How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption. Grade B reflects the trust score band: A ≥ 80, B ≥ 65, C ≥ 50, D < 50. Full methodology →
Signals refreshed2026-06-04 20:15 UTC·Repo last pushed today
Rank Trend
2026-05-252026-06-04
Activity & Reach
Stars
86.7k
Forks
10.9k
Last Push
2026-06-04
today
Commits (4 wk)
13
Downloads (7d)
—
HN mentions (30d)
7
Open Issues
491
Rank Change
▼8
was #88
Analysis
HVTrust Dimensions
65.0 / 100 · 100.0% confidence
Safety / IntegrityOSSF, provenance, signatures
11.8 / 25
Identity / ProvenanceListing and build link
10.8 / 18
TransparencyLicense and public checks
13.9 / 17
MaintenanceFreshness and commits
16.6 / 20
AdoptionStars and downloads
11.9 / 20
Activity Inputs
87.7 / 100
StarsRepository reach
29.6 / 30
FreshnessLast push recency
25.0 / 25
ActivityRecent commits
14.3 / 25
CommunityFork signal
18.8 / 20
Supply Chain Trust
Package Provenance
None
No package attestations found
OSSF Scorecard
6.4 / 10
via deps.dev · OpenSSF
Signed Commits
75%
of last 100 commits verified
Binary-Artifacts10
Branch-Protection6
CI-Tests9
CII-Best-Practices0
Code-Review10
Contributors10
Dangerous-Workflow10
Dependency-Update-Tool10
Fuzzing0
License9
Maintained10
Packaging10
Pinned-Dependencies2
SAST0
Security-Policy10
Signed-Releases-1
Token-Permissions0
Vulnerabilities0
Is Model Context Protocol / MCP safe?
Model Context Protocol / MCP has a mixed signal profile. Some trust indicators are present, others are missing. Whether it is safe for your use case depends on which gaps matter to you — review the breakdown below before adopting in production.
Does Model Context Protocol / MCP publish package provenance?
No published build provenance is currently detected for Model Context Protocol / MCP. This is common for open-source projects but means consumers cannot independently verify that the package on the registry matches the GitHub source.
Does Model Context Protocol / MCP have an OpenSSF Scorecard?
Model Context Protocol / MCP has an OpenSSF Scorecard score of 6.4/10. The Scorecard checks for branch protection, signed releases, dependency updates, fuzzing, code review, and other supply-chain hygiene items. See the full check breakdown on this page.
Is Model Context Protocol / MCP actively maintained?
Actively maintained. The repository was pushed to within the last 1 day(s).
What license does Model Context Protocol / MCP use?
Model Context Protocol / MCP ships under NOASSERTION. A declared, OSI-approved license is one of the transparency signals HVTrust scores.
Are Model Context Protocol / MCP's commits signed?
75% of the last 100 commits to Model Context Protocol / MCP are verified-signed (GPG, SSH, S/MIME, or GitHub's signing flow). Signed commits help confirm that code was authored by who the commit claims.
Not a safety endorsement. HVTracker describes what public signals show, not whether a project is safe for your use case. Run your own security review before adopting in production.
HVTrust currently scores supply-chain signals. We're adding runtime trust next: what an agent actually does when it runs — what it can reach, which tools it carries, what external services it depends on. Track progress on the roadmap →
MCP support
Tool / plugin surface
External service deps
Package provenance drift
Maintain Model Context Protocol / MCP?
HVTrust scores Model Context Protocol / MCP from public signals only — we never contact maintainers first. If a signal is wrong, stale, or missing (provenance you publish, a Scorecard you run, signed releases), tell us and we'll review it. Corrections are public and tracked on GitHub.
Data sources
GitHub REST API (repo, commits, stars, forks, license) · OSSF Scorecard via deps.dev · Algolia HN Search API
Each agent's signals refresh once daily across 6 staggered batches. Methodology v3.1 · Raw JSON
