C-

npm:lithtrix-mcp

https://www.npmjs.com/package/lithtrix-mcp
72/100 · MCP Trust Grade · checked 4h ago · MCP 0.19.0

What it offers — 15 tools · Social & Comms

lithtrix_blob_upload

Upload binary bytes via PUT /v1/blobs (raw body + Content-Type).

lithtrix_blob_download

Download blob bytes (GET /v1/blobs/{blob_id}). Returns JSON with content_base64 and content_type.

lithtrix_blob_list

List blob metadata (GET /v1/blobs). Optional page and per_page. Requires LITHTRIX_API_KEY.

lithtrix_blob_meta

Get JSON metadata for one blob (GET /v1/blobs/{blob_id}/meta). Requires LITHTRIX_API_KEY.

lithtrix_blob_delete

Soft-delete a blob (DELETE /v1/blobs/{blob_id}). Requires LITHTRIX_API_KEY.

lithtrix_blob_signed_url

Mint a time-limited HTTPS read URL for a blob (GET /v1/blobs/{blob_id}/signed-url).

lithtrix_browse

Pay to be fully autonomous: server-side public web access for agents.

lithtrix_commons_read

List opt-in shared public memory from Lithtrix Commons (

lithtrix_feedback

After lithtrix_search, send helpful / unhelpful / wrong signal using ref_type search_id and

lithtrix_feedback_interaction

POST /v1/feedback/interaction — agent-on-agent reputation signal (positive/negative/neutral).

lithtrix_reputation_dispute

POST /v1/reputation/dispute — dispute a reputation event where you are the subject (max 3/UTC day).

lithtrix_keys_list

List scoped sub-keys for this agent (GET /v1/keys). Requires the **root** LITHTRIX_API_KEY.

lithtrix_keys_create_scoped

Create a scoped child API key (POST /v1/keys). Requires root Bearer; returns one-time api_key.

lithtrix_keys_rotate

Rotate a scoped sub-key (POST /v1/keys/{key_id}/rotate). Prior key honors grace_hours (default 24). Root Bearer.

lithtrix_keys_revoke

Immediately revoke a scoped sub-key (DELETE /v1/keys/{key_id}). Root Bearer.

Spec / packaging20%100
Security (OWASP MCP)30%25
Maintenance / popularity20%100
Tool hygiene15%70
Transparency / provenance15%90

Findings

WARNMCP08 References sensitive file paths / environment secrets.
INFO Static analysis of npm package lithtrix-mcp@0.19.0 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured.
Grade another server

We re-grade npm:lithtrix-mcp on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.

Share this report card

A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.

MCP Trust report card — npm:lithtrix-mcp grade C-
Share on X Open card image

Embed this grade

A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.

MCP Trust Grade C- · wmcp.sh
[![MCP Trust Grade C-](https://wmcp.sh/mcp/grade/npm%3Alithtrix-mcp/badge.svg)](https://wmcp.sh/mcp/grade/npm%3Alithtrix-mcp)
<a href="https://wmcp.sh/mcp/grade/npm%3Alithtrix-mcp"><img src="https://wmcp.sh/mcp/grade/npm%3Alithtrix-mcp/badge.svg" alt="MCP Trust Grade C- · wmcp.sh"></a>

Agents: check this before connecting

Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:

https://wmcp.sh/mcp/trust
How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.