Currently, semble install will set the mcp as uvx --from 'semble[mcp]' semble, and will suggest uvx fallbacks in AGENTS.md and subagents.
This, however, leaves users vulnerable to supply chain attacks. If someone takes over the package, agents will install and execute the compromised package.
Semble install should pin to its own version.
Currently, semble install will set the mcp as
uvx --from 'semble[mcp]' semble, and will suggestuvxfallbacks in AGENTS.md and subagents.This, however, leaves users vulnerable to supply chain attacks. If someone takes over the package, agents will install and execute the compromised package.
Semble install should pin to its own version.