Independent safety audit of the MCP server ecosystem · by PulseFeed
Thousands of MCP servers ship with almost no vetting — and a bad one can run arbitrary code on your machine or exfiltrate data. Before you connect your AI agent to an MCP server, check it. We audit maintenance, install-script risk, provenance, abandonment and liveness.
npm servers get deep signals; remote servers get liveness + HTTPS only (can't fully verify a black-box remote).
install_script = arbitrary code on npm i; abandoned = stale; unreachable = dead remote.
| Server | Type | npm dl/wk | Trust |
|---|---|---|---|
| ai | npm | 15,141,589 | 100 |
| @ai-sdk/mcp | npm | 1,288,697 | 100 |
| @storybook/mcp | npm | 1,519,768 | 100 |
| @storybook/addon-mcp | npm | 1,257,803 | 100 |
| @assistant-ui/react | npm | 1,154,251 | 100 |
| @copilotkit/aimock | npm | 590,679 | 100 |
| fallow | npm | 442,064 | 100 |
| add-mcp | npm | 180,234 | 100 |
| eve | npm | 229,367 | 100 |
| @modelcontextprotocol/server | npm | 137,213 | 100 |
| figma-developer-mcp | npm | 75,862 | 100 |
| n8n-mcp | npm | 87,920 | 100 |
| @raishin/vanguard-frontier-agentic | npm | 150,574 | 100 |
| @sap-ux/fiori-docs-embeddings | npm | 107,263 | 100 |
| @notionhq/notion-mcp-server | npm | 125,682 | 100 |
GET /mcp/verify?package=<npm-name> — free. Returns a safety verdict, score and flags (install scripts, abandonment, provenance, license, repo).Methodology: PulseFeed discovers servers from the official MCP registry, audits each via npm metadata (install scripts, provenance, license, downloads, freshness) and liveness for remotes. Same independent-audit approach as our x402 trust oracle. Machine-readable: /mcp.json. Updated daily.