Original research on AI skill trust

Hermes installs its skills from skills.sh, the cross-agent directory. I scored the 118 most-installed skills you can install into Hermes today — 11.7M combined installs. 15% Verified, 20% Blocked. Vercel's own agent-skills repo (1.4M installs) is Blocked for NO_LICENSE, alongside Figma, Clerk, LangChain, Firecrawl, Convex, and Apify — a real legal risk, not a formality. And 0% declare any security posture in frontmatter, the same gap the ClawHub report found. Full dataset published CC BY 4.0.

The largest cross-registry MCP trust dataset to date — 2,233 servers, skills, and packages from npm, the MCP Registry, ClawHub, and GitHub. The shape is the story: no project clears 9/10, two-thirds cluster in an undifferentiated 5–7 band, and purpose-built MCP skills verify at 8.2% versus 24.8% for general SDKs — and are the only tier getting blocked. Full dataset published CC BY 4.0.

Trail of Bits bypassed five AI skill scanners across ClawHub, Cisco, and skills.sh using simple techniques. Their conclusion is structurally correct: no single content scan can reliably catch a malicious skill. This piece explains why that validates the trust-layer model rather than refuting it, maps all four attacks against our own scanner honestly, and shows what actually holds when scanning fails.

SkillSpector is a deep open-source scanner for AI agent skills. MCP Skills is a broader trust layer for MCP servers, AI skills, and packages. This piece explains how scanner findings should feed the Solid dimension as calibrated evidence without replacing maintenance, publisher, adoption, license, and usability signals.

Verified is the top trust tier: composite ≥ 7.0, dimension floors across all four areas, and no disqualifiers. About 12% of the ~2,000 scored projects clear it. Maintainers claim in 30 seconds from their score page — one click, no fee, no upsell.

The public /servers directory turns MCPSkills scoring into a pre-install surface: browse 1,220 scored repos and packages, trust tiers, modes, last-scored dates, and public score pages before running unknown MCP code.

Eight checks to run before you install a local MCP server. The manual audit, the things mcpskills automates (with v3.2.0's new public-binding and lifecycle-script checks), and the three controls — sandboxing, manifest hashing, version pinning — that no scanner replaces. Includes a self-audit of @mcpskillsio/server: 4 PASS, 1 INFO, 2 REVIEW, 1 FAIL → PATCHED in v2.4.2 the same day.

Random sample of 202 servers from the 2,703 GitHub-backed entries in the official MCP Registry. 58% are single-author with low adoption. 21% have no LICENSE. Average legitimacy: 3.05/10. Zero known CVEs. Top server has 40 stars — trust isn't dominated by popularity.

200 ClawHub skills representing 1.36M GitHub stars scored across 15 signals. 10.5% Verified, 81% Established, 7.5% Blocked. Solid is the universal weak spot. The transparency gap is a coordination failure, not a security failure.

AI skill scanners look for prompt injection and credential exfil. They miss known CVEs sitting in the npm package underneath. The published-vulnerability layer is unwatched in agent-tool ecosystems.

MCP Skills now accepts npm packages, Smithery URLs, and OpenClaw skills — not just GitHub repos. The resolver finds the source, runs the full algorithm, and falls back to a partial 7-signal score when no source repo exists.

10 popular AI tools and developer libraries scored. The official MCP Servers repo has 80K stars and scored lower than every other tool on the list. Maintenance cadence, security posture, and spec compliance are what separate "popular" from "trustworthy."

Why the AI skill ecosystem needs a multi-dimensional trust layer. VirusTotal scanning alone explicitly cannot assess trust, detect prompt injection, or evaluate code quality.

Practical guide for vetting an AI skill or MCP server before giving it access to your terminal, environment variables, and credentials.