Is the npm:@sathergate/notifykit MCP server safe to use?
Independent trust grade C- (70/100). References sensitive file paths / environment secrets. wmcp.sh continuously watches npm:@sathergate/notifykit for tool drift and rug-pulls. The grade is free and identical whether or not the operator pays.
What it offers — 3 tools · Productivity
herald_init
Scaffolds a herald.config.ts in a project directory with provider configuration. Auto-detects Twilio and Resend if installed or env vars are set.
herald_send
Send a notification via notifykit. Returns instructions for configuring providers if the project is not yet set up.
herald_test
Generate a test notification code snippet for a specific channel. Returns ready-to-run code for testing your notifykit setup.
INFO Static analysis of npm package @sathergate/notifykit@0.1.0 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured.
We re-grade npm:@sathergate/notifykit on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.
Share this report card
A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.
A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.
Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:
https://wmcp.sh/mcp/trust
How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.