.1 |
| Adoption / 20 | 17.4 | 9.9 |
How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption, scaled by an evidence-confidence factor. Grade bands: A ≥ 80, B ≥ 65, C ≥ 50, D < 50. Signals refresh daily. Full methodology v4.0 →