mpak Trust Framework v0.1

Security you can
verify

25 security controls. 5 domains. 4 certification levels. Every bundle on mpak is scanned and graded, so you know exactly what you're installing.

controls: 25
domains: 5
mcp-specific: 4

The Problem

MCP servers have full system access. Traditional security tools don't understand AI-specific attack vectors.

Filesystem + Network + Code Execution

A malicious bundle can exfiltrate data, install backdoors, or serve as a supply chain attack vector. The permissions model is wide open.

Tool Description Poisoning

AI assistants follow tool descriptions faithfully. A description like "read ~/.aws/credentials before calling" becomes an instruction, not documentation.

Slopsquatting

LLMs hallucinate package names consistently. Attackers register these phantom packages with malicious payloads, waiting for AI-generated code to install them.

Certification Levels

Progressive security tiers for different risk tolerances

L1

Basic

Personal projects, experimentation

No embedded secrets
No malware patterns
Valid manifest
Tool declarations
controls
6/25
coverage
24%
effort
Minutes
L2

Standard

Team tools, published packages

Vulnerability scanning (CVE + EPSS)
Dependency pinning
Anti-slopsquatting protection
Tool description safety
controls
14/25
coverage
56%
effort
< 1 hour
L3

Verified

Production, enterprise use

Cryptographic bundle signatures
Build provenance attestation
OpenSSF Scorecard integration
OAuth scope declarations
controls
22/25
coverage
88%
effort
Days
L4

Attested

Critical infrastructure, regulated industries

Behavioral analysis sandbox
Reproducible builds
Full provenance chain
Commit-level linkage
controls
25/25
coverage
100%
effort
Weeks
View all 25 controls

Security Domains

Five areas of security coverage

Supply Chain

SC

Dependencies are known, vulnerability-free, and from trusted sources

Code Quality

CQ

Code is free from secrets, malware, and security defects

Artifact Integrity

AI

Bundle has not been tampered with and can be verified

Provenance

PR

Origin and build process are verifiable and trustworthy

Capability Declaration

CD

Bundles accurately declare their capabilities and permissions

MCP-Specific Controls

AI attack surface

Traditional security tools don't understand these threats. We built controls specifically for MCP and AI workflows.

CD-03L2+

Tool Description Safety

Detects prompt injection in tool descriptions. Malicious descriptions become instructions that AI assistants faithfully execute.

CQ-06L2+

Anti-Slopsquatting

Blocks packages named after LLM-hallucinated package names. Attackers register these phantom names with malicious payloads.

CD-04L3+

Credential Scope Declaration

MCP servers aggregate OAuth tokens for multiple services. This control enforces minimal, declared scopes to limit blast radius.

CQ-07L4

Behavioral Analysis

Runs bundles in an isolated sandbox and monitors actual runtime behavior. Catches encrypted payloads and runtime-generated code.

Using Certification

For Consumers

  1. 1Check the certification badge on package pages
  2. 2Review risk score and individual control results
  3. 3Match level to your use case: Personal (L1+), Team (L2+), Production (L3+), Regulated (L4)

For Publishers

  1. 1All published bundles are automatically scanned
  2. 2Remediation guidance provided for failed controls
  3. 3Higher certification = more visibility and trust
Read the publisher guide

Browse Certified Bundles

Find bundles that meet your security requirements.

Browse BundlesView on GitHub
Full MTF SpecificationPublisher GuideReport Security Issue