Is the npm:@scanbim-labs/scanbim-mcp MCP server safe to use?
Independent trust grade C+ (79/100). Static analysis of npm package @scanbim-labs/scanbim-mcp@1.0.6 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured. wmcp.sh continuously watches npm:@scanbim-labs/scanbim-mcp for tool drift and rug-pulls. The grade is free and identical whether or not the operator pays.
What it offers — 30 tools · Developer Tools
scanbim-mcp
upload_model
detect_clashes
get_viewer_link
list_models
get_model_metadata
get_supported_formats
acc_list_projects
acc_create_issue
acc_create_rfi
acc_list_issues
acc_list_rfis
acc_search_documents
acc_project_summary
xr_launch_vr_session
xr_launch_ar_session
xr_list_sessions
twinmotion_render
+12 more tools
Spec / packaging20%50
no recognized MCP SDK dependency
no bin entry
✓ 30 tool(s) detected in source
Security (OWASP MCP)30%90
no high-risk patterns in sampled source
scanned 6 source files
Maintenance / popularity20%92
published within 90 days
2 published versions
Tool hygiene15%70
no TypeScript types
0 runtime deps
Transparency / provenance15%90
✓ public repository linked
✓ MIT license
13 weekly downloads
Findings
INFO Static analysis of npm package @scanbim-labs/scanbim-mcp@1.0.6 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured.
We re-grade npm:@scanbim-labs/scanbim-mcp on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.
Share this report card
A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.
A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.
Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:
https://wmcp.sh/mcp/trust
How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.