Evidence-backed MCP server risk signal catalog and local CLI.

mcp-risk-index

An open risk index for common MCP servers, permissions, commands, and maintenance signals.

Status

v0.3.0 - local catalog validation, strict review checks, and rendering CLI.

Purpose

Convert mcp-audit rule experience into a reusable public data asset without unsupported claims.

First Production Surface

Versioned data catalog with evidence-backed entries and a deterministic local CLI.

After PyPI publication:

python3 -m pip install xone-mcp-risk-index
mcp-risk-index init --output mcp-risk-index.catalog.yml
mcp-risk-index validate --catalog mcp-risk-index.catalog.yml --strict
mcp-risk-index render --catalog mcp-risk-index.catalog.yml --format markdown --output mcp-risk-index.md
mcp-risk-index render --catalog mcp-risk-index.catalog.yml --format json --output mcp-risk-index.json

After Homebrew tap update:

brew install x-one-ai/tap/mcp-risk-index
mcp-risk-index --version

From a source checkout, you can also validate the bundled catalog:

mcp-risk-index validate --catalog data/catalog.yml --strict
mcp-risk-index render --catalog data/catalog.yml --format markdown --output mcp-risk-index.md
mcp-risk-index render --catalog data/catalog.yml --format json --output mcp-risk-index.json

For local development:

python3 -m pip install -e '.[dev]'
python3 -m pytest tests -q

Catalog Contract

The bundled catalog uses mcp-risk-index.catalog.v1. Each entry records identity, package, launch command, permissions, maintenance facts, review-level risk signals, evidence, and limitations.

Review levels are prompts for human inspection:

  • info: useful context
  • review: inspect before adoption
  • high-review: require explicit owner approval

They are not safety scores.

Strict validation requires production review governance fields such as maintenance.source_checked_at and a GitHub repository source.
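A sketch of the strict checks described above, added here as an illustration; it is not the project's validator. Only the schema id, the three review levels and maintenance.source_checked_at come from this page. The other field names (schema, entries, id, repository, signals, level, evidence), the ISO date format and the sample catalog are assumptions made for the example.

```python
from datetime import datetime
from urllib.parse import urlparse

SCHEMA = "mcp-risk-index.catalog.v1"               # schema id from the page
REVIEW_LEVELS = ("info", "review", "high-review")  # review levels from the page

def strict_problems(catalog):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if catalog.get("schema") != SCHEMA:  # "schema" key name is hypothetical
        problems.append(f"catalog: unexpected schema {catalog.get('schema')!r}")
    for entry in catalog.get("entries", []):  # hypothetical entry layout
        name = entry.get("id", "<no id>")
        # Governance field named on the page; the ISO date format is an assumption.
        checked = entry.get("maintenance", {}).get("source_checked_at")
        try:
            datetime.strptime(str(checked), "%Y-%m-%d")
        except ValueError:
            problems.append(f"{name}: maintenance.source_checked_at missing or not a date")
        # Compare the parsed hostname exactly; a substring test would accept
        # lookalike hosts such as github.com.example.invalid.
        url = urlparse(str(entry.get("repository", "")))
        if url.scheme != "https" or url.hostname != "github.com":
            problems.append(f"{name}: repository is not an https://github.com source")
        for signal in entry.get("signals", []):
            # Anything outside the three levels (e.g. a "safe" label) is rejected.
            if signal.get("level") not in REVIEW_LEVELS:
                problems.append(f"{name}: unknown review level {signal.get('level')!r}")
            if not signal.get("evidence"):
                problems.append(f"{name}: signal has no evidence link")
    return problems

# Constructed sample catalog: the first entry passes, the second fails every check.
SAMPLE = {"schema": SCHEMA, "entries": [
    {"id": "example-files-server",
     "repository": "https://github.com/example-org/example-files-server",
     "maintenance": {"source_checked_at": "2025-01-15"},
     "signals": [{"level": "high-review",
                  "evidence": ["https://github.com/example-org/example-files-server"]}]},
    {"id": "example-lookalike",
     "repository": "https://github.com.example.invalid/org/repo",
     "maintenance": {},
     "signals": [{"level": "safe", "evidence": []}]},
]}

if __name__ == "__main__":
    for problem in strict_problems(SAMPLE):
        print(problem)
```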

Required Evidence

  • server identity
  • permission profile
  • command/package signals
  • maintenance signals
  • evidence links

Non-Goals

  • no subjective ranking without evidence
  • no broad repo health clone
  • no security claims without criteria
  • no absolute safe/unsafe labels

OPT Operating Model

This project references the shared One Person Team workflow through ops/opt-overlay.md. Project-specific constraints live under ops/constraints, and evolvable local skills live under ops/skills.

Blocked Inputs

Inputs that require user or real-world data are recorded in ../x-one-skipped-inputs.md and should not block foundation work.

Download files

Source Distribution

xone_mcp_risk_index-0.3.0.tar.gz (24.5 kB)

Uploaded Source

Built Distribution

xone_mcp_risk_index-0.3.0-py3-none-any.whl (9.1 kB)

Uploaded Python 3

File details

Details for the file xone_mcp_risk_index-0.3.0.tar.gz.

File metadata

  • Download URL: xone_mcp_risk_index-0.3.0.tar.gz
  • Upload date:
  • Size: 24.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for xone_mcp_risk_index-0.3.0.tar.gz
Algorithm Hash digest
SHA256 a9e3834cfd9d108efa25d6b69512306d56a89184110fc54eca4413e9f10ad809
MD5 f1bf8136cdffbec721600aae0757ed3b
BLAKE2b-256 2e4cd976ab13a2cbf7a043f0a5868eb3662e4bab365830d23882f7b637502224

Provenance

The following attestation bundles were made for xone_mcp_risk_index-0.3.0.tar.gz:

Publisher: publish.yml on X-One-AI/mcp-risk-index

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file xone_mcp_risk_index-0.3.0-py3-none-any.whl.

File hashes

Hashes for xone_mcp_risk_index-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9e6a105209a42a2e71a1bedebc267b091b62570686dd06937d4a0e06f7553f00
MD5 b4f756b40ce3c5f84762c125733e4b8f
BLAKE2b-256 754fabc8f678adbed1ae5937b67d105af381bc3fd877c735f22c72340e634fa3

Provenance

The following attestation bundles were made for xone_mcp_risk_index-0.3.0-py3-none-any.whl:

Publisher: publish.yml on X-One-AI/mcp-risk-index

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
