Score any AI skill, MCP server, or npm package from your agent, CI pipeline, or application. One POST request returns a go/no-go decision, trust tier, and safety flags — no account required to start.
Every request is a single POST with a repo identifier. The API accepts owner/repo, GitHub URLs, npm packages, Smithery URLs, and OpenClaw URLs — it resolves all of them to a unified trust score.
```shell
curl -X POST https://mcpskills.io/.netlify/functions/score \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"repo":"npm:@anthropic-ai/sdk"}'
```

```json
{
  "safe": true,
  "tier": "verified",
  "score": 8.4,
  "recommendation": "install",
  "certified": false,
  "flags": [],
  "reasoning": "15 signals, no disqualifiers, AI skill detected, no safety findings",
  "fullReportAvailable": true
}
```
`safe` is your go/no-go boolean. `recommendation` is one of `install`, `caution`, `avoid`, or `blocked`. `flags` surfaces disqualifiers and low-dimension warnings for anything that needs a human glance.
Unauthenticated requests get the free agent response. Authenticated requests unlock the full 15-signal breakdown, safety findings, recommendations, and raise your rate limit.
```
X-API-Key: msk_{32-hex-char-key}
```

- `Accept: application/json` (or `X-API-Key` with no key) → agent free response (go/no-go, flags)
- `X-API-Key` with a valid key → full paid response (all 15 signals, safety findings, recommendations)

Keys are delivered by email immediately after purchase. Lose your key? Email hello@mcpskills.io with your order ID.
Everything runs on a single base URL. No SDK required — it's HTTP + JSON.
- Score endpoint: `{ "repo": "owner/repo" }` or any supported format. Returns tier, composite score, recommendation, and safety flags.
- Monitor endpoint: `{ "action": "watch|unwatch|list", "repo": "owner/repo", "email": "you@example.com" }`. Daily scan alerts fire on score delta ≥ 0.3 or tier change.

Same endpoint, three response shapes. The API picks the right one based on your headers and auth status.

Agent free response:

```json
{
  "safe": true,
  "tier": "verified",
  "score": 8.4,
  "recommendation": "install",
  "certified": false,
  "flags": [],
  "reasoning": "15 signals..."
}
```

Full paid response:

```json
{
  "repo": "owner/repo",
  "composite": 8.4,
  "tier": "verified",
  "dimensions": { ... },
  "signals": { ...15 signals... },
  "safety": { "findings": [] },
  "recommendations": [ ... ]
}
```
Agent mode is optimized for tool-calling loops: compact, deterministic, easy to branch on. Paid mode is optimized for CI pipelines and dashboards that need the full picture.
All limits are per-IP for anonymous traffic and per-key for authenticated traffic. Exceeding a limit returns HTTP `429` with a `resetAt` timestamp.
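As an added example (not the project's own client), a small Python CI gate that POSTs one identifier to the score endpoint and branches on the fields documented above: it fails closed on HTTP 429, on `limited: true` partial scores (see the FAQ below), and on any non-empty `flags`. The `allow_caution` policy switch is an assumption of this example, not an API parameter.

```python
"""CI gate for the mcpskills.io score API (illustrative client, not the project's own)."""
import json
import urllib.error
import urllib.request

SCORE_URL = "https://mcpskills.io/.netlify/functions/score"


def fetch_score(repo, api_key=None, timeout=20):
    """POST one repo identifier; return (HTTP status, parsed JSON body).
    This is the only network call, so the offline checks exercise gate() alone."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if api_key:
        headers["X-API-Key"] = api_key  # unlocks the full paid response
    req = urllib.request.Request(
        SCORE_URL, data=json.dumps({"repo": repo}).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # 429 bodies carry resetAt; keep the status so gate() can fail closed
        return err.code, json.loads(err.read() or b"{}")


def gate(status, body, allow_caution=False):
    """Map a score response to (allow, reason) for a pipeline step.
    Fails closed on rate limiting, unexpected statuses, partial scores and flags."""
    if status == 429:
        return False, "rate limited until " + str(body.get("resetAt", "unknown"))
    if status != 200:
        return False, "unexpected HTTP %d" % status
    if body.get("limited"):
        # metadata-only partial score: the API never marks these safe
        return False, "partial score (npm metadata only): no source analysed"
    if body.get("flags"):
        return False, "flags need human review: " + ", ".join(body["flags"])
    rec = body.get("recommendation")
    if body.get("safe") is True and rec == "install":
        return True, "%s tier, score %s" % (body.get("tier"), body.get("score"))
    if rec == "caution" and allow_caution:
        return True, "caution accepted by policy"  # hypothetical local policy
    return False, "recommendation %r" % rec


if __name__ == "__main__":
    status, body = fetch_score("npm:@anthropic-ai/sdk")
    allowed, why = gate(status, body)
    raise SystemExit(0 if allowed else "blocked: " + why)
```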
| Tier | Rate limit | Response mode |
|---|---|---|
| Human free | 10 scans / day | Tier + dimensions |
| Agent free | 10 scans / day | Go/no-go + flags |
| Single Report | 1 report ($2) | Full 15-signal report |
| Developer Pro | $19/mo or $149/yr | Full report + batch + monitoring |
| Team | $99/mo | Team API workflows + org monitoring |
| Badge SVG | 100 / hour per IP | Cached SVG |
Start free. Upgrade when you need the full report, batch checking, or monitoring. Keys are delivered by email seconds after checkout.
The MCP server wraps the API as 9 tools your agent can call directly. One install, then your agent can check any skill before installing it.
```shell
claude mcp add mcpskills -- npx @mcpskillsio/server
```

```shell
# with an API key, for the full paid response
claude mcp add mcpskills -- npx @mcpskillsio/server \
  --env MCPSKILLS_API_KEY=msk_your_key
```

- `check_trust_score` — Score any repo, package, or registry URL
- `auto_gate` — Boolean "should I install this?" with reason
- `scan_safety` — Safety-only scan (prompt injection, shell exec, credentials, exfiltration, obfuscation)
- `batch_check` — Check up to 5 repos in one call (Developer Pro or Team)
- `build_stack` — Stack recommendations from live trust data
- `list_packages` — Browse curated skill packages
- `watch_repo` — Start monitoring a repo
- `check_watched` — Re-scan all watched repos
- `get_badge` — SVG badge URL for READMEs

Keys are emailed immediately after LemonSqueezy confirms payment. Delivery typically takes under a minute. If it doesn't arrive, check spam, then email hello@mcpskills.io with your order ID.
Single Report credits don't expire. Developer Pro subscriptions reset their daily 1000-call cap at 00:00 UTC. Free scans reset daily at 00:00 UTC per-IP.
Owner/repo pairs, full GitHub URLs, npm packages (npm:@scope/package or bare package names), Smithery URLs, OpenClaw URLs, mcp.run URLs, and npmjs.com URLs. The resolver maps all of them to a unified score.
You get a partial score — 7 signals derived from npm metadata only. It's clearly labeled with `limited: true` and capped at the Established tier. Partial scores never return `safe: true` because there's no source code to analyze.
Scan requests are logged for rate-limiting only. We never share or sell scan history. Monitored repos are stored against your email in Netlify Blobs — deletable anytime via the monitor endpoint.
No — the Terms of Service prohibit reselling or redistributing scan results as a standalone service. You can absolutely use results inside your own product, agent, or dashboard.
Yes — if you haven't used your credits, email within 14 days of purchase and we'll refund. Used credits are non-refundable.
Every signal, dimension, tier threshold, and safety pattern is documented on the methodology page. The exact weights and formulas are deliberately not published to prevent gaming — but the what and why are fully transparent.