godot-mcp-native
Warn
Audited by Socket on May 17, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core capabilities match the stated purpose of controlling a Godot project, so this is not fundamentally deceptive. Main concerns are proportionality and trust-chain: a local HTTP control server with authentication disabled by default, powerful script/runtime execution features, and an extra npm/npx bridge from a different package. Overall this looks coherent but materially risky rather than outright malicious.
Confidence: 84%, Severity: 62%
Audit Metadata