Glossary

Trust scoring vocabulary

Definitions for every term used in the MCP Skills trust scoring engine. The canonical reference for AI skill and MCP server trust scoring vocabulary — useful for developers, researchers, and AI agents that need precise definitions.

Core Concepts

Trust score

A composite 0–10 number computed across 15 signals grouped into 4 dimensions (Alive, Legit, Solid, Usable). Quantifies the trustworthiness of a GitHub repo, npm package, MCP server, or OpenClaw skill. Deterministic given the same repository state at the same point in time.

Composite score

The single 0–10 number that summarizes a trust scan. Weighted average across all sufficient signals, with disqualifiers applied as hard caps. Surfaced as the headline number on every score page and in the API response.

Trust tier

Categorical label assigned alongside the composite score. One of four values: Verified, Established, New, or Blocked. Tier is computed from composite score, dimension floors, signal coverage, and disqualifier presence.

Trust Tiers

Verified (tier === 'verified')

Trust tier assigned when composite ≥ 7.0, the Solid dimension ≥ 5.0, and at least 8 sufficient signals are present, with no disqualifiers. The strongest tier — safe to build on with confidence.

Established (tier === 'established')

Trust tier assigned when composite ≥ 5.0 with sufficient signal coverage but doesn't meet Verified thresholds. A solid choice with caveats — review the dimension breakdown before depending on it.

New (tier === 'new')

Trust tier assigned when composite < 5.0, typically due to insufficient signal coverage. Often a young or sparsely-maintained project — promising but unproven. Use with awareness.

Blocked (tier === 'blocked')

Trust tier assigned whenever a hard disqualifier is present. Hard-gates the result regardless of composite score. Indicates a structural issue (no license, archived, safety pattern, supply-chain risk, single-author with low adoption, or a critical/KEV-listed CVE) that cannot be offset by other signals.
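
The tier precedence described above, as an added example that is not MCP Skills code: it re-derives a tier from a scan result so a consumer can cross-check the label it was given, and it also applies the partial-mode cap defined under Scoring Modes. The property names and the coverageSufficient flag are assumptions, since this page states no coverage threshold for Established; treating a composite of 5.0 or more with thin coverage as New is likewise an assumption.

```javascript
// Added example: re-derive a trust tier from the fields this glossary names.
// Property names on `scan` are hypothetical, not the engine's API schema.
function deriveTier(scan) {
  const {
    composite,                  // 0-10 composite score
    solid,                      // Solid dimension score
    sufficientSignals = 0,      // count of signals with enough data
    disqualifiers = [],         // e.g. ['NO_LICENSE']
    mode = 'standard',          // 'standard' | 'skills' | 'partial'
    coverageSufficient = false, // assumption: page gives no Established threshold
  } = scan;

  // Fail closed on a missing or out-of-range composite.
  if (!Number.isFinite(composite) || composite < 0 || composite > 10) {
    throw new RangeError('composite must be a number in 0..10');
  }

  // 1. A disqualifier hard-gates the result regardless of composite score.
  if (disqualifiers.length > 0) {
    return { tier: 'blocked', reason: `disqualifier: ${disqualifiers.join(', ')}` };
  }

  // 2. Verified needs all three thresholds; partial scores can never earn it.
  const meetsVerified = composite >= 7.0 && solid >= 5.0 && sufficientSignals >= 8;
  if (meetsVerified && mode !== 'partial') {
    return { tier: 'verified', reason: 'composite, Solid floor and coverage met' };
  }

  // 3. Established: composite >= 5.0 with sufficient coverage.
  if (composite >= 5.0 && coverageSufficient) {
    const reason = meetsVerified
      ? 'partial score capped at Established'
      : 'below a Verified threshold';
    return { tier: 'established', reason };
  }

  // 4. Everything else is New (low composite or, by assumption, thin coverage).
  return { tier: 'new', reason: 'composite < 5.0 or insufficient coverage' };
}
```

A high composite does not rescue a result: a Solid score of 4.9 drops a 9.0 composite to Established, and a single disqualifier drops it to Blocked.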

Dimensions

Alive

One of four trust dimensions. Asks: "Is this project actively maintained?" Combines commit_recency, release_cadence, and issue_responsiveness signals.

Legit

One of four trust dimensions. Asks: "Can I trust the people behind this?" Combines author_credibility, community_adoption, contributor_diversity, and download_adoption signals.

Solid

One of four trust dimensions. Asks: "Is this secure?" Combines security_posture, dependency_health, tool_safety, supply_chain_safety, and known_vulnerabilities signals. The most heavily weighted dimension in Skills Mode.

Usable

One of four trust dimensions. Asks: "Can I actually work with this?" Combines readme_quality, skill_spec_compliance, and license_clarity signals.

Scoring Modes

Skills Mode (mode === 'skills')

Scoring mode that activates automatically when a target is detected as an AI skill or MCP server. Adds the tool_safety and skill_spec_compliance signals, runs 5 safety scans for prompt injection / shell exec / credential exfil / network exfil / obfuscated payloads, and parses SKILL.md YAML frontmatter for security transparency bonuses. Detection is confidence-based: SKILL.md = 3, server.json = 2, MCP/OpenClaw keywords = 1; activates at total ≥ 2.

Standard Mode (mode === 'standard')

Default scoring mode for general GitHub repositories without AI skill or MCP server indicators. Uses 13 signals across the 4 dimensions without the AI-skill-specific safety and spec compliance checks.

Partial score (mode === 'partial')

A 7-signal score used for npm packages that have no resolvable source GitHub repo. Uses npm metadata only (download adoption, maintainer credibility, dependency count, license clarity, README quality, known vulnerabilities, lifecycle script detection). Always labeled limited and capped at the Established tier — partial scores cannot earn Verified.

Disqualifiers

Disqualifier

A signal severe enough to override the composite score and force the Blocked tier. Six disqualifiers exist (listed below).

ARCHIVED disqualifier

Repo is marked archived on GitHub. The maintainer has explicitly stopped accepting changes; security patches will not ship.

NO_LICENSE disqualifier

No LICENSE file or unrecognized SPDX identifier. Legally unsafe to use commercially — without a license, all rights are reserved by default.

SAFETY_BLOCK disqualifier

Safety scanner detected dangerous patterns in source files: eval/exec on user input, credential exfiltration, network exfil, obfuscated payloads, or known prompt-injection patterns.

SUPPLY_CHAIN_RISK disqualifier

CI/CD workflow files contain token exfiltration patterns or PR-target checkout (the GitHub Actions vector that allows third-party PR code to run with secrets). Narrowly scoped — unpinned actions alone do not trigger it.

SINGLE_AUTHOR_LOW_ADOPTION disqualifier

Project has exactly one contributor AND low community adoption. Bus-factor-of-one risk — if the maintainer disappears, no one is positioned to ship a security patch.

CRITICAL_CVE disqualifier

Latest published version has an unpatched critical-severity CVE per OSV.dev, OR any CVE on the CISA KEV catalog (actively exploited in the wild). The KEV path hard-gates regardless of severity rating because exploitation is confirmed.

Signals

Tool safety signal (signals.tool_safety)

Skills-Mode-only signal scoring the static safety analysis of a skill's source files. Scans 20 source files for 5 threat pattern categories: prompt injection, shell execution on user input, credential access, network exfiltration, obfuscated payloads. Weighted 0.12 in Skills Mode. Modulated by the security transparency bonus (up to +2) when SKILL.md frontmatter declares a security posture.

Supply chain safety signal (signals.supply_chain_safety)

Signal scoring CI/CD workflow safety. Inspects GitHub Actions workflows for unpinned third-party actions, token exfiltration patterns, PR-target checkout, and secret echo. Triggers the SUPPLY_CHAIN_RISK disqualifier on the most severe patterns.

Security posture signal (signals.security_posture)

Signal scoring OpenSSF Scorecard adoption, branch protection settings, signed releases, and dependency-update tooling presence (Dependabot, Renovate). Reflects whether the maintainer has invested in baseline security hygiene.

Dependency health signal (signals.dependency_health)

Signal scoring transitive dependency hygiene combined with raw dependency count. Blended formula: baseDependencyHealth × 0.5 + depCountScore × 0.5 — high counts of healthy deps still incur a small penalty for surface area.

Known vulnerabilities signal (signals.known_vulnerabilities)

Signal cross-referencing the currently-installable version of a package against three real-time sources: OSV.dev, CISA KEV, and FIRST.org EPSS. Triggers the CRITICAL_CVE disqualifier on unpatched criticals or KEV-listed CVEs.

Security transparency

OpenClaw-specific concept: when a SKILL.md author declares the skill's security posture in YAML frontmatter (security block, allowed-tools constraint, requires.env declarations), MCP Skills awards up to a +2 bonus to the tool_safety signal. Rewards transparency without penalizing absence — the bonus only applies when fields are populated.

Vulnerability Intelligence

OSV.dev

Unified open-source vulnerability database hosted by Google. Combines GHSA, npm advisories, PyPA, Go vulndb, and RustSec into a single queryable source. MCP Skills queries OSV by package + version to determine the current vulnerability state of any scored package. osv.dev

CISA KEV

Known Exploited Vulnerabilities catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency. The federal authoritative list of vulnerabilities with confirmed in-the-wild exploitation. Any CVE on KEV hard-gates the affected package's tier to Blocked regardless of severity, because exploitation is no longer theoretical. cisa.gov/known-exploited-vulnerabilities-catalog

EPSS

Exploit Prediction Scoring System maintained by FIRST.org. A 0–1 probability that a given CVE will be exploited within the next 30 days. MCP Skills uses EPSS to weight non-KEV vulnerabilities — maxEpss ≥ 0.7 caps the known_vulnerabilities signal at 1; maxEpss ≥ 0.3 caps it at 3. first.org/epss
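
How the KEV gate and the EPSS caps from the entries above combine, as an added example that is not MCP Skills code. The record fields (id, severity, kev, epss), the base score argument, and treating a missing EPSS value as 0 are assumptions; the advisories are constructed.

```javascript
// Added example. `vulns` lists advisories affecting the currently installable
// version; the record fields (id, severity, kev, epss) are hypothetical names.
function scoreKnownVulnerabilities(baseScore, vulns) {
  const reasons = [];
  let maxEpss = 0; // highest EPSS among non-KEV advisories

  for (const v of vulns) {
    // Assumption: an advisory with no EPSS value yet counts as probability 0.
    const epss = v.epss ?? 0;
    if (!Number.isFinite(epss) || epss < 0 || epss > 1) {
      throw new RangeError(`${v.id}: EPSS must be a probability in 0..1`);
    }
    if (v.kev) {
      // KEV listing gates regardless of the severity rating.
      reasons.push(`${v.id}: listed on CISA KEV`);
    } else {
      if (String(v.severity).toLowerCase() === 'critical') {
        reasons.push(`${v.id}: unpatched critical`);
      }
      maxEpss = Math.max(maxEpss, epss); // EPSS weights non-KEV advisories only
    }
  }

  // maxEpss >= 0.7 caps the signal at 1; maxEpss >= 0.3 caps it at 3.
  let cap = null;
  if (maxEpss >= 0.7) cap = 1;
  else if (maxEpss >= 0.3) cap = 3;

  return {
    score: cap === null ? baseScore : Math.min(baseScore, cap),
    maxEpss,
    disqualifier: reasons.length > 0 ? 'CRITICAL_CVE' : null,
    reasons,
  };
}

// Constructed sample advisories, not real identifiers.
const SAMPLE_VULNS = [
  { id: 'EXAMPLE-1', severity: 'medium', kev: false, epss: 0.31 },
  { id: 'EXAMPLE-2', severity: 'low', kev: true, epss: 0.02 },
];
console.log(scoreKnownVulnerabilities(8, SAMPLE_VULNS));
```

The sample returns a signal capped at 3 by the medium-severity advisory and a CRITICAL_CVE disqualifier from the low-severity one, because only the latter is KEV-listed.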

Engine Concepts

Cross-registry resolver

The component that accepts any input format (owner/repo, GitHub URL, npm:@scope/package, Smithery URL, OpenClaw URL, mcp.run URL, npmjs.com URL) and resolves it to the canonical GitHub repository for full scoring. Falls back to npm metadata for partial scoring when no source repo exists. Resolution is cached for 24 hours.

Auto-gate MCP tool

MCP server tool that answers the agent-relevant question "should I install this?" as a boolean (proceed: true/false) plus a reasoning string. Certified Safe repos get instant proceed: true. Other targets get evaluated against tier, dimensions, and disqualifiers in real time.

Certified Safe

Badge program for repos meeting four requirements: composite ≥ 7.0, Solid dimension ≥ 5.0, no disqualifiers, and at least 8 sufficient signals. Renders a gold badge variant. Auto-certifies on first qualifying scan; auto-revokes during daily re-scans if the repo no longer meets requirements (with email notification to the maintainer).
