Your agent installs third-party skills, MCP servers, and packages — each one arbitrary code with full local permissions and no review. The trust gate adds one reflex: before the agent installs anything, it asks "should I install this?" and refuses anything blocked. One HTTPS GET, no SDK, no account.
Drop one file into your agent's skills directory. For Claude Code (user-scope skills):
```bash
mkdir -p ~/.claude/skills/pre-install-trust-gate && \
  curl -fsSL https://mcpskills.io/skills/pre-install-trust-gate/SKILL.md \
    -o ~/.claude/skills/pre-install-trust-gate/SKILL.md
```
For OpenClaw, Hermes, Cursor, or any agent that loads SKILL.md files, fetch the same file into that agent's skills folder. The skill is plain Markdown with standard frontmatter — no runtime, no dependency to install.
Canonical source: /skills/pre-install-trust-gate/SKILL.md (CC BY 4.0).
Before the agent installs, adds, or enables anything third-party, it makes one request — GET /api/gate/<target> — and acts on the boolean:
```bash
curl -s "https://mcpskills.io/api/gate/modelcontextprotocol/servers"
# → { "proceed": true, "reason": "Established: composite 6.8, no disqualifiers", "tier": "established", ... }
curl -s "https://mcpskills.io/api/gate/npm:left-pad"                        # npm package
curl -s -H "X-API-Key: $KEY" "https://mcpskills.io/api/gate/owner/repo"     # higher daily limit
```
| Verdict | What the agent does |
|---|---|
| proceed: true | Install proceeds. The agent notes the tier and score in one line. |
| proceed: false | Stops. Surfaces the reason and the score page, asks for an explicit "install anyway." |
| 429 / error | Trust check couldn't complete — fails to the human, never silently installs un-checked. |
The gate returns proceed: true for Verified and Established with no hard disqualifier, and proceed: false for anything Blocked or New — including no license, a critical/KEV CVE, a known-malicious advisory, token exfiltration in CI, or unsafe patterns in source. Same verdict the auto_gate MCP tool returns; the gate is just that primitive on a plain URL.
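The verdict table above only holds if the caller fails closed. The following is an added example, not code from the skill or from mcpskills.io, showing one way an install wrapper could apply it. The function names and the action labels `install`, `blocked` and `ask_human` are assumptions, and the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

GATE_URL = "https://mcpskills.io/api/gate/"  # endpoint as given on the page

def decide(status, body):
    """Map one gate response to (action, detail); anything unclear goes to the human."""
    if status != 200:
        return ("ask_human", f"trust check incomplete (HTTP {status})")
    try:
        verdict = json.loads(body)
    except (TypeError, ValueError):
        return ("ask_human", "trust check incomplete (unparseable body)")
    if not isinstance(verdict, dict):
        return ("ask_human", "trust check incomplete (unexpected JSON shape)")
    proceed = verdict.get("proceed")
    reason = str(verdict.get("reason", "no reason given"))
    # Only a real JSON boolean counts: "true", 1 or a missing key never installs.
    if proceed is True:
        return ("install", f"{verdict.get('tier', 'unknown tier')}: {reason}")
    if proceed is False:
        return ("blocked", reason)  # stop; needs an explicit "install anyway"
    return ("ask_human", "trust check incomplete (no boolean 'proceed')")

def check(target, api_key=None, timeout=5):
    """Query the gate for one target; transport failures never lead to an install."""
    req = urllib.request.Request(GATE_URL + target)
    if api_key:
        req.add_header("X-API-Key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 429 and other non-2xx statuses
        return decide(err.code, "")
    except OSError as err:  # DNS failure, timeout, TLS error
        return ("ask_human", f"trust check incomplete ({err})")

# Constructed sample responses, not captured from the live service.
SAMPLES = [
    (200, '{"proceed": true, "reason": "Established: composite 6.8, no disqualifiers", "tier": "established"}'),
    (200, '{"proceed": false, "reason": "constructed: no license"}'),
    (429, ""),
    (200, '{"proceed": "true"}'),
    (200, "<html>proxy error</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, decide(status, body))
```

Only the first sample yields `install`; the string `"true"` and the proxy error page both route to the human, which is the behaviour the 429 / error row asks for.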
Live against the same endpoint your agent calls. Free tier is 10 checks/day per IP — an API key raises it.
The trust gate is the rare skill that practices what it checks. Run it through the same engine and it earns the full 2.0 / 2.0 security-transparency bonus (it declares its network, permissions, and credentials in frontmatter) and a clean tool-safety pass — zero injection, exfiltration, or shell findings.
Most install flows run unreviewed third-party code with full local permissions. The published record makes the case:
mcp-remote (CVSS 9.6), across 437,000+ downloads before the patch.

A five-second pre-install gate is the cheapest control that catches the obvious cases. It is not a guarantee — it is static, pre-install evidence. Pair it with the controls a scanner can't replace: sandboxing, manifest hashing, version pinning. See how trust scoring works and the State of Hermes Skill Security report.
For agents, by design. The gate is the auto_gate primitive exposed as one cacheable GET so any install flow — human-run or fully autonomous — can ask the question and act on a boolean. No browser, no parsing, no auth required for the free tier.