Score Any MCP Server — Even Without a GitHub Repo

By Michael Browne · April 2, 2026

Until now, scoring an AI skill on MCP Skills meant finding the GitHub repo. You needed the owner/repo URL. That was fine when most MCP servers lived on GitHub, but the ecosystem has fragmented. Skills are published on npm, listed on Smithery, registered on OpenClaw, and distributed through half a dozen other channels.

Now you can paste any of them directly into the scanner.

What Changed

MCP Skills now accepts these input formats — on the website, through the API, and in the MCP server tools:

Format               Example
GitHub repo          vercel/ai or https://github.com/vercel/ai
npm package          npm:@anthropic-ai/sdk or @anthropic-ai/sdk
npm URL              https://www.npmjs.com/package/zod
Smithery URL         https://smithery.ai/server/upstash/context7-mcp
OpenClaw skill       https://openclaw.com/skills/skill-name
Bare package name    express

The scanner figures out what you gave it, resolves it to the source repository, and runs the full 14-signal trust analysis. If you paste npm:@anthropic-ai/sdk, it finds the GitHub repo (anthropics/anthropic-sdk-typescript), scores it, and shows you the result — same as if you'd pasted the GitHub URL directly.

What Happens When There's No Source Repo

Some npm packages don't link to a GitHub repository. When that happens, you still get a score — but it's a Limited Score based on registry metadata only.

A limited score uses 7 signals instead of 14:

Limited scores are clearly labeled. They cap out at the "Established" tier — a package can never reach "Verified" without source code analysis. Safety scanning, supply chain checks, and code-level signals all require the actual source.

This is intentional. A limited score is better than no score, but it shouldn't be treated with the same confidence as a full analysis.

How the Resolver Works

When you paste something that isn't an owner/repo, the scanner runs a resolution step:

  1. npm packages — Fetches metadata from the npm registry. Extracts the repository.url field. Falls back to the homepage field if no repo is listed.
  2. Smithery URLs — Queries the Smithery registry API. Extracts the source repo from the server listing.
  3. OpenClaw skills — Looks up the skill listing and extracts the GitHub link. Falls back to npm resolution if no direct link is found.
  4. Bare package names — Auto-detected as npm packages and resolved through the npm registry.

Resolution results are cached for 24 hours. Repeated lookups for the same package don't re-fetch from the registry.
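
The input detection and the npm step of the resolver described above, as an added example that is not MCP Skills' own code. The function names and the sample metadata are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not MCP Skills' own code.
// Classify scanner input into the formats the page lists.
function classifyInput(raw) {
  const s = String(raw).trim();
  if (/^https?:\/\//i.test(s)) {
    let u;
    try { u = new URL(s); } catch { return { kind: "unknown", value: s }; }
    // Compare the parsed hostname exactly; a substring check would accept
    // look-alike hosts such as github.com.example.test.
    const host = u.hostname.toLowerCase().replace(/^www\./, "");
    const p = u.pathname.split("/").filter(Boolean);
    if (host === "github.com" && p.length >= 2)
      return { kind: "github", value: `${p[0]}/${p[1].replace(/\.git$/, "")}` };
    if (host === "npmjs.com" && p[0] === "package" && p.length >= 2)
      return { kind: "npm", value: p.slice(1, p[1].startsWith("@") ? 3 : 2).join("/") };
    if (host === "smithery.ai" && p[0] === "server" && p.length >= 2)
      return { kind: "smithery", value: p.slice(1).join("/") };
    if (host === "openclaw.com" && p[0] === "skills" && p.length >= 2)
      return { kind: "openclaw", value: p[1] };
    return { kind: "unknown", value: s };
  }
  if (s.startsWith("npm:")) return { kind: "npm", value: s.slice(4) };
  if (s.startsWith("@")) return { kind: "npm", value: s }; // scoped package, not owner/repo
  if (/^[A-Za-z0-9][A-Za-z0-9-]*\/[A-Za-z0-9._-]+$/.test(s)) return { kind: "github", value: s };
  if (/^[a-z0-9][a-z0-9._-]*$/.test(s)) return { kind: "npm", value: s }; // bare package name
  return { kind: "unknown", value: s };
}

// Extract owner/repo from a declared URL, anchored to the github.com host.
function githubSlug(url) {
  if (typeof url !== "string") return null;
  const m = url.trim().match(
    /^(?:github:|git@github\.com:|(?:git\+)?(?:https?|git|ssh):\/\/(?:[^@\/]+@)?(?:www\.)?github\.com\/)([A-Za-z0-9][A-Za-z0-9-]*)\/([A-Za-z0-9._-]+?)(?:\.git)?(?:[\/#?].*)?$/i);
  return m ? `${m[1]}/${m[2]}` : null;
}

// Resolve registry metadata: repository.url first, then homepage, else limited.
function resolveNpmMetadata(meta) {
  const r = meta.repository; // npm allows a string or an object with a url field
  const fromRepo = githubSlug(typeof r === "string" ? r : r && r.url);
  if (fromRepo) return { repo: fromRepo, via: "repository", limited: false };
  const fromHome = githubSlug(meta.homepage);
  if (fromHome) return { repo: fromHome, via: "homepage", limited: false };
  return { repo: null, via: null, limited: true }; // registry metadata only
}

// Constructed sample metadata (not fetched from the registry).
const SAMPLE = { name: "@anthropic-ai/sdk",
  repository: { type: "git", url: "git+https://github.com/anthropics/anthropic-sdk-typescript.git" } };
```

The repository and homepage fields are set by the package publisher, so a resolved repo is a claim about the source, not proof that the published tarball was built from it.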

Why This Matters

The MCP ecosystem is fragmenting across registries. Anthropic's Connector Directory, Smithery, OpenClaw, npm, mcp.run — skills are published in different places depending on who built them and when. Developers discover a skill on one platform but need to know the underlying GitHub repo to check if it's safe.

That friction meant some skills never got checked. Now the barrier is gone. Paste whatever you have.

Works Everywhere

Cross-registry input works on the website, through the REST API, and in all 8 MCP server tools. The API accepts the same formats:

curl -X POST https://mcpskills.io/.netlify/functions/score \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"repo":"npm:@anthropic-ai/sdk"}'

From the MCP server inside Claude Code or Cursor:

"Score @anthropic-ai/sdk"
"Is https://smithery.ai/server/upstash/context7-mcp safe?"
"Check these 5 packages: vercel/ai, @anthropic-ai/sdk, zod, hono, drizzle-orm"

Nightly Discovery

The nightly crawl now discovers new skills from 5 sources: the MCP Registry, GitHub topic search, GitHub keyword search, npm registry search, and the Smithery registry API. New packages are scored automatically and added to the growing index.

npm-only packages (those with no linked GitHub repo) get partial scores and are included in the index with the "Limited" label.
