Enterprise DNA
M MCP Servers Developer low

piiiico/proof-of-commitment

by Various

Supply chain risk scorer for npm and PyPI — single-maintainer CRITICAL flags before attacks happen

P

MCP

piiiico/proof-of-commitment

Added 1 June 2026

#audit #cargo #cli #dependencies #github-action #go #golang #mcp

Overview

Proof of Commitment is a supply chain risk scorer for npm and PyPI packages. It flags single-maintainer packages marked as CRITICAL before attacks occur, using TypeScript to analyze maintainer risk.

Best for

Best for
Developers and security teams vetting dependencies in npm or PyPI projects

Use cases

  • Audit npm dependencies for single-maintainer critical packages
  • Scan PyPI packages for supply chain risk before deployment
  • Integrate risk scoring into CI/CD pipelines

How to use

Install

npx -y @smithery/cli install proof-of-commitment --client claude

Tools exposed

  • packages-file
  • fail-on-critical
  • max-packages
  • include-dev-dependencies
  • comment-on-pr
  • api-key
  • api-url
  • audit_dependencies
  • audit_github_repo
  • audit_dependency_tree
  • lookup_npm_package
  • lookup_pypi_package
  • lookup_cargo_crate
  • lookup_go_module
  • lookup_github_repo
  • lookup_business
  • lookup_business_by_org
  • query_commitment
  • get_api_key

Tested with

Claude Desktop, Claude Code, Cursor, Windsurf, VS Code

Notes

Proof of Commitment is a supply chain risk scorer for npm and PyPI packages. It flags single-maintainer packages marked as CRITICAL before attacks occur, using TypeScript to analyze maintainer risk.

5 stars on GitHub. Last updated 2026-05-29. Licensed MIT.

Use cases

  • Audit npm dependencies for single-maintainer critical packages
  • Scan PyPI packages for supply chain risk before deployment
  • Integrate risk scoring into CI/CD pipelines

Pros

  • Proactive risk detection for single-maintainer critical packages
  • Supports both npm and PyPI ecosystems
  • Lightweight TypeScript implementation

Cons

  • Limited to single-maintainer risk, not broader supply chain threats
  • Only 5 GitHub stars, indicating early-stage adoption
  • No clear update frequency or maintenance guarantees

Indexed from awesome-mcp-servers-punkpeye and enriched against its public facts.

Pros

  • Proactive risk detection for single-maintainer critical packages
  • Supports both npm and PyPI ecosystems
  • Lightweight TypeScript implementation

Cons

  • Limited to single-maintainer risk, not broader supply chain threats
  • Only 5 GitHub stars, indicating early-stage adoption
  • No clear update frequency or maintenance guarantees
Free 27-page guide

Get the free Developer’s Field Guide

A 27-page field guide to the AI coding workflow with Claude. Claude Code, MCP servers, the prompt patterns that work, and what to delegate. Free.

Enter your work email. We send it straight over, plus a few short notes worth knowing. Unsubscribe any time.

No spam. Unsubscribe any time.

Running a business, not writing the code? See the MCP servers picked for operators, and get your first one wired up with us.

Operator picks