How does MCP Skills trust scoring work?

Every repo or package is evaluated across 4 dimensions — Alive (is it maintained?), Legit (who made it?), Solid (is it secure?), and Usable (can I work with it?). Each dimension combines multiple signals from the GitHub API, npm registry, OpenSSF Scorecard, and our analysis engine to produce a composite score from 0 to 10. Accepts GitHub repos, npm packages, Smithery URLs, and OpenClaw skills.

When MCP Skills detects an AI agent skill or MCP server, the algorithm shifts to Skills Mode. Security weight increases and two additional signals activate: Skill Spec Compliance and Tool Safety. The safety scanner checks for prompt injection, shell execution, credential access, network exfiltration, and obfuscated payloads — the exact attack patterns used in ClawHavoc.

What are the trust tiers?

Repos are assigned one of three trust tiers: Verified (score 7.0+ with strong dimensions across all 4 areas — safe to build on), Established (score 4.5+ — solid but check the details), or New (below threshold — promising but unproven). A fourth tier, Blocked, applies when critical safety concerns are detected.

Is the free scan really free?

Yes. Free scans show the trust tier badge, all 4 dimension scores, and a one-line rationale. Free tier includes the public directory, public score pages, badge embeds, and 10 scans per day. No account required. Single full reports are $2 each; Developer Pro adds full reports, batch API, monitoring, and agent workflows.

What are the limitations of trust scoring?

MCP Skills performs static analysis — source code pattern matching, GitHub metadata, and OpenSSF Scorecard data. It does not yet monitor runtime behavior, multi-step agent chain context leaks, or dynamically fetched payloads. A high score means strong static indicators, but no automated tool catches everything. Runtime observability and tool call auditing are on our roadmap.

The pre-install trust layer for MCP servers and AI skills.

Check any MCP server before you install it.

MCPSkills turns public source, package, vulnerability, and supply-chain signals into score pages, trust badges, monitoring, and API workflows teams can use before unknown tools reach an agent.

Scan a server Browse scored MCP servers Run a Safety Lab

Recently Verified As of 2026-06-04 UTC · how we score

Verified cloudflare/mcp-server-cloudflare 7.80 Skills Mode Verified moeru-ai/airi 7.74 Skills Mode Verified Azure/containerization-assist 7.64 Skills Mode

Verified means the repo meets our trust criteria (composite ≥ 7.0, dimension floors, no disqualifiers). Maintainers can claim a gold Verified badge on their score page.

1,184 malicious skills found in ClawHavoc 36.82% of skills had at least one security flaw 15 trust signals scored

Maintainer? See Verified repos or embed a live trust badge.

Try: modelcontextprotocol/servers · npm:@anthropic-ai/sdk · vercel/ai · https://smithery.ai/server/neon

API Key Settings

Remember on this device

No API key — free tier (10 scans/day)

Get an API key: Developer Pro $19/mo or Developer Pro $149/yr

1,220 Scored as of 2026-05-10

5 Registries

15 Trust Signals

4 Dimensions

Why this matters

OX Security submitted a benign proof-of-concept malicious MCP server to 11 public registries. Nine — including LobeHub and Cursor Directory — published it with no security review. Only GitHub rejected it.

Source: OX Security, April 2026

Trust Tiers

Verified

Active maintenance, strong docs, real adoption, secure. Build on this with confidence.

Established

Solid choice with caveats. Check the details before depending on it.

New

Promising but unproven. Use with awareness.

Original Research

What we found scoring the public ecosystem

Reproducible methodology, real GitHub data, no AI hand-waving. Both reports published April 2026.

ClawHub · 200 skills

State of ClawHub Trust

0% declared their security posture

10.5% Verified, 7.5% Blocked. The Solid dimension is the universal weak spot. Top 20 + bottom 10 + transparency analysis across 1.36M GitHub stars.

Read the report →

MCP Registry · 202 servers

State of MCP Security

83% carry a disqualifier flag

58% single-author. 21% no license. Average legitimacy 3.05/10. Zero CVEs. Random sample from 2,703 GitHub-backed servers.

Read the report →

Trail of Bits Is Right About Skill Scanners · SkillSpector vs MCP Skills · Claim Your Verified Badge · State of AI Skill Security · ClawHavoc and the Missing Trust Layer · CVE-Checking AI Skills · Score Without a Repo · How to Check if a Skill is Safe · See all research →

How trust scoring works

4 dimensions. 15 signals. Data from GitHub API, npm registry, and OpenSSF Scorecard.

Alive Is it maintained?

Commit recency Release cadence Issue responsiveness

Legit Who made it?

Author credibility Community adoption Contributor diversity Download adoption

Solid Is it secure?

Security posture Dependency health Tool safety Supply chain safety

Usable Can I use it?

README quality Spec compliance License clarity

Skills Mode

MCP servers and AI skills get 2 extra signals and heavier security weight. The safety scanner checks source code directly.

Prompt injection Shell execution Credential access Network exfiltration Obfuscated payloads

Patterns from ClawHavoc and ToxicSkills

What we check — and what we don't

Static analysis

Source code pattern matching across 20 files
GitHub metadata: commits, issues, contributors, releases
OpenSSF Scorecard security posture
Dependency health and supply chain signals
Spec compliance and documentation quality

Not yet covered

Runtime behavior monitoring (sandbox execution)
Multi-step agent chain context leaks
Dynamic payloads fetched after install
Tool call audit logging and policy enforcement

Trust scoring is a signal, not a verdict. A high score means strong static indicators across all dimensions — but no automated tool catches everything. Runtime observability and tool call auditing are on our roadmap.

Trust infrastructure pricing

Free scanning stays. Paid plans support monitoring, trust badges, and team/API workflows.

Free

forever

Public MCP directory
Public score pages
Live trust badges
10 scans/day

Single Report

one report

All 15 signal scores
Safety scan findings
Vulnerability intel
Shareable report URL

For active developers

Developer Pro

$19/mo

or $149/yr

Full 15-signal reports
Batch API + monitoring
1000 agent calls/day
Trending trust API

Builder Pro

$29/mo

or $249/yr

Monitored gold trust badge
Public certified listing
Recurring recertification
Priority support

Team

$99/mo

security workflows

Shared install reviews
Org repo monitoring
Team API workflows
Security review support

Enterprise

Custom

procurement + compliance

Custom limits and workflows
Security and procurement help
Private trust workflows
Custom reporting

Contact sales

Score from your IDE

Check trust scores without leaving Claude Code, Cursor, or any MCP client. Install in one command.

claude mcp add mcpskills -- npx @mcpskillsio/server

{
  "mcpServers": {
    "mcpskills": {
      "command": "npx",
      "args": ["@mcpskillsio/server"]
    }
  }
}

{
  "mcpServers": {
    "mcpskills": {
      "command": "npx",
      "args": ["@mcpskillsio/server"]
    }
  }
}

check_trust_score

"Score vercel/ai"

Trust tier, composite score, and 4 dimension breakdown for any repo, npm package, or registry URL.

scan_safety

"Is this MCP safe?"

5 safety checks for prompt injection, credential theft, shell execution, and more.

auto_gate

"Should I install this?"

Go/no-go decision with reasoning. Certified repos get instant approval.

batch_check

"Check these 5 deps"

Score up to 5 repos or packages in one call. Great for vetting a stack.

list_packages

"Show safe skill stacks"

Curated, pre-scored skill packages organized by use case.

@mcpskillsio/server on npm

For Developers & Agents

Build trust verification into your toolchain. Accepts GitHub repos, npm packages, Smithery URLs, and more. Agent-optimized API with go/no-go decisions.

Agent Response (Free)

curl -X POST https://mcpskills.io/.netlify/functions/score \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"repo":"npm:@anthropic-ai/sdk"}'

{
  "safe": true,
  "tier": "verified",
  "score": 8.2,
  "recommendation": "install",
  "flags": [],
  "reasoning": "15 signals, no disqualifiers"
}

Paid Response (API Key)

curl -X POST https://mcpskills.io/.netlify/functions/score \
  -H "Content-Type: application/json" \
  -H "X-API-Key: msk_your_key_here" \
  -d '{"repo":"owner/repo"}'

// Also accepts: npm:@scope/package,
// Smithery URLs, OpenClaw URLs.
// Returns: Full 15-signal breakdown,
// safety findings, recommendations.

Free 10 scans/day · compact response

Single Report · $2 One full 15-signal report

Developer Pro · $19/mo or $149/yr Batch API · monitoring · 1000 agent calls/day