Metadata-Version: 2.4
Name: weiseer-mcp-doctor
Version: 0.1.0
Summary: Install-time supply-chain trust gate for MCP servers. PASS/WARN/BLOCK with cited evidence. Open-source rubric.
Author-email: weiseer <wei@weiseer.com>
License: Apache-2.0
Project-URL: Homepage, https://github.com/weiseer/mcp-doctor
Project-URL: Source, https://github.com/weiseer/mcp-doctor
Project-URL: Issues, https://github.com/weiseer/mcp-doctor/issues
Project-URL: Live API, https://api.weiseer.com
Project-URL: Open Rubric, https://github.com/weiseer/mcp-doctor/blob/main/rubric.yaml
Keywords: mcp,model-context-protocol,security,supply-chain,trust,ai-agent,weiseer
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: pyyaml>=6.0

# weiseer-mcp-doctor

> Install-time supply-chain trust gate for MCP servers. PASS / WARN / BLOCK + cited evidence.

[![npm version](https://img.shields.io/npm/v/@weiseer/mcp-doctor)](https://www.npmjs.com/package/@weiseer/mcp-doctor) [![GitHub](https://img.shields.io/github/stars/weiseer/mcp-doctor?style=social)](https://github.com/weiseer/mcp-doctor)

Python port of `@weiseer/mcp-doctor`. Same open-source rubric, same scoring. For users who prefer `pip install` and Python-based CI integrations.

## Install

```bash
pip install weiseer-mcp-doctor
```

## Use

```bash
# Single package
mcp-doctor @some/package

# Multiple
mcp-doctor zod @modelcontextprotocol/sdk @anthropic-ai/sdk

# JSON output (for CI)
mcp-doctor --json @some/package
```

## What gets scored

20+ signals across 4 categories:

- **Supply chain hygiene** — postinstall scripts, unpinned deps, missing provenance, repo URL integrity
- **Maintainer health** — release cadence, archive status, bus factor, GitHub last-push age
- **Known vulnerabilities** — direct + transitive CVE via OSV.dev
- **MCP-specific risk** — typosquat against official servers, hardcoded credentials, capability misdeclaration

Full open-source rubric: [github.com/weiseer/mcp-doctor/blob/main/rubric.yaml](https://github.com/weiseer/mcp-doctor/blob/main/rubric.yaml)

## Exit codes

- `0` — all PASS or WARN
- `1` — at least one BLOCK
- `2` — invalid usage

Useful in CI:

```yaml
- run: pip install weiseer-mcp-doctor
- run: mcp-doctor @x/server-foo @y/server-bar
```

## Why this exists

The MCP ecosystem has had several recent supply-chain incidents (MCPwn CVE-2026-33032, Atlassian MCP RCE, Shai-Hulud worm stealing auth tokens from 172 npm packages). mcp-doctor is the developer-friendly install gate, with the methodology open for audit.

A 200-package validation run is live at https://api.weiseer.com/dataset/scan_200.json. 3 BLOCK findings including 1 hardcoded LLM API key.

## License

Apache-2.0. Rubric: open-source, fork-friendly.

## Author

- wei@weiseer.com
- [github.com/weiseer](https://github.com/weiseer)
