
mrc-audit

v0.1.0

Published

Stateless audit tool for MCP servers, OpenAPI endpoints, and A2A agents. Runs Spectral-style metadata checks, security posture, and CORS probes — 30 seconds, no signup.

Readme

mrc-audit

Stateless audit tool for MCP servers, OpenAPI endpoints, and A2A agents. Runs in 30 seconds. No signup. No install (works via npx).

Why

If you run an MCP server, an OpenAPI-backed REST API, or an A2A agent, you already worry about three things:

  1. Does my metadata expose internal URLs? (e.g. a *.workers.dev hostname in agent-card.json; an actual bug we caught on our own server)
  2. Are my security headers set? Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
  3. Does my CORS policy echo an arbitrary Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true? (that combination lets any website make authenticated cross-origin requests with a logged-in user's cookies, the classic API takeover)

mrc-audit runs these checks — plus metadata field validation for /.well-known/agent-card.json, /.well-known/ai-plugin.json, /openapi.json, and /mcp — against any target URL.
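The header and CORS checks above are simple enough to show end to end. The following is an added example, not mrc-audit's own code: it classifies a response's CORS posture from a probe that sent an attacker-controlled Origin, and checks the four headers plus the version-leak heuristic. The probe origin, the leak heuristic and the header fixtures are assumptions of this example; probeLive() shows how the same functions would be fed from a real request on Node 18+, but is not called so the file runs offline.

```javascript
// Added example, not mrc-audit's own code: classify CORS posture and
// security-header posture from response headers. Fixtures are constructed.

// Hypothetical origin sent in the probe; any origin the target does not own
// works, since the point is to see whether it is echoed back.
const PROBE_ORIGIN = 'https://attacker.example';

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
];

// Lower-case every header name so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Classify the response to a request that carried `Origin: probeOrigin`.
// Only an echoed origin plus Access-Control-Allow-Credentials: true is
// exploitable from a browser; the other non-pass cases are misconfigurations.
function classifyCors(headers, probeOrigin = PROBE_ORIGIN) {
  const h = normalizeHeaders(headers);
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return { status: 'pass', acao: '(none)', reason: 'no CORS headers' };
  if (acao === probeOrigin && credentials) {
    return { status: 'fail', acao, reason: 'arbitrary origin reflected with credentials' };
  }
  if (acao === probeOrigin) return { status: 'warn', acao, reason: 'arbitrary origin reflected' };
  if (acao === '*' && credentials) {
    return { status: 'warn', acao, reason: 'wildcard with credentials (browsers reject it, but the policy is wrong)' };
  }
  if (acao === '*') return { status: 'warn', acao, reason: 'wildcard origin' };
  return { status: 'pass', acao, reason: 'fixed origin, probe not reflected' };
}

// All four required headers present, and no stack/version leak.
// Leak heuristic (an assumption of this example): any X-Powered-By at all,
// or a Server value containing a digit, e.g. "nginx/1.25.3".
function checkSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const missing = REQUIRED_HEADERS.filter((name) => !(name in h));
  const leaks = [];
  if ('x-powered-by' in h) leaks.push(`X-Powered-By: ${h['x-powered-by']}`);
  if ('server' in h && /\d/.test(h.server)) leaks.push(`Server: ${h.server}`);
  const status = missing.length ? 'fail' : leaks.length ? 'warn' : 'pass';
  return { status, missing, leaks };
}

// Live probe using Node 18+ global fetch. Not called here, so the file stays offline.
async function probeLive(url) {
  const res = await fetch(url, { headers: { Origin: PROBE_ORIGIN }, redirect: 'manual' });
  const headers = Object.fromEntries(res.headers.entries());
  return { cors: classifyCors(headers), security: checkSecurityHeaders(headers) };
}

// Constructed fixtures: a hardened response and a misconfigured one.
const FIXTURES = {
  hardened: {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    Server: 'cloudflare',
  },
  reflecting: {
    'Access-Control-Allow-Origin': PROBE_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
    'X-Powered-By': 'Express',
    Server: 'nginx/1.25.3',
  },
};

for (const [name, headers] of Object.entries(FIXTURES)) {
  console.log(name, classifyCors(headers), checkSecurityHeaders(headers));
}
```

The ordering in classifyCors matters: the reflected-with-credentials case is checked before the plain reflection case so a server that echoes every Origin and also sets credentials is reported as a fail, not a warn.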

Install (not really — just run)

npx mrc-audit scan https://your-mcp.com

That's it.

Example output

mrc-audit report for https://api.meacheal.ai
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  PASS  12 pass / 0 warn / 0 fail
  Completed in 1847ms

[INFRA]
  ✓ root endpoint                         HTTP 200 (latency=21ms)
  ✓ A2A agent card                        HTTP 200 (latency=28ms)
  ✓ ChatGPT ai-plugin manifest            HTTP 200 (latency=23ms)
  ✓ OpenAPI spec                          HTTP 200 (latency=18ms)
  ✓ MCP metadata                          HTTP 200 (latency=24ms)
  ✓ health endpoint                       HTTP 200 (latency=15ms)

[SECURITY]
  ✓ security headers                      All 4 required headers present, no version leaks
  ✓ CORS posture                          ACAO=(none)

Commands

mrc-audit scan <url>           Run a public audit on the target URL
mrc-audit scan <url> --json    Output raw JSON (for piping to jq)
mrc-audit scanners             List 3rd-party scanners we aggregate
mrc-audit --help               Show help

What's checked (free, public)

  • Root endpoint reachability + latency
  • 5 common metadata endpoints (/.well-known/agent-card.json, /.well-known/ai-plugin.json, /openapi.json, /mcp, /health)
    • JSON field validation
    • URL allowlist (flags URLs in servers[0].url, api.url, etc. that point at hosting-platform hostnames such as workers.dev, herokuapp.com, vercel.app or netlify.app instead of a domain you own)
    • Forbidden substring scanning
  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • Version leak detection (X-Powered-By, Server headers)
  • CORS posture (reflected-origin probe: sends a request with an arbitrary Origin and checks whether it is echoed back together with Access-Control-Allow-Credentials: true; also flags Access-Control-Allow-Origin: * combined with credentials, which browsers refuse to honour but which shows the policy is misconfigured)
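The metadata checks (JSON field walk, URL allowlist, platform-host leak detection, forbidden substrings) are shown below as an added example, not mrc-audit's own code. It walks any of the metadata documents, reports each finding with a JSON path so the offending field is obvious, and runs on Node 18+ with no network. The agent card and OpenAPI document are constructed fixtures; the forbidden-substring list and the `$.servers[0].url` path notation are assumptions of this example.

```javascript
// Added example, not mrc-audit's own code: scan a metadata document
// (agent-card.json, ai-plugin.json, openapi.json, /mcp) for URLs pointing at
// hosting-platform hostnames, hosts outside an allowlist, and forbidden
// substrings. Fixtures and the substring list are constructed for this example.

const PLATFORM_SUFFIXES = ['workers.dev', 'herokuapp.com', 'vercel.app', 'netlify.app'];
const FORBIDDEN_SUBSTRINGS = ['localhost', '127.0.0.1', 'staging', 'internal']; // assumed list
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// True when host is the platform domain itself or any subdomain of it
// ("notworkers.dev" is not a match, "foo.bar.workers.dev" is).
function isPlatformHost(host, suffixes = PLATFORM_SUFFIXES) {
  return suffixes.some((s) => host === s || host.endsWith(`.${s}`));
}

// Depth-first walk yielding [jsonPath, value] for every string leaf, so a
// finding can name e.g. $.servers[0].url instead of "somewhere in the doc".
function* stringLeaves(node, path = '$') {
  if (typeof node === 'string') { yield [path, node]; return; }
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringLeaves(node[i], `${path}[${i}]`);
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) yield* stringLeaves(value, `${path}.${key}`);
  }
}

// allowedHosts: the hostnames you actually own; empty means "allowlist off".
function scanMetadata(doc, { allowedHosts = [] } = {}) {
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  const findings = [];
  for (const [path, value] of stringLeaves(doc)) {
    for (const url of value.match(URL_RE) || []) {
      const host = hostOf(url);
      if (!host) continue;
      if (isPlatformHost(host)) {
        findings.push({ path, rule: 'platform-host-leak', value: url });
      } else if (allowed.length && !allowed.includes(host)) {
        findings.push({ path, rule: 'host-not-allowlisted', value: url });
      }
    }
    for (const needle of FORBIDDEN_SUBSTRINGS) {
      if (value.toLowerCase().includes(needle)) findings.push({ path, rule: 'forbidden-substring', value: needle });
    }
  }
  return findings;
}

// Constructed fixture: an A2A agent card whose provider URL leaks a
// workers.dev hostname and whose skill text mentions a staging backend.
const AGENT_CARD = {
  name: 'example-agent',
  url: 'https://api.example.com/a2a',
  provider: { organization: 'Example Org', url: 'https://example-agent.example.workers.dev' },
  skills: [{ id: 'lookup', description: 'Lookup via staging backend' }],
};

// Constructed fixture: a clean OpenAPI document.
const OPENAPI = {
  openapi: '3.1.0',
  info: { title: 'Example API', version: '1.0.0' },
  servers: [{ url: 'https://api.example.com' }],
  paths: { '/health': { get: { summary: 'Health check' } } },
};

console.log(scanMetadata(AGENT_CARD));
console.log(scanMetadata(OPENAPI, { allowedHosts: ['api.example.com'] }));
```

Scanning every string leaf rather than a fixed set of fields is deliberate: a leaked hostname in a description or a nested `provider.url` is just as public as one in `servers[0].url`.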

What needs the full audit (paid)

Sign up at https://api.meacheal.ai/audit for:

  • Drift detection — SHA-256 snapshot of your MCP tools / agent-card / OpenAPI paths, diff alert on unauthorized changes
  • SLA ledger — uptime % per check over 30/90 days + p50/p95/p99 latency + SRE-style error-budget burn-down
  • Compliance report — every check mapped to OWASP ASVS 4.0 / API Top 10 / SOC 2 / ISO 27001 / OpenSSF Scorecard / MCP Security
  • Data observability — Monte Carlo-style volume anomaly (7-day rolling baseline) + schema drift + distribution tracking
  • BOLA / BFLA probing — automated tests for OWASP API Security Top 10 2023 items API1 (Broken Object Level Authorization) and API5 (Broken Function Level Authorization)
  • Negative-input fuzzing — SQL injection / XSS / path traversal / oversized payload / malformed content-type
  • OSV.dev CVE scanning — dependency vulnerability check
  • BYO rules — 11 declarative predicates, author your own rules via API
  • 3rd-party scanner aggregation — OpenSSF Scorecard, (soon) Cisco mcp-scanner, Snyk, Great Expectations, Schemathesis
  • Alerts — webhook to Slack / PagerDuty / Jira / custom

Strategy: picks-and-shovels for vertical MCP servers

The MCP ecosystem is moving toward vertical-industry servers (supply chain, healthcare, finance, logistics). Each vertical will need auditing. mrc-audit is the aggregator: we don't build another scanner, we aggregate all of them into one console.

See AUDIT_PRODUCT_ROADMAP for the full strategy.

License

MIT