Independent trust grade B+ (89/100). Static analysis of npm package mcp-server-npm-plus@1.0.1 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured. wmcp.sh continuously watches npm:mcp-server-npm-plus for tool drift and rug-pulls. The grade is free and identical whether or not the operator pays.
searchSearch npm packages by query. Returns name, version, description, and keywords.
package_infoGet detailed info about an npm package: description, license, repo, dependencies.
downloadsGet download statistics for an npm package.
compare_downloadsCompare download counts across multiple packages.
bundle_sizeGet bundle size (minified + gzip) for an npm package via Bundlephobia.
vulnerabilitiesGet vulnerability info for an npm package. Note: Full audit requires npm audit in project context.
dependency_treeGet dependency tree for an npm package (direct deps only).
download_trendsGet download trends (daily breakdown + sparkline) for an npm package.
We re-grade npm:mcp-server-npm-plus on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.
Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:
https://wmcp.sh/mcp/trust
readOnly vs observed behavior) layer on via the wmcp.sh proxy.