OPEN SOURCE · SECURE · MCP-NATIVE

The secure registry for MCP servers and skills.

Every bundle scanned. Every trust score public. Open source from day one.

Browse bundles · Browse skills · Publish

terminal
$ mpak search postgres
NAME                    VERSION   TRUST
@mcp/server-postgres    v0.6.2    L3
@community/pg-admin     v1.2.0    L2
$ mpak install @mcp/server-postgres
Trust: L3 Verified (92/100)
✓ Signed provenance
✓ No dangerous permissions
✓ Dependencies vendored
Installing @mcp/server-postgres@0.6.2... done
$

Built for MCP security

MCPB Format

One standardized package format for all MCP servers. Python, Node, or binary, all installed the same way.

Built-in Security Scans

25 controls, 5 domains. Trust score on every publish. L1 through L4 certification.

Learn about certification →

Open Source Registry

Entire stack is Apache 2.0. Self-hostable with federation, policies, and audit logging.

Want the full security architecture? Read the whitepaper →

Why not npm, PyPI, or Docker Hub?

                        General-purpose registries              mpak
Packaging               Language-specific (npm, pip, Docker)    One format (MCPB) for all runtimes
Install experience      Requires runtime, deps, config          Single command, zero deps
Security scanning       Generic CVE checks                      MCP-specific: 25 controls, 5 domains
Trust visibility        None or hidden                          Public trust score on every package
Enterprise governance   Limited or paid add-on                  Self-hostable, federation, audit logs

Extend your AI

Bundles

Capabilities

Pre-built servers that give your AI new abilities. Connect to databases, call APIs, access file systems. Every bundle scanned with 25 security controls.

  • Database access
  • API integrations
  • File operations
mpak bundle pull [package]

Browse bundles →

Skills

Expertise

Instructions that teach your AI new behaviors and domain knowledge. Shape how it thinks and responds.

  • Code review patterns
  • Writing styles
  • Domain expertise
mpak skill install @org/skill

Browse skills →

Built something for AI?

Publish bundles or skills to mpak. Security scanning, verified provenance, one-command installs.

Install the CLI

npm install -g @nimblebrain/mpak

Then run mpak search to get started

Frequently Asked Questions

What is mpak?

mpak is the secure, open-source package registry for MCP servers. Every bundle is scanned with 25 security controls across 5 domains, and trust scores are visible on every package. Think of it as a purpose-built registry for the MCP ecosystem, with security at its core.

What are Bundles?

Bundles are pre-packaged MCP servers that give your AI new capabilities: database access, API integrations, file operations. They contain everything needed to run: binaries, configs, and metadata. They work across macOS, Linux, and Windows.

What are Skills?

Skills are markdown instructions that teach your AI new behaviors and domain expertise: code review patterns, writing styles, specialized knowledge. They follow the Agent Skills specification and work across AI platforms.

How is mpak different from the MCP Registry?

The MCP Registry is a metaregistry that aggregates server listings from multiple sources. mpak is a package registry: it hosts the actual bundles, scans them for security, computes trust scores, and serves them to the CLI. The MCP Registry can point to mpak as a source.

Is mpak open source?

Yes. The registry, CLI, SDK, scanner, and deploy tooling are all Apache 2.0 licensed. mpak.dev is one instance of the registry, but you can self-host your own with federation, policies, and audit logging.

How do I install a package?

First install the CLI: npm install -g @nimblebrain/mpak. Then for bundles: mpak bundle pull @scope/bundle-name. For skills: mpak skill install @scope/skill-name.

Is mpak free to use?

Yes, mpak is completely free for both users and publishers. The registry, CLI tool, and all features are available at no cost.

How do I publish a package?

Add a manifest.json and the mcpb-pack GitHub Action to your repo. When you create a release, the action builds, scans, and publishes automatically. Visit /publish for the full guide.