npm:cws-mcp

Item: npm:cws-mcp
Rating: 75
Author: wmcp.sh

https://www.npmjs.com/package/cws-mcp

75/100 · MCP Trust Grade · checked 2h ago · MCP 1.4.2

What it offers — 8 tools · Cloud & DevOps

upload

Upload a ZIP file to update an existing Chrome Web Store item draft. Note: Creating new items via API is not supported in v2 — use the Developer Dashb

publish

Publish an extension to Chrome Web Store. Supports immediate publish, staged publish, initial deploy percentage, and skip-review.

status

Fetch the current status of an extension on Chrome Web Store. Returns published/submitted revision status, deploy percentage, version, takedown/warnin

cancel

Cancel a pending submission on Chrome Web Store. Can be used to cancel an item currently in review.

deploy-percentage

Set the published deploy percentage for staged rollout on Chrome Web Store. The new percentage must be higher than the current target. Only available

get

Get the current metadata of a Chrome Web Store item (v1.1 API). Returns title, description, category, and other listing fields. Note: v1 API is deprec

update-metadata

Update the store listing metadata of a Chrome Web Store item (v1.1 API). Supports both common fields and raw metadata payload for advanced fields. Not

update-metadata-ui

Update listing metadata via Chrome Web Store dashboard UI automation (Playwright). Use this when API metadata updates are not reflected, or as the pri

Spec / packaging20%100

✓ depends on an MCP SDK
✓ declares a bin entry (runnable server)
✓ 8 tool(s) detected in source

Security (OWASP MCP)30%25

⚠ references sensitive file paths / env secrets
scanned 1 source file

Maintenance / popularity20%100

published within 90 days
7 published versions

Tool hygiene15%95

✓ ships TypeScript types
3 runtime deps

Transparency / provenance15%90

✓ public repository linked
✓ MIT license
26 weekly downloads

Findings

WARNMCP08 References sensitive file paths / environment secrets.

INFO Static analysis of npm package cws-mcp@1.4.2 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured.

Grade another server

We re-grade npm:cws-mcp on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.

Share this report card

A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.

MCP Trust report card — npm:cws-mcp grade C

Share on X Open card image

https://wmcp.sh/mcp/grade/npm%3Acws-mcp

Embed this grade

A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.

Markdown (for your README)

[![MCP Trust Grade C](https://wmcp.sh/mcp/grade/npm%3Acws-mcp/badge.svg)](https://wmcp.sh/mcp/grade/npm%3Acws-mcp)

HTML

<a href="https://wmcp.sh/mcp/grade/npm%3Acws-mcp"><img src="https://wmcp.sh/mcp/grade/npm%3Acws-mcp/badge.svg" alt="MCP Trust Grade C · wmcp.sh"></a>

Agents: check this before connecting

Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:

https://wmcp.sh/mcp/trust

How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.