tateprograms

fixed-scope MCP launch review

MCP servers should install cleanly before strangers try them.

A practical review for open-source MCP packages: package identity, server.json, npm install path, client config, tool-safety notes, smoke-test proof, and directory submission readiness.

scope: one MCP repo
price: $99
output: prioritized launch report

scope

$99 launch review for one MCP server repo.

review

MCP launch review

$99

  • Shipcheck report with MCP-specific findings
  • package.json, package identity, and server.json review
  • npm install and MCP client config smoke test
  • README install steps and tool-safety note cleanup
  • short prioritized fix list or patch notes
  • registry and directory submission notes

patch

Follow-up patch pass

from $150

  • metadata and README fixes
  • copyable client config examples
  • package release checklist
  • one follow-up smoke test
  • fixed quote before changes

what gets checked

Small launch details decide whether a package feels trustworthy.

identity

Registry metadata

Checks package name consistency, repository metadata, version trail, runtime command, and transport entry.

install

Install path

Runs the package the way users will run it and verifies the server exposes tools through a client connection.

permissions

Tool safety

Looks for clear notes about what tools read, write, modify, call over the network, or require users to approve.

submission

Directory readiness

Prepares the repo for listing paths like npm, GitHub releases, MCP directories, and registry-driven discovery.

trust

Publish evidence

Checks whether package ownership, release tags, and build provenance are easy for technical buyers to inspect.

network

Boundary notes

Calls out unclear filesystem access, shell usage, network calls, token handling, and remote-server assumptions.

current reference points

The review tracks where the ecosystem is moving now.

npm

Trusted Publisher setup

npm documents trusted publishing as an OIDC relationship between package and CI provider, with short-lived publish credentials.

npm trusted publishers

mcp

Server metadata

The official registry docs use server.json to describe remote servers and package-backed installs.

MCP registry docs

security

Implementation risk

MCP security guidance highlights implementation-specific risks, including confused deputy patterns and SSRF boundaries.

MCP security guidance

proof

Smoke test trail

A clean launch report should include the command, client config, observed tool list, and any permissions a user must grant.

sample report

ready to send

Pay $99, then send the repo or npm package link for review.

Or email the repo first if you want scope confirmed before payment.

pay with PayPal