Is the npm:prompt-to-asset MCP server safe to use?
Independent trust grade B+ (89/100). Static analysis of npm package prompt-to-asset@0.5.1 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured. wmcp.sh continuously watches npm:prompt-to-asset for tool drift and rug-pulls. The grade is free and identical whether or not the operator pays.
What it offers — 25 tools · AI & ML
asset_capabilities
asset_enhance_prompt
asset_generate_logo
asset_generate_app_icon
asset_generate_favicon
asset_generate_og_image
asset_generate_illustration
asset_generate_splash_screen
asset_generate_hero
asset_remove_background
asset_vectorize
asset_upscale_refine
asset_validate
asset_brand_bundle_parse
asset_save_inline_svg
asset_ingest_external
asset_train_brand_lora
asset_doctor
+7 more tools
Spec / packaging20%100
✓ depends on an MCP SDK
✓ declares a bin entry (runnable server)
✓ 25 tool(s) detected in source
Security (OWASP MCP)30%70
uses eval/exec/child_process (review for unsanitized input)
scanned 6 source files
Maintenance / popularity20%100
published within 90 days
7 published versions
Tool hygiene15%95
✓ ships TypeScript types
2 runtime deps
Transparency / provenance15%90
✓ public repository linked
✓ MIT license
163 weekly downloads
Findings
INFO Static analysis of npm package prompt-to-asset@0.5.1 (stdio server — no remote endpoint). Reliability/behavioral signals require running it; not measured.
We re-grade npm:prompt-to-asset on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.
Share this report card
A 1200×630 card with the grade + audit — drop it in a post, Slack, or your repo.
A live badge — it re-verifies itself and shows current stability. Static scorecards can't. Paste it in your README or site to show users you're independently audited.
Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:
https://wmcp.sh/mcp/trust
How this grade is computed. An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top 10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared readOnly vs observed behavior) layer on via the wmcp.sh proxy.