Package evidence

@mcpjam/[email protected]

Credential file access: matched ".azure\\"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,717Niche · −30% score
Versions published: 210Mature · −50% score
First published: May 2025
Publisher: mcpjam-founders

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mcpjam/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mcpjam/[email protected]"],"fail_on":"review"}'

Publishermcpjam-founders

Artifact bytes15,102,069

Previous version2.9.3

Published2026-06-03T18:28:45.853Z

SHA-256578359b8b8338d751c1f6581b1b0c11bb0f499585c0ff7953de02a99e8ce7314

Why flagged

What the scanner saw

Credential file access: matched ".azure\\"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

9d agoLast checked

reviewRisk

2Score

2.9.4Version

Status history (1 event)

new → available9d ago · risk review · score 2 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/server/index.js	matched ".azure\\"	5
low	Large Javascript Payload	package/dist/client/assets/index-B8Xca334.js	6069945 bytes	0

Manifest

Package metadata

Scripts46

buildnpm run clean && npm run build:sdk && npm run bundle:sandbox-proxies && npm run build:lib && npm run build:client && npm run build:server
build:clientvite build --config client/vite.config.ts
build:client:cleanrm -rf node_modules/.vite && FORCE_OPTIMIZE=true vite build --config client/vite.config.ts
build:libtsup --config lib/tsup.config.ts
build:sdknpm run sdk:build
build:servertsup --config server/tsup.config.ts
bundle:chatgptnpm --prefix ../sdk run bundle:chatgpt-runtime
bundle:mcp-appsnpm --prefix ../sdk run bundle:mcp-apps-runtime
bundle:sandbox-proxiesnode scripts/bundle-sandbox-proxy-html.js
cleanrm -rf dist out .vite client/dist
clean:allrm -rf dist out .vite client/dist node_modules sdk/node_modules
deps:cinpm --prefix .. ci --legacy-peer-deps --cache .npm-cache
devrun-script-os
dev:clientvite --config client/vite.config.ts
dev:client:cleanrm -rf node_modules/.vite && FORCE_OPTIMIZE=true vite --config client/vite.config.ts
dev:convexconvex dev
dev:defaultconcurrently "npm run dev:server" "npm run dev:client"
dev:hostedcross-env VITE_MCPJAM_HOSTED_MODE=true WEB_ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173 npm run dev
dev:servercross-env ENVIRONMENT=dev NODE_ENV=development tsx watch --tsconfig server/tsconfig.json --include 'evals-cli/src/**/*.ts' --exclude 'evals-cli/dist/**' --exclude 'evals-cli/node_modules/**' server/index.ts
dev:win32concurrently --raw "npm run dev:server" "npm run dev:client"
dev:worktreenode scripts/dev-worktree.mjs
docker:builddocker build -t mcpjam/mcp-inspector:local -f Dockerfile ..
docker:devnpm run docker:stop; npm run docker:build && npm run docker:start
docker:startdocker run -d -p 127.0.0.1:6274:6274 --name mcp-inspector --pull=never mcpjam/mcp-inspector:local
docker:stopdocker stop mcp-inspector && docker rm mcp-inspector || true
electron:develectron-forge start
electron:installkillall 'MCPJam Inspector' 2>/dev/null || true && rm -rf '/Applications/MCPJam Inspector.app' && cp -r 'out/MCPJam Inspector-darwin-arm64/MCPJam Inspector.app' /Applications/ && open '/Applications/MCPJam Inspector.app'
electron:makenpm run icons:win && npm run icons:mac && electron-forge make
electron:packageelectron-forge package
electron:publishelectron-forge publish
…and 16 more.

Dependencies83

@ai-sdk/anthropic^3.0.36
@ai-sdk/azure^3.0.26
@ai-sdk/deepseek^2.0.17
@ai-sdk/google^3.0.20
@ai-sdk/mistral^3.0.18
@ai-sdk/openai^3.0.25
@ai-sdk/react^3.0.156
@ai-sdk/xai^3.0.46
@axiomhq/js^1.4.0
@cfworker/json-schema^4.1.1
@codemirror/commands^6.10.3
@codemirror/lang-json^6.0.2
@codemirror/language^6.12.3
@codemirror/state^6.6.0
@codemirror/view^6.43.0
@convex-dev/auth^0.0.88
@convex-dev/workos^0.0.1
@dagrejs/dagre^3.0.0
@dnd-kit/core^6.3.1
@dnd-kit/sortable^10.0.0
@dnd-kit/utilities^3.2.2
@hono/node-server^1.13.7
@hookform/resolvers^3.10.0
@lezer/highlight^1.2.3
@mcp-ui/client^5.9.0
@mcpjam/sdk^1.10.1
@modelcontextprotocol/client^2.0.0-alpha.2
@modelcontextprotocol/ext-apps^1.7.2
@ngrok/ngrok^1.6.0
@openrouter/ai-sdk-provider^2.0.2
…and 53 more.