# proof-of-commitment MCP server

Behavioral trust scoring: domains, GitHub repos, npm, PyPI packages.

## Links
- Registry page: https://www.getdrio.com/mcp/io-github-piiiico-proof-of-commitment
- Repository: https://github.com/piiiico/proof-of-commitment

## Install
- Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- Auth: Not captured

## Setup notes
- Remote endpoint: https://poc-backend.amdal-dev.workers.dev/mcp

## Tools
- query_commitment - Query verified behavioral commitment data for a domain. Returns aggregated signals: unique verified visitors, repeat visit rate, and average time spent. These prove real human engagement — harder to fake than reviews or content. Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_business - Search for a Norwegian business and get its commitment profile from public data (Brønnøysund Register Centre). Returns real commitment signals: longevity, financial health, employee count, and overall commitment score (0-100). Data source: Norwegian government registers — free, verified, unfakeable. Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_business_by_org - Look up a specific Norwegian business by organization number (9 digits) and get its commitment profile. Returns temporal, financial, and operational commitment signals from Brønnøysund Register Centre. Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_github_repo - Get a behavioral commitment profile for any public GitHub repository. Returns real signals that prove genuine investment: how long the project has existed, recent commit frequency, contributor community size, release cadence, and social proof. These are behavioral commitments — harder to fake than README claims or marketing copy.

Useful for: vetting open-source dependencies, evaluating AI tools/frameworks, assessing vendor reliability, due diligence on any GitHub project.

Examples: "vercel/next.js", "facebook/react", "https://github.com/piiiico/proof-of-commitment"
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_npm_package - Get a behavioral commitment profile for any npm package. Returns real signals that prove genuine investment: package age, download volume and trend (growing/stable/declining), release consistency, npm publisher count, GitHub contributor count, and linked GitHub activity.

Why behavioral signals matter: download counts, stars, and READMEs can be gamed. Download *trend* consistency and publisher depth over years are harder to fake. Supply chain attacks often target packages with low publisher depth (few people with npm publish access).

Useful for: vetting dependencies before installation, due diligence on open-source packages, identifying abandonware, checking if a package is actively maintained.

Examples: "langchain", "@anthropic-ai/sdk", "express", "litellm"
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_pypi_package - Get a behavioral commitment profile for any PyPI (Python) package. Returns real signals: package age, download volume and trend, release consistency, publisher/owner count, and linked GitHub activity.

Supply chain attacks target Python packages — LiteLLM (97M downloads/mo) was compromised via a stolen PyPI token in March 2026. Behavioral signals reveal what star counts hide.

Useful for: vetting Python dependencies, identifying abandonware, supply chain risk due diligence.
Examples: "langchain", "litellm", "openai", "anthropic", "requests", "fastapi", "pydantic"
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_cargo_crate - Get a behavioral commitment profile for any Rust crate on crates.io. Returns real signals: crate age, download volume (estimated weekly from 90-day totals), version count, publish cadence, owner count (users with publish access), team owners, and linked GitHub activity.

Supply chain risks apply to Cargo too — crate owners with publish access are the attack surface. A single owner on a high-download crate is the same risk pattern as npm.

Useful for: vetting Rust dependencies before adding to Cargo.toml, identifying abandonware, supply chain risk assessment.
Examples: "serde", "tokio", "reqwest", "clap", "rand"
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- lookup_go_module - Get a behavioral commitment profile for any Go module on proxy.golang.org. Takes a full module path (e.g., "github.com/gin-gonic/gin", "golang.org/x/net", "k8s.io/client-go", "gopkg.in/yaml.v3") and returns real signals: module age, version count, publish cadence, GitHub contributors (the closest equivalent to "publishers" since Go has no centralized publisher concept — git push access is the publish equivalent), GitHub stars, OpenSSF Scorecard score.

The Go ecosystem has no centralized download counter, so this profile is GitHub-primary — the linked source repository's activity, contributor count, and Scorecard carry more weight than for npm/PyPI/Cargo. Stars are used as the popularity proxy.

Useful for: vetting Go dependencies before adding to go.mod, identifying abandonware, supply chain risk assessment.
Examples: "github.com/gin-gonic/gin", "golang.org/x/crypto", "github.com/spf13/cobra", "k8s.io/api"
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- audit_dependencies - Batch-score multiple npm, PyPI, Cargo, or Go packages for supply chain risk. Takes a list of package names and returns a risk table sorted by commitment score, lowest score (highest risk) first.

Risk flags:
- CRITICAL: single publisher + >10M weekly downloads (publish-access concentration risk)
- HIGH: new package (<1yr) + high downloads (unproven, rapid adoption = supply chain risk)
- WARN: low publisher count + high downloads

Perfect for auditing a full package.json, requirements.txt, Cargo.toml, or go.mod — paste your dependency list and get a prioritized risk report.

For Go: pass full module paths (e.g., "github.com/gin-gonic/gin", "golang.org/x/net") and set ecosystem="golang". The "maintainers" column shows GitHub contributor count since Go has no centralized publisher concept.

Examples: score all deps in a project, compare two similar packages, identify abandonware before it becomes a CVE.
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- audit_github_repo - Audit the supply chain risk of a GitHub repository's dependencies. Fetches the repo's package.json and/or requirements.txt from GitHub and runs behavioral commitment scoring on every dependency.

This is the fastest way to audit a project — just provide the GitHub URL or owner/repo slug, and get a full risk table in seconds.

Risk flags:
- CRITICAL: single publisher/maintainer/owner + >10M weekly downloads (publish-access concentration risk)
- HIGH: sole publisher/maintainer + >1M/wk downloads, OR new package (<1yr) with high adoption
- WARN: no release in 12+ months (potential abandonware)

Examples:
- "vercel/next.js" — audit Next.js dependencies
- "https://github.com/langchain-ai/langchainjs" — audit LangChain JS
- "facebook/react" — audit React's dependency tree
- "anthropics/anthropic-sdk-python" — audit Anthropic Python SDK

Use this when someone asks "is my project at risk?" or "audit this repo's dependencies".
Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
- audit_dependency_tree - Map the full dependency tree of an npm package and identify CRITICAL supply chain risks at every level.

Unlike auditing a flat list of packages, this tool traverses the dependency graph — showing not just your direct dependencies but also what your dependencies depend on. Hidden CRITICAL packages (sole publisher + >10M weekly downloads) often lurk 1-2 levels deep.

Risk flags:
- CRITICAL: single npm publisher + >10M weekly downloads — sole point of failure for a massive attack surface
- HIGH: sole publisher + >1M/wk, OR new package (<1yr) with high adoption
- WARN: no release in 12+ months (potential abandonware)

- depth=1 (default): root package + all direct dependencies
- depth=2: also traverses one more level for any CRITICAL/HIGH direct deps (reveals hidden exposure)

Examples:
- audit_dependency_tree("express") — see all of Express's deps and their risk scores
- audit_dependency_tree("langchain", 2) — reveal transitive CRITICAL deps 2 levels deep
- audit_dependency_tree("@anthropic-ai/sdk") — audit Anthropic SDK full tree

Use this when someone asks:
- "What am I really depending on?"
- "Are my dependencies' dependencies safe?"
- "Show me the full supply chain risk for package X"

Endpoint: https://poc-backend.amdal-dev.workers.dev/mcp
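The flag rules listed for audit_github_repo and audit_dependency_tree, together with the depth=1/depth=2 traversal, reimplemented below as an added illustration. This is not the proof-of-commitment server's code: the package records and dependency graph are constructed for the example, and the "high adoption" threshold used by the new-package rule, which the page does not quantify, is assumed here to be 1M weekly downloads.

```python
"""Illustrative reimplementation of the CRITICAL/HIGH/WARN rules and the
depth-limited dependency walk described above. Added example, not the
server's own code; all package data below is constructed."""
from dataclasses import dataclass, field

CRITICAL_DOWNLOADS = 10_000_000   # ">10M weekly downloads" (from the page)
HIGH_DOWNLOADS = 1_000_000        # ">1M/wk downloads" (from the page)
HIGH_ADOPTION = 1_000_000         # ASSUMPTION: the page does not define "high adoption"
NEW_PACKAGE_DAYS = 365            # "new package (<1yr)"
STALE_RELEASE_DAYS = 365          # "no release in 12+ months"
SEVERITY = {"CRITICAL": 0, "HIGH": 1, "WARN": 2, "OK": 3}


@dataclass
class PackageSignals:
    name: str
    publishers: int            # accounts with publish access
    weekly_downloads: int
    age_days: int
    days_since_release: int
    deps: list[str] = field(default_factory=list)


def risk_flag(p: PackageSignals) -> str:
    """Apply the page's flag rules in order of severity."""
    if p.publishers == 1 and p.weekly_downloads > CRITICAL_DOWNLOADS:
        return "CRITICAL"   # sole publisher on a massive attack surface
    if p.publishers == 1 and p.weekly_downloads > HIGH_DOWNLOADS:
        return "HIGH"       # sole publisher + >1M/wk
    if p.age_days < NEW_PACKAGE_DAYS and p.weekly_downloads > HIGH_ADOPTION:
        return "HIGH"       # new package with rapid adoption (threshold assumed)
    if p.days_since_release >= STALE_RELEASE_DAYS:
        return "WARN"       # potential abandonware
    return "OK"


def audit_dependency_tree(registry: dict, root: str, depth: int = 1) -> list:
    """Return [(name, flag)] for the root, its direct deps and, at depth=2,
    the deps of any CRITICAL/HIGH direct dep. Sorted most severe first."""
    rows = {root: risk_flag(registry[root])}
    for dep in registry[root].deps:
        flag = risk_flag(registry[dep])
        rows[dep] = flag
        if depth >= 2 and flag in ("CRITICAL", "HIGH"):
            for sub in registry[dep].deps:
                rows.setdefault(sub, risk_flag(registry[sub]))
    return sorted(rows.items(), key=lambda kv: (SEVERITY[kv[1]], kv[0]))


# Constructed registry: names, counts and ages are invented for the demo.
REGISTRY = {p.name: p for p in [
    PackageSignals("app-root", 3, 5_000, 800, 30,
                   ["web-framework", "tiny-util", "old-helper", "fresh-hype"]),
    PackageSignals("web-framework", 4, 8_000_000, 3000, 20, ["fast-parse"]),
    PackageSignals("tiny-util", 1, 25_000_000, 2500, 90, ["one-liner"]),
    PackageSignals("old-helper", 2, 50_000, 2000, 600),
    PackageSignals("fresh-hype", 5, 3_000_000, 120, 5, ["fast-parse"]),
    PackageSignals("fast-parse", 1, 2_000_000, 1500, 15),
    PackageSignals("one-liner", 1, 30_000_000, 3000, 400),
]}

if __name__ == "__main__":
    for depth in (1, 2):
        print(f"--- depth={depth} ---")
        for name, flag in audit_dependency_tree(REGISTRY, "app-root", depth):
            print(f"{flag:8} {name}")
```

At depth=1 the report shows tiny-util as CRITICAL and fresh-hype as HIGH; only at depth=2 does the walk descend into those two and surface one-liner (CRITICAL) and fast-parse (HIGH), which is the hidden transitive exposure the tool description refers to. web-framework's own dependency on fast-parse is not followed because web-framework itself is OK.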

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.github.piiiico
- Version: 0.6.0
- Runtime: Streamable Http
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: Apr 5, 2026
- Source: https://registry.modelcontextprotocol.io
