supply_chain_risk
Pack: supply-chain-intel · Endpoint: https://gateway.pipeworx.io/supply-chain-intel/mcp
Score an open-source package for supply-chain risk in one call. Returns a LOW/MEDIUM/HIGH verdict with per-signal evidence — known vulnerabilities (OSV), OpenSSF Scorecard, release recency, license, and source repo — by fanning out across deps.dev, OSV.dev, and the package registry. Covers npm, PyPI, Cargo, and Go. Surfaces the single-maintainer / stale / unscored profiles that `npm audit` and star counts miss. No API key needed. Examples: `{"ecosystem":"npm","package":"left-pad"}`, `{"ecosystem":"pypi","package":"requests"}`, `{"ecosystem":"cargo","package":"tokio"}`, `{"ecosystem":"go","package":"github.com/gin-gonic/gin"}`.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| ecosystem | string | yes | Package ecosystem: one of `npm`, `pypi`, `cargo`, `go`. |
| package | string | yes | Exact package name. For Go, the full module path (e.g. `github.com/gin-gonic/gin`). |
| version | string | no | Optional specific version to inspect. Defaults to the latest/default version. |
Example call
```bash
# Both required arguments must be supplied; this scores the npm package "left-pad"
# at its default (latest) version.
curl -X POST https://gateway.pipeworx.io/supply-chain-intel/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"supply_chain_risk","arguments":{"ecosystem":"npm","package":"left-pad"}}}'
```
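The following Python wrapper is an added example, not code from the pipeworx page or project. It builds the same JSON-RPC 2.0 `tools/call` request as the curl example, enforces the documented parameter rules (allowed ecosystems, non-empty package, full module path for Go, optional version) before any network call, and turns the LOW/MEDIUM/HIGH verdict into a simple CI merge gate. Everything about the response layout is an assumption: MCP `tools/call` results carry a list of content items, and the tool is assumed here to place a JSON document with a `verdict` key (and optional `signals`) in the first text item; the `signals` field names in the constructed sample are invented.

```python
"""Added example (not the pipeworx page's own code): a client-side wrapper for the
supply_chain_risk MCP tool. Builds the JSON-RPC 2.0 tools/call request, validates the
documented parameters up front, and gates on the verdict. ASSUMPTION: the tool returns
its verdict as JSON text inside the first MCP content item of type "text"."""
import json
import urllib.request

ENDPOINT = "https://gateway.pipeworx.io/supply-chain-intel/mcp"   # from the page
ECOSYSTEMS = ("npm", "pypi", "cargo", "go")                       # from the parameter table
VERDICTS = ("LOW", "MEDIUM", "HIGH")                              # from the page


def build_request(ecosystem, package, version=None, request_id=1):
    """Validate the documented parameters and return the JSON-RPC request body."""
    if ecosystem not in ECOSYSTEMS:
        raise ValueError(f"ecosystem must be one of {ECOSYSTEMS}, got {ecosystem!r}")
    if not package or package.strip() != package:
        raise ValueError("package must be an exact, non-empty name")
    if ecosystem == "go" and "/" not in package:
        # The page requires the full module path for Go (e.g. github.com/gin-gonic/gin).
        raise ValueError("Go packages must be given as the full module path")
    arguments = {"ecosystem": ecosystem, "package": package}
    if version is not None:
        arguments["version"] = version          # optional per the parameter table
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "supply_chain_risk", "arguments": arguments},
    }


def parse_verdict(response):
    """Extract (verdict, signals) from a tools/call response; raise on any error."""
    if "error" in response:                     # JSON-RPC level failure
        raise RuntimeError(f"RPC error: {response['error']}")
    result = response.get("result", {})
    if result.get("isError"):                   # MCP tool-level failure
        raise RuntimeError(f"tool error: {result.get('content')}")
    for item in result.get("content", []):
        if item.get("type") == "text":
            payload = json.loads(item["text"])  # ASSUMED: verdict is JSON in a text item
            verdict = str(payload["verdict"]).upper()
            if verdict not in VERDICTS:
                raise ValueError(f"unexpected verdict {verdict!r}")
            return verdict, payload.get("signals", {})
    raise ValueError("response carried no text content")


def allowed(verdict, fail_on=("HIGH",)):
    """CI policy: True if a dependency with this verdict may be merged."""
    return verdict not in fail_on


def score(ecosystem, package, version=None, timeout=30):
    """Live call to the gateway (needs network); returns (verdict, signals)."""
    body = json.dumps(build_request(ecosystem, package, version)).encode()
    req = urllib.request.Request(
        ENDPOINT, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_verdict(json.load(resp))


# CONSTRUCTED sample response for offline use; the "signals" field names are invented.
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "content": [{
            "type": "text",
            "text": json.dumps({
                "verdict": "HIGH",
                "signals": {"osv_vulnerabilities": 2, "last_release_days": 900,
                            "scorecard": None, "maintainers": 1},
            }),
        }],
        "isError": False,
    },
}

if __name__ == "__main__":
    verdict, signals = parse_verdict(SAMPLE_RESPONSE)
    print(verdict, signals, "merge allowed:", allowed(verdict))
```

Validating arguments client-side matters because the gateway's own error for a missing or mistyped ecosystem is not documented on the page; failing fast with a clear message keeps a CI job from silently treating an RPC error as a "no findings" result. The `allowed` gate is deliberately conservative: only `HIGH` blocks by default, while `MEDIUM` (typically the stale or unscored profiles the page calls out) is left for a human to review.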
Connect
Add this to your MCP client config:

```json
{
  "mcpServers": {
    "supply-chain-intel": {
      "url": "https://gateway.pipeworx.io/supply-chain-intel/mcp"
    }
  }
}
```
See Getting Started for client-specific install steps.