
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@stora-sh/mcp
Advanced tools
Stora MCP Server — App Store screenshots, ASO, compliance and submission tools for Claude Code, Cursor, Antigravity and any MCP-compatible client
Stora's Model Context Protocol server. Exposes screenshots, ASO, compliance, and submission tooling to any MCP-compatible client: Claude Code, Cursor, Antigravity, Zed, Windsurf, ChatGPT Desktop.
Stora is the post-code layer. Your IDE writes code;
storahandles screenshots, compliance, metadata, and submission.
npm install -g @stora-sh/mcp
# or
npx @stora-sh/mcp
Grab an API key at https://stora.sh/settings/api-keys. Keys look like sk_stora_….
export STORA_API_KEY=sk_stora_…
For local dev against a self-hosted stora instance:
export STORA_BASE_URL=http://localhost:3000/api/v1
Add to ~/.claude/mcp_servers.json (or the equivalent per-project file):
{
"mcpServers": {
"stora": {
"command": "npx",
"args": ["@stora-sh/mcp"],
"env": { "STORA_API_KEY": "sk_stora_…" }
}
}
}
Settings → MCP → Add:
{
"stora": {
"command": "npx",
"args": ["@stora-sh/mcp"],
"env": { "STORA_API_KEY": "sk_stora_…" }
}
}
Same pattern — npx @stora-sh/mcp with STORA_API_KEY in env.
| Tool | What it does |
|---|---|
stora_list_projects | List every Stora project the key can access. |
stora_get_project | Fetch a single project by ID (via listProjects + filter). |
stora_get_metadata | Read active App Store + Play metadata + ASO profile. |
stora_update_metadata | Create a new active metadata version. |
stora_list_screenshots | List screenshot collections for a project. |
stora_generate_screenshots | Start a cloud capture run. |
stora_get_screenshots | Get raw + generated screenshots for a collection. |
stora_check_compliance | Trigger a compliance scan. |
stora_get_compliance_results | Full scan results with issues + scores. |
stora_record_local_submission | Bookkeeping only — does NOT submit to Apple/Google. See below. |
stora_get_status | Latest submission + active version state. |
stora_record_local_submission wraps POST /api/v1/projects/:id/submit, which only writes a local submissions row. It does not transmit to App Store Connect or Google Play. For real App Store submission, use the Stora dashboard or call /api/apple/submit-for-review directly. Google Play write-path via v1 is not yet implemented.
proj_abc123. When it finishes, summarize the critical issues."proj_abc123 on iPhone 17 Pro and iPad Pro 13, then wait for the collection to complete."proj_abc123."npm install
npm run build
npm test
MIT
FAQs
Stora MCP Server — App Store screenshots, ASO, compliance and submission tools for Claude Code, Cursor, Antigravity and any MCP-compatible client
We found that @stora-sh/mcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.