PkgRadar

Package evidence

@mcp-use/[email protected]

Large Javascript Payload: 3037664 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
40,106Mainstream · −50% score
Versions published
500Established · −30% score
First published
Oct 2025
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mcp-use/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mcp-use/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes3,903,418
Previous version7.0.0-canary.20
Published2026-05-27T18:04:54.635Z
SHA-2560fb794780dcda2d2154ec616e9363b683adb75c7cc6200a72222b6f5b590adea

Why flagged

What the scanner saw

Large Javascript Payload: 3037664 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
6Score
7.0.0-canary.21Version
Status history (1 event)
  1. newavailable · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/web/assets/index-53RzvJuE.js3037664 bytes10
mediumLarge Javascript Payloadpackage/dist/cdn/inspector.js5619566 bytes10

Manifest

Package metadata

Scripts34
  • buildnpm run build:client && npm run build:client-exports && npm run build:server && npm run build:cli && npm run build:cdn
  • build:cdnvite build --config vite.cdn.config.ts
  • build:clitsup src/server/cli.ts --format esm --out-dir dist/
  • build:clientvite build
  • build:client-exportstsup --config tsup.client.ts && tsc -p tsconfig.client.json --emitDeclarationOnly --declaration
  • build:servertsup src/server/*.ts --format esm --out-dir dist/server && tsc -p tsconfig.server.json --emitDeclarationOnly --declaration
  • devconcurrently "npm run dev:client" "npm run dev:server"
  • dev:clientrimraf node_modules/.vite && vite --port 3000
  • dev:serverVITE_DEV=true tsx watch src/server/server.ts
  • dev:standalonetsx watch src/server/server.ts
  • install:npmnpm install
  • install:pnpmpnpm install
  • install:yarnyarn install
  • linteslint .
  • lint:fixeslint . --fix
  • lint:npmnpm run lint:fix
  • lint:pnpmpnpm lint:fix
  • lint:yarnyarn eslint . --fix
  • previewvite preview
  • startnode dist/server/server.js
  • test:e2eplaywright test
  • test:e2e:builtinnode tests/e2e/scripts/run-test-matrix.mjs builtin
  • test:e2e:codegenplaywright codegen http://localhost:3000/inspector
  • test:e2e:debugplaywright test --debug
  • test:e2e:mixnode tests/e2e/scripts/run-test-matrix.mjs mix
  • test:e2e:prodnode tests/e2e/scripts/run-test-matrix.mjs prod
  • test:e2e:prod:uiTEST_MODE=production playwright test --ui
  • test:e2e:pythonnode tests/e2e/scripts/run-python-e2e.mjs
  • test:e2e:reportplaywright show-report
  • test:e2e:tunnelnode tests/e2e/scripts/run-tunnel-test.mjs
  • …and 4 more.
Dependencies33
  • @hono/node-server^1.19.13
  • @modelcontextprotocol/ext-apps^1.0.1
  • @modelcontextprotocol/sdk^1.26.0
  • @paper-design/shaders-react^0.0.72
  • @radix-ui/react-alert-dialog^1.1.15
  • @radix-ui/react-avatar^1.1.11
  • @radix-ui/react-checkbox^1.3.3
  • @radix-ui/react-dialog^1.1.15
  • @radix-ui/react-dropdown-menu^2.1.16
  • @radix-ui/react-label^2.1.8
  • @radix-ui/react-popover^1.1.15
  • @radix-ui/react-select^2.2.6
  • @radix-ui/react-switch^1.2.6
  • @radix-ui/react-tooltip^1.2.8
  • @scarf/scarf^1.4.0
  • @tailwindcss/vite^4.2.0
  • @types/react-syntax-highlighter^15.5.13
  • class-variance-authority^0.7.1
  • clsx^2.1.1
  • cmdk^1.1.1
  • hono^4.12.12
  • lucide-react^0.562.0
  • markdown-to-jsx^9.7.4
  • mcp-use1.29.0-canary.21
  • motion^12.34.2
  • next-themes^0.4.6
  • open^11.0.0
  • posthog-node^5.24.17
  • react-resizable-panels^4.6.4
  • react-syntax-highlighter^16.1.0
  • …and 3 more.