mcpb
MCP Bundles (MCPB) is a TypeScript/Node.js toolchain and bundle format for packaging a local MCP server into a single .mcpb (zip) archive with a manifest.json describing server entrypoints and capabilities. It includes a CLI (mcpb init/pack) and reference code used by Claude for macOS/Windows to load, verify, and provide single-click installation with related end-user features like updates and configuration.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security is primarily about packaging/manifest integrity and safe local execution; the provided material does not describe TLS, auth, or scope controls because this is not a network API. Dependency hygiene is unknown beyond the listed runtime dependencies. Bundling all server files (including node_modules) increases supply-chain risk; users/hosts should validate signatures/hashes if supported and avoid executing untrusted bundles.
⚡ Reliability
Best When
You want to ship a local MCP server to desktop users and have host apps implement MCPB bundle installation and configuration.
Avoid When
You need a hosted, network-accessible service with server-side authentication, rate limiting, and SLAs; MCPB primarily targets local execution and distribution format interoperability.
Use Cases
- Distributing local MCP servers to end users in a portable, app-friendly way
- Enabling desktop apps (e.g., Claude on macOS/Windows) to install local MCP servers via a standard bundle format
- Creating and validating .mcpb archives from local MCP server source trees
- Declaring MCP server capabilities and runtime requirements through manifest.json for host apps to configure/install
Not For
- Running server-side web APIs as a hosted SaaS
- Remote multi-tenant access control for third-party users (the focus is local MCP servers)
- Replacing the MCP protocol itself; it is a packaging/installation layer rather than an MCP transport or registry
Interface
Authentication
No API/service authentication is described; this is a local packaging tool and a bundle specification intended for local MCP servers loaded by desktop hosts.
Pricing
Open-source package (Apache-2.0 / MIT as described). No pricing info for a hosted service.
Agent Metadata
Known Gotchas
- ⚠ mcpb bundles are zip archives; incorrect manifest.json fields or mismatched server.entry_point/runtime.type may cause host verification/install failures
- ⚠ Host apps (e.g., Claude for macOS/Windows) implement installation/verification logic; behavior and constraints may differ across hosts and bundle types
- ⚠ Packaging entire node_modules into a bundle can increase size and may cause unexpected runtime issues on the host if dependencies or binaries are incompatible with the platform
Scores are editorial opinions as of 2026-03-30.