mcp-skills-vault
Install MCP safely.
Curated registry of 112 servers with pinned hashes, license info, and advisory-feed checks before any install command is written.
Learn →Tools for taming the MCP supply chain.
Two small, offline-first tools for people who run Model Context Protocol servers on their own machines and would like to know what those servers are doing.
mcp-trace
See what it’s doing.
Stdio MITM proxy that pairs JSON-RPC request/response by id and logs metadata to a local SQLite file. Bodies never captured by default.
Learn →No cloud. No telemetry. Same kind of tooling your CI would use, packaged for your laptop.
Why these two together
- Vault answers what to install — integrity-pinned commands, before
npx -yruns. - Trace answers what it’s doing — once installed, which tools actually get called, how long they take, and what they cost in tokens.
- Neither sends anything off your machine. Advisory feeds and registry calls are additive; offline use is the default mode.
Five constraints
Both projects share the same shape:
- Offline-first — the gate you care about runs with no network.
- Minimal — zero runtime deps; Node built-ins only.
- Inspectable — every output has
--json; every entry has an audit trail. - Deterministic — same input, same output, every run.
- Boring — supply-chain tooling should not be exciting.