Commit — Supply Chain Risk Scoring
Server Details
Supply chain risk scoring for npm, PyPI, Cargo, and Go. 9 tools. Behavioral signals.
- Status
- Healthy
- Last Tested
- Transport
- Streamable HTTP
- URL
- Repository
- piiiico/proof-of-commitment
- GitHub Stars
- 6
- Server Listing
- proof-of-commitment
Glama MCP Gateway
Connect through Glama MCP Gateway for full control over tool access and complete visibility into every call.
Full call logging
Every tool call is logged with complete inputs and outputs, so you can debug issues and audit what your agents are doing.
Tool access control
Enable or disable individual tools per connector, so you decide what your agents can and cannot do.
Managed credentials
Glama handles OAuth flows, token storage, and automatic rotation, so credentials never expire on your clients.
Usage analytics
See which tools your agents call, how often, and when, so you can understand usage patterns and catch anomalies.
Tool Definition Quality
Average 4.3/5 across 12 of 12 tools scored. Lowest: 3.2/5.
Every tool has a distinct purpose: audit tools for batch/ tree/ repo auditing, lookup tools for individual package or business profiles, plus API key management and domain querying. No two tools overlap in functionality.
Tool names follow clear patterns: audit_ for auditing actions, lookup_ for profile retrieval, and get_api_key / query_commitment for other operations. The naming is predictable and easy to understand.
With 12 tools, the server is well-scoped for its domain of supply chain risk scoring across multiple ecosystems, plus business lookups and API management. Each tool earns its place.
The tool set covers the full lifecycle: auditing (batch, tree, repo), individual package lookups (npm, PyPI, Cargo, Go, GitHub), business lookups, and domain queries. No obvious gaps for the stated purpose.
Available Tools
12 toolsaudit_dependenciesAInspect
Batch-score multiple npm, PyPI, Cargo, or Go packages for supply chain risk. Takes a list of package names and returns a risk table sorted by commitment score (lowest = highest risk first).
Risk flags:
CRITICAL: single publisher + >10M weekly downloads (publish-access concentration risk)
HIGH: new package (<1yr) + high downloads (unproven, rapid adoption = supply chain risk)
WARN: no release in 12+ months (potential abandonware)
WARN: dormant publishers with current scope access — contributors who stopped publishing but retain npm tokens (Mastra-incident vector, June 2026)
Perfect for auditing a full package.json, requirements.txt, Cargo.toml, or go.mod — paste your dependency list and get a prioritized risk report.
For Go: pass full module paths (e.g., "github.com/gin-gonic/gin", "golang.org/x/net") and set ecosystem="golang". The "maintainers" column shows GitHub contributor count since Go has no centralized publisher concept.
Examples: score all deps in a project, compare two similar packages, identify abandonware before it becomes a CVE.
| Name | Required | Description | Default |
|---|---|---|---|
| packages | Yes | List of package names to score. Up to 20 at once. Examples: ["langchain", "litellm", "openai", "axios"] or ["@anthropic-ai/sdk", "zod", "express"] or ["github.com/gin-gonic/gin", "golang.org/x/net"] for Go modules. | |
| ecosystem | No | Package ecosystem. "auto" detects by naming convention (Python-style = pypi, otherwise npm). Force "npm", "pypi", "cargo", or "golang" to override. Go modules require full path (host/owner/repo) — use "golang". | auto |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations are provided, so the description carries the transparency burden. It discloses the output (risk table sorted by commitment score) and lists specific risk flags with explanations. It does not mention any destructive side effects, which is appropriate for a read-only audit tool.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is well-structured with a clear opening, bullet-pointed risk flags, and practical examples. It is slightly long but each section adds value, making it appropriately sized for the tool's complexity.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the lack of an output schema and the tool's multi-ecosystem nature, the description is remarkably complete. It explains the risk categories, ecosystem-specific details (especially Go), and provides concrete use cases, covering all essential information an agent would need.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The input schema already describes both parameters fully (100% coverage). The description adds value by explaining the risk flags, providing examples for each ecosystem, and clarifying Go module path requirements.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states that the tool batch-scores packages for supply chain risk across four ecosystems (npm, PyPI, Cargo, Go). It distinguishes from siblings like audit_dependency_tree and audit_github_repo by focusing on a list of package names and returning a risk table.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides explicit usage context: it's ideal for auditing full dependency files like package.json or requirements.txt and includes examples. However, it does not explicitly say when not to use it or directly compare to sibling tools.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
audit_dependency_treeAInspect
Map the full dependency tree of an npm package and identify CRITICAL supply chain risks at every level.
Unlike auditing a flat list of packages, this tool traverses the dependency graph — showing not just your direct dependencies but also what your dependencies depend on. Hidden CRITICAL packages (sole publisher + >10M weekly downloads) often lurk 1-2 levels deep.
Risk flags:
CRITICAL: single npm publisher + >10M weekly downloads — sole point of failure for a massive attack surface
HIGH: sole publisher + >1M/wk, OR new package (<1yr) with high adoption
WARN: no release in 12+ months (potential abandonware)
depth=1 (default): root package + all direct dependencies depth=2: also traverses one more level for any CRITICAL/HIGH direct deps (reveals hidden exposure)
Examples:
audit_dependency_tree("express") — see all of Express's deps and their risk scores
audit_dependency_tree("langchain", 2) — reveal transitive CRITICAL deps 2 levels deep
audit_dependency_tree("@anthropic-ai/sdk") — audit Anthropic SDK full tree
Use this when someone asks:
"What am I really depending on?"
"Are my dependencies' dependencies safe?"
"Show me the full supply chain risk for package X"
| Name | Required | Description | Default |
|---|---|---|---|
| depth | No | How deep to traverse. 1 = direct deps only (fast). 2 = also traverse deps of CRITICAL/HIGH packages (slower, reveals hidden risk). Default: 1 | |
| package | Yes | npm package name to map. Examples: "express", "langchain", "@anthropic-ai/sdk", "zod" |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so description carries full burden. It discloses traversal behavior, risk levels (CRITICAL, HIGH, WARN), and depth parameter effects. Lacks mention of rate limits or authentication, but core behavior is well explained.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
Well-structured with headings, bullet points, and examples. Front-loaded with purpose. While comprehensive, it is slightly verbose; could be tightened without losing meaning.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
No output schema, but description explains what output contains (risk flags, dependency tree). Covers complexity of traversal depth and risk assessment. Differentiates well from sibling tools listed.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% but description adds significant value: explains risk levels, depth behavior with examples, and usage patterns. Goes well beyond the basic schema descriptions.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool maps the full dependency tree of npm packages and identifies supply chain risks. It uses specific verbs ('map', 'identify') and resource ('dependency tree'). It distinguishes from siblings like audit_dependencies and lookup_npm_package by emphasizing graph traversal.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
Provides explicit use cases and example queries ('What am I really depending on?'). Does not explicitly state when not to use or compare with alternatives, but context is clear. A minor gap for full marks.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
audit_github_repoAInspect
Audit the supply chain risk of a GitHub repository's dependencies. Fetches the repo's package.json and/or requirements.txt from GitHub and runs behavioral commitment scoring on every dependency.
This is the fastest way to audit a project — just provide the GitHub URL or owner/repo slug, and get a full risk table in seconds.
Risk flags:
CRITICAL: single publisher/maintainer/owner + >10M weekly downloads (publish-access concentration risk)
HIGH: sole publisher/maintainer + >1M/wk downloads, OR new package (<1yr) with high adoption
WARN: no release in 12+ months (potential abandonware)
Examples:
"vercel/next.js" — audit Next.js dependencies
"https://github.com/langchain-ai/langchainjs" — audit LangChain JS
"facebook/react" — audit React's dependency tree
"anthropics/anthropic-sdk-python" — audit Anthropic Python SDK
Use this when someone asks "is my project at risk?" or "audit this repo's dependencies".
| Name | Required | Description | Default |
|---|---|---|---|
| repo | Yes | GitHub repository to audit. Accepts: "owner/repo", "https://github.com/owner/repo", or any GitHub URL. Examples: "vercel/next.js", "https://github.com/langchain-ai/langchainjs" |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so description carries full burden. It explains the process (fetches files, runs scoring) and risk flags, but doesn't mention authentication or side effects. Still strong for a read-only audit tool.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
Well-structured: clear opening sentence, bullet points for risk flags, and several examples. No fluff.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Comprehensive for the tool's complexity: explains inputs, process, output (risk table with flags). No output schema, but description suffices.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Single parameter 'repo' with 100% schema coverage. Description adds value by providing examples and clarifying acceptable formats beyond the schema description.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states it audits supply chain risk by fetching package files and running commitment scoring. It distinguishes from sibling tools like lookup_github_repo and audit_dependencies.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
Explicitly tells when to use: 'fastest way to audit a project', gives usage scenarios ('is my project at risk?'), and provides multiple examples.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
get_api_keyAInspect
Create a free Commit API key instantly — no browser required.
When you've hit the daily free query limit (or just want faster access), call this tool with your email to get an API key returned directly in the chat. The key lifts the rate limit to 200 audits/day and enables package monitoring (weekly alerts when your dependencies get riskier).
After creating the key, configure your MCP client to pass it: Authorization: Bearer sk_commit_
Example: get_api_key({ email: "dev@company.com" })
One key per email. 3 keys per IP per day (anti-abuse).
| Name | Required | Description | Default |
|---|---|---|---|
| Yes | Your email address — used for alert delivery and key recovery. One key per email. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description carries the full burden. It discloses the key's benefits (rate limit lift, package monitoring), how to configure it, and limitations (one per email, 3 per IP per day). It does not explain behavior if called with the same email again, but overall is transparent.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is structured with a clear lead sentence, then usage details, an example, and limitations. Every sentence adds value, though it could be slightly more compact without losing clarity.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's simplicity, the description covers purpose, usage motivation, example call, post-creation configuration, and limitations. No output schema is provided, but the return value is described. Edge cases like duplicate emails are not addressed, but overall it's fairly complete.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% with a detailed description. The tool description adds context on why the email is needed (alert delivery, key recovery) and the one-key-per-email rule, which enhances understanding beyond the schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool creates a free Commit API key. It specifies the verb 'create' and resource 'API key', and distinguishes from sibling tools (audit/lookup) which don't involve key creation.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description explains when to use the tool: when hitting the daily free query limit or wanting faster access. It also sets expectations like one key per email and 3 keys per IP per day. It does not explicitly mention when not to use, but the context is clear.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_businessAInspect
Search for a Norwegian business and get its commitment profile from public data (Brønnøysund Register Centre). Returns real commitment signals: longevity, financial health, employee count, and overall commitment score (0-100). Data source: Norwegian government registers — free, verified, unfakeable.
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | Business name to search for (e.g. 'Peppes Pizza', 'Equinor') |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations provided, the description carries the full burden of behavioral disclosure. It effectively describes key behavioral traits: it's a read-only search operation (implied by 'Search' and 'get'), discloses the data source and its characteristics ('free, verified, unfakeable'), and outlines the return content ('commitment signals: longevity, financial health, employee count, and overall commitment score'). It doesn't mention rate limits or authentication needs, but covers the core behavior well.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is efficiently structured in two sentences: the first states the purpose and data source, and the second details the return values and data quality. Every sentence adds value without redundancy, making it front-loaded and appropriately concise for the tool's complexity.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given no annotations and no output schema, the description does a good job of covering the tool's context: it explains the purpose, data source, and return values. However, it doesn't specify the format of the commitment score or other return details, which could be helpful for an agent. It's mostly complete but has minor gaps in output specification.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The schema description coverage is 100%, with the single parameter 'query' already documented in the schema as 'Business name to search for'. The description doesn't add any additional parameter semantics beyond what the schema provides, such as search syntax or matching behavior. Baseline 3 is appropriate since the schema handles the parameter documentation adequately.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the specific action ('Search for a Norwegian business and get its commitment profile'), identifies the resource ('public data from Brønnøysund Register Centre'), and distinguishes it from siblings by focusing on Norwegian businesses rather than packages or repositories. It provides concrete details about what the tool does beyond just the name.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description implies usage context by specifying it's for Norwegian businesses and mentions the data source, which helps differentiate it from sibling tools like lookup_github_repo or lookup_npm_package. However, it doesn't explicitly state when to use this vs. lookup_business_by_org or query_commitment, leaving some ambiguity about alternatives.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_business_by_orgAInspect
Look up a specific Norwegian business by organization number (9 digits) and get its commitment profile. Returns temporal, financial, and operational commitment signals from Brønnøysund Register Centre.
| Name | Required | Description | Default |
|---|---|---|---|
| orgNumber | Yes | Norwegian organization number (9 digits, e.g. '984388659') |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions the return data types ('temporal, financial, and operational commitment signals') but lacks details on error handling (e.g., invalid org numbers), rate limits, authentication needs, or response format. For a lookup tool with no annotation coverage, this leaves significant gaps in understanding operational behavior.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is two concise sentences with zero waste: the first sentence states the purpose and input, and the second specifies the output and source. It's front-loaded with key information and efficiently structured.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given no annotations and no output schema, the description provides basic purpose and output types but lacks details on response structure, error cases, or operational constraints. For a simple lookup tool with one parameter, it's minimally adequate but incomplete for reliable agent use without additional context.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema description coverage is 100%, so the schema already fully documents the single required parameter 'orgNumber' with its format. The description adds no additional parameter semantics beyond what's in the schema (e.g., it doesn't clarify if the number includes hyphens or other variations), meeting the baseline for high schema coverage.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the specific action ('Look up'), resource ('Norwegian business'), and key identifier ('by organization number'), distinguishing it from siblings like 'lookup_business' (which lacks the orgNumber specificity) and 'query_commitment' (which likely queries differently). It specifies the exact data source (Brønnøysund Register Centre) and output type ('commitment profile').
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description implies usage when you need commitment data for a Norwegian business via its org number, but it doesn't explicitly state when to use this vs. alternatives like 'lookup_business' (which might use different identifiers) or 'query_commitment' (which might have broader scope). No exclusions or prerequisites are mentioned, leaving some ambiguity.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_cargo_crateAInspect
Get a behavioral commitment profile for any Rust crate on crates.io. Returns real signals: crate age, download volume (estimated weekly from 90-day totals), version count, publish cadence, owner count (users with publish access), team owners, and linked GitHub activity.
Supply chain risks apply to Cargo too — crate owners with publish access are the attack surface. A single owner on a high-download crate is the same risk pattern as npm.
Useful for: vetting Rust dependencies before adding to Cargo.toml, identifying abandonware, supply chain risk assessment. Examples: "serde", "tokio", "reqwest", "clap", "rand"
| Name | Required | Description | Default |
|---|---|---|---|
| crate | Yes | Crate name on crates.io. Examples: "serde", "tokio", "reqwest", "clap". Case-insensitive. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so description carries full weight. It implies a read-only operation ('Get a profile') and explains the behavioral trait of returning signals. No contradiction or hidden side effects disclosed.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
Concise, front-loaded with purpose, then details, then examples. No unnecessary sentences.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
No output schema, but description enumerates return signals (crate age, download volume, etc.). Adequate for a lookup tool; could mention error handling or rate limits, but not required for basic usage.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Single parameter 'crate' with 100% schema coverage. Description adds examples and notes case-insensitivity, enhancing understanding beyond the schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states it 'get[s] a behavioral commitment profile for any Rust crate on crates.io' and lists specific signals returned. This distinguishes it from sibling tools that cover other ecosystems (npm, PyPI) or perform audits.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
Explicitly mentions use cases: 'vetting Rust dependencies before adding to Cargo.toml, identifying abandonware, supply chain risk assessment.' No explicit when-not-to-use, but context is clear.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_github_repoAInspect
Get a behavioral commitment profile for any public GitHub repository. Returns real signals that prove genuine investment: how long the project has existed, recent commit frequency, contributor community size, release cadence, and social proof. These are behavioral commitments — harder to fake than README claims or marketing copy.
Useful for: vetting open-source dependencies, evaluating AI tools/frameworks, assessing vendor reliability, due diligence on any GitHub project.
Examples: "vercel/next.js", "facebook/react", "https://github.com/piiiico/proof-of-commitment"
| Name | Required | Description | Default |
|---|---|---|---|
| repo | Yes | GitHub repository in "owner/repo" format or full URL. Examples: "vercel/next.js", "https://github.com/facebook/react" |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations provided, the description carries the full burden of behavioral disclosure. It clearly describes the tool's behavior: it returns 'real signals that prove genuine investment' such as project age, commit frequency, contributor size, release cadence, and social proof. It also notes these are 'harder to fake than README claims,' indicating the tool's analytical nature. However, it lacks details on rate limits, error handling, or authentication needs, which are minor gaps.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is well-structured and front-loaded, starting with the core purpose, followed by details on returns, usage scenarios, and examples. Most sentences add value, though the explanation of 'behavioral commitments' could be slightly condensed. It efficiently conveys necessary information without redundancy.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's moderate complexity (single parameter, no output schema, no annotations), the description is largely complete. It covers purpose, behavior, usage, and examples. However, it doesn't detail the output format or potential limitations (e.g., rate limits, error cases), which would enhance completeness for an agent invoking the tool.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The input schema has 100% description coverage, with the 'repo' parameter well-documented in the schema itself. The description adds minimal value beyond the schema by providing examples in the text (e.g., 'vercel/next.js'), but doesn't explain parameter semantics like format constraints or edge cases. Baseline 3 is appropriate since the schema does the heavy lifting.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description explicitly states the tool's purpose: 'Get a behavioral commitment profile for any public GitHub repository.' It specifies the verb ('Get'), resource ('behavioral commitment profile'), and target ('public GitHub repository'), clearly distinguishing it from sibling tools like audit_github_repo or lookup_npm_package by focusing on behavioral analysis rather than auditing or package-specific lookups.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides explicit usage guidance with a 'Useful for:' section listing specific scenarios (e.g., vetting dependencies, evaluating AI tools, due diligence). It also includes examples of valid inputs, helping users understand when to apply this tool versus alternatives like audit_dependencies or lookup_npm_package, though it doesn't explicitly name when-not-to-use cases.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_go_moduleAInspect
Get a behavioral commitment profile for any Go module on proxy.golang.org. Takes a full module path (e.g., "github.com/gin-gonic/gin", "golang.org/x/net", "k8s.io/client-go", "gopkg.in/yaml.v3") and returns real signals: module age, version count, publish cadence, GitHub contributors (the closest equivalent to "publishers" since Go has no centralized publisher concept — git push access is the publish equivalent), GitHub stars, OpenSSF Scorecard score.
The Go ecosystem has no centralized download counter, so this profile is GitHub-primary — the linked source repository's activity, contributor count, and Scorecard carry more weight than for npm/PyPI/Cargo. Stars are used as the popularity proxy.
Useful for: vetting Go dependencies before adding to go.mod, identifying abandonware, supply chain risk assessment. Examples: "github.com/gin-gonic/gin", "golang.org/x/crypto", "github.com/spf13/cobra", "k8s.io/api"
| Name | Required | Description | Default |
|---|---|---|---|
| module | Yes | Full Go module path. Must include the host. Examples: "github.com/gin-gonic/gin", "golang.org/x/net", "k8s.io/client-go", "gopkg.in/yaml.v3". Case-sensitive (preserves capitalization in path). |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description fully carries behavioral disclosure. It explains the tool's reliance on GitHub data, notes the absence of download counters, and clarifies that git push access equates to publishing. This provides strong transparency about what the tool reports and why.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is moderately detailed but well-structured: purpose first, then return signals, ecosystem context, use cases, examples. Every sentence adds useful information; small redundancy could be trimmed but overall effective.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Despite no output schema, the description fully explains what the tool returns (age, version count, etc.) and addresses ecosystem specifics. It covers input, behavior, and use cases comprehensively for a focused tool.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Only one parameter ('module') with 100% schema coverage. The description adds value beyond the schema by providing multiple examples, case-sensitivity note, and requirement for the host, making usage more concrete.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool retrieves a 'behavioral commitment profile' for Go modules, specifying input as full module path and listing return signals. It distinctly separates from sibling tools like audit_dependencies and lookup_npm_package by focusing on Go's ecosystem.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
Explicit use cases are given ('vetting Go dependencies... supply chain risk assessment'), explaining the GitHub-primary nature. However, it does not explicitly state when not to use or mention alternative tools, though context implies its specialized role.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_npm_packageAInspect
Get a behavioral commitment profile for any npm package. Returns real signals that prove genuine investment: package age, download volume and trend (growing/stable/declining), release consistency, npm publisher count, GitHub contributor count, and linked GitHub activity.
Also returns publisherLifecycle — cross-referencing current maintainers against per-version publish history to flag dormant publishers who still hold npm scope access. The Mastra incident (June 2026) exploited exactly this: a contributor dormant since 2024 with never-revoked scope access.
Why behavioral signals matter: download counts, stars, and READMEs can be gamed. Download trend consistency and publisher depth over years are harder to fake. Supply chain attacks often target packages with low publisher depth (few people with npm publish access).
Useful for: vetting dependencies before installation, due diligence on open-source packages, identifying abandonware, checking if a package is actively maintained.
Examples: "langchain", "@anthropic-ai/sdk", "express", "litellm"
| Name | Required | Description | Default |
|---|---|---|---|
| package | Yes | npm package name. Examples: "langchain", "@anthropic-ai/sdk", "express". Scoped packages need the @ prefix. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations provided, the description fully discloses behavioral traits: it returns a behavioral commitment profile, explains signals like publisherLifecycle and the Mastra incident, and the rationale behind behavioral signals. No contradictions or omissions.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is well-structured with a front-loaded purpose, list of returned signals, contextual explanation, use cases, and examples. It includes a slightly verbose anecdote about the Mastra incident but remains focused and adds credibility.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given no output schema, the description adequately explains return values (package age, download trends, publisher lifecycle, etc.). It covers the tool's functionality for its intended use cases, though it could note any limitations like rate limits or error handling.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The input schema has one parameter with 100% coverage in description. The description adds value by emphasizing the '@' prefix for scoped packages and providing examples, though the schema already includes examples. It adds non-trivial nuance beyond the schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool's purpose: 'Get a behavioral commitment profile for any npm package.' It lists specific signals returned, distinguishing it from sibling tools like audit_dependencies or lookup_github_repo by focusing on npm-specific behavioral metrics.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides explicit use cases: vetting dependencies, due diligence, identifying abandonware, checking maintenance. It explains why behavioral signals matter, but does not explicitly mention when not to use or compare to alternatives among siblings.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
lookup_pypi_packageAInspect
Get a behavioral commitment profile for any PyPI (Python) package. Returns real signals: package age, download volume and trend, release consistency, publisher/owner count, and linked GitHub activity.
Supply chain attacks target Python packages — LiteLLM (97M downloads/mo) was compromised via stolen PyPI token in March 2026. Behavioral signals reveal what star counts hide.
Useful for: vetting Python dependencies, identifying abandonware, supply chain risk due diligence. Examples: "langchain", "litellm", "openai", "anthropic", "requests", "fastapi", "pydantic"
| Name | Required | Description | Default |
|---|---|---|---|
| package | Yes | PyPI package name. Examples: "langchain", "openai", "requests", "fastapi". Case-insensitive. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description carries full burden. It discloses the return signals and mentions behavioral signals reveal what star counts hide, indicating no destructive side effects. However, it does not mention rate limits or authentication needs.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is front-loaded with the main purpose. The LiteLLM anecdote adds context but slightly lengthens it. Every sentence is meaningful, though could be condensed without loss.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given one simple parameter, no output schema, and no nested objects, the description sufficiently explains what the tool returns and its use cases. It is complete for the tool's complexity.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% for the single parameter 'package'. The description adds value by stating case-insensitivity, providing multiple examples, and explaining the parameter is a PyPI package name.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool gets a behavioral commitment profile for PyPI packages, names specific signals (age, downloads, releases), and differentiates from siblings like lookup_npm_package by specifying the Python ecosystem.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description explicitly lists use cases (vetting dependencies, abandonware, supply chain risk) and provides examples. It does not state when not to use this tool versus siblings, but the context is clear.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
query_commitmentBInspect
Query verified behavioral commitment data for a domain. Returns aggregated signals: unique verified visitors, repeat visit rate, and average time spent. These prove real human engagement — harder to fake than reviews or content.
| Name | Required | Description | Default |
|---|---|---|---|
| domain | Yes | The domain to query (e.g. 'example.com'). Will be normalized to lowercase without protocol or path. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations are provided, so the description carries the full burden of behavioral disclosure. It describes what the tool returns but does not cover critical behavioral aspects such as whether it's a read-only operation, potential rate limits, authentication requirements, error handling, or data freshness. The mention of 'verified' and 'harder to fake' hints at data reliability but lacks operational details.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is concise and front-loaded, stating the core functionality in the first sentence and adding context in the second. Both sentences earn their place by explaining the tool's purpose and value proposition without redundancy. It could be slightly improved by integrating usage guidance, but it's efficiently structured.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's moderate complexity (single parameter, no output schema, no annotations), the description is partially complete. It explains what the tool does and its output signals but lacks details on behavioral traits, usage context, and output format. Without annotations or an output schema, more information on return values or operational constraints would enhance completeness.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The input schema has 100% description coverage for its single parameter ('domain'), so the schema already documents it fully. The description does not add any parameter-specific information beyond what's in the schema, such as examples or constraints, but it does not need to compensate for gaps. Baseline 3 is appropriate as the schema handles the parameter semantics adequately.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool's purpose with a specific verb ('query'), resource ('verified behavioral commitment data for a domain'), and output details ('aggregated signals: unique verified visitors, repeat visit rate, and average time spent'). It distinguishes itself from sibling tools like audit_* or lookup_* tools by focusing on behavioral commitment data rather than audits or business/package lookups.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides no guidance on when to use this tool versus alternatives. It mentions that the data 'proves real human engagement — harder to fake than reviews or content,' which implies a use case for verifying engagement, but does not specify scenarios, prerequisites, or exclusions compared to sibling tools like lookup_business or audit_dependencies.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
Claim this connector by publishing a /.well-known/glama.json file on your server's domain with the following structure:
{
"$schema": "https://glama.ai/mcp/schemas/connector.json",
"maintainers": [{ "email": "your-email@example.com" }]
}The email address must match the email associated with your Glama account. Once published, Glama will automatically detect and verify the file within a few minutes.
Control your server's listing on Glama, including description and metadata
Access analytics and receive server usage reports
Get monitoring and health status updates for your server
Feature your server to boost visibility and reach more users
For users:
Full audit trail – every tool call is logged with inputs and outputs for compliance and debugging
Granular tool control – enable or disable individual tools per connector to limit what your AI agents can do
Centralized credential management – store and rotate API keys and OAuth tokens in one place
Change alerts – get notified when a connector changes its schema, adds or removes tools, or updates tool definitions, so nothing breaks silently
For server owners:
Proven adoption – public usage metrics on your listing show real-world traction and build trust with prospective users
Tool-level analytics – see which tools are being used most, helping you prioritize development and documentation
Direct user feedback – users can report issues and suggest improvements through the listing, giving you a channel you would not have otherwise
The connector status is unhealthy when Glama is unable to successfully connect to the server. This can happen for several reasons:
The server is experiencing an outage
The URL of the server is wrong
Credentials required to access the server are missing or invalid
If you are the owner of this MCP connector and would like to make modifications to the listing, including providing test credentials for accessing the server, please contact support@glama.ai.
Discussions
No comments yet. Be the first to start the discussion!
Your Connectors
Sign in to create a connector for this server.