Launch risk: medium
The package can run locally, but directory metadata and install docs need cleanup before public submission.
Sample deliverable
Example report for a fictional pre-release npm MCP server. This shows the format, not a real client finding.
Read-only repo pass, npm package metadata, MCP client config, README, release tag, and one local tool-list smoke test.
Add ownership metadata, pin the package version, and document what each tool reads or changes.
Findings
Evidence: package.json has no mcpName, while the registry submission name is set to io.github.example/toolbox.
Impact: Official registry publishing can fail because the package does not prove it belongs to the submitted MCP server name.
Fix: Add "mcpName": "io.github.example/toolbox" to package.json, then publish a new npm patch version.
server.json uses a floating package version
Evidence: The package entry points to latest instead of the exact npm version being submitted.
Impact: Directory reviewers and users cannot reproduce the same install that was tested.
Fix: Pin packages[0].version to the published npm version and keep it aligned with the GitHub release tag.
Evidence: Install docs show npm install, but no mcpServers JSON for stdio clients.
Impact: Users have to infer the command and arguments, which creates support churn and failed first runs.
Fix: Add a tested mcpServers block using npx --yes --package package-name package-bin.
Evidence: The README says the server can "manage project files" without separating read-only actions from writes.
Impact: Users and agent clients cannot tell which actions need review before approval.
Fix: Add a short tool table that states inputs, filesystem access, network calls, write behavior, and required secrets.
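The mcpName and floating-version findings above can be caught before submission with a small Node.js check; this is an added example, not part of the sample report or any project's own tooling. It assumes the submitted name is stored in the name field of server.json, and the function name, finding ids, and sample values are constructed for illustration.

```javascript
// Added example: pre-submission check for the mcpName and version findings.
// Assumption: server.json carries the submitted name in `name` and the
// package entry in `packages[0]`; inputs are already-parsed JSON objects.

// Exact semver only: 1.2.3 or 1.2.3-rc.1 (no ranges, dist-tags, or wildcards).
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function checkSubmission(pkg, server) {
  const findings = [];
  const entry = (server.packages || [])[0] || {};

  // package.json must prove ownership of the submitted server name.
  if (typeof pkg.mcpName !== "string" || pkg.mcpName === "") {
    findings.push({ id: "mcpName-missing", fix: `add "mcpName": "${server.name}" to package.json` });
  } else if (pkg.mcpName !== server.name) {
    findings.push({ id: "mcpName-mismatch", fix: `mcpName "${pkg.mcpName}" != server.json name "${server.name}"` });
  }

  // The package entry must name one exact, reproducible version.
  if (typeof entry.version !== "string" || !EXACT_SEMVER.test(entry.version)) {
    findings.push({ id: "version-floating", fix: `pin packages[0].version (found ${JSON.stringify(entry.version)})` });
  } else if (entry.version !== pkg.version) {
    // Pinned, but not to the version that package.json says is being published.
    findings.push({ id: "version-drift", fix: `server.json pins ${entry.version} but package.json is ${pkg.version}` });
  }
  return findings;
}

// Constructed sample input mirroring the fictional report above.
const samplePkg = { name: "package-name", version: "0.4.1" };
const sampleServer = {
  name: "io.github.example/toolbox",
  packages: [{ version: "latest" }],
};

for (const f of checkSubmission(samplePkg, sampleServer)) {
  console.log(`${f.id}: ${f.fix}`);
}
```

Run it in CI against the parsed package.json and server.json and fail the release job when the returned list is not empty.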
Fix order
Add mcpName, pin server.json, verify repository metadata, and publish a patch release.
Add tested stdio config, npm install command, expected tool list, and troubleshooting notes for first run.
Mark which tools are read-only, which can modify state, and which secrets or accounts are required.