---
name: pre-install-trust-gate
version: 1.0.0
description: Trust-check any AI skill, MCP server, plugin, or npm package BEFORE installing, adding, or enabling it. Run one trust gate, refuse anything blocked (no license, critical CVE, token exfiltration, unsafe source), and tell the user why. Use whenever you are about to install, add, enable, or pull in a third-party skill / MCP server / package.
homepage: https://mcpskills.io/gate
license: CC-BY-4.0
author: MCP Skills (Rise Above Partners)
security:
  network: Outbound HTTPS GET to https://mcpskills.io/api/gate/* only — no other hosts.
  permissions: Read-only. Sends only the public identifier being checked (owner/repo, npm package, or registry URL) — never source code, environment variables, or file contents.
  credentials: Optional MCPSKILLS_API_KEY, sent as the X-API-Key header to raise the rate limit. No credential storage, no persistence.
  shell: None beyond the single HTTPS GET.
  exfiltration: None.
allowed-tools:
  - name: web fetch / http GET / curl
    description: Perform the single GET request to the gate endpoint.
credentials:
  - name: MCPSKILLS_API_KEY
    required: false
    description: Optional. Raises the free 10-checks/day-per-IP limit. Sent as X-API-Key. Get one at https://mcpskills.io/api.
    format: msk_ followed by 32 hex characters
requires:
  - An HTTP-capable tool (web fetch, curl, or equivalent) in the host agent.
---

# Pre-Install Trust Gate

A safety reflex for agents: **never install third-party code blind.** Before you install, add, enable, or pull in any AI skill, MCP server, plugin, or npm package, ask the trust gate one question — *should I install this?* — and act on the answer.

This skill needs no runtime, no SDK, and no account. It is one HTTPS GET against the public MCP Skills gate, which scores the target across 15 trust signals (publisher credibility, maintenance, security posture, dependency health, source-code safety, supply-chain risk, and OSV/KEV/EPSS vulnerability intelligence) and returns a boolean.

## When to run the gate

Run it **before** any of these actions, on the exact thing being installed:

- `claude mcp add …`, `npx <package>`, `npm install <package>`, `pip install …`, `uvx …`
- Installing or enabling a skill, plugin, subagent, or extension from a registry (ClawHub, agentskills.io, skills.sh, Smithery, the MCP Registry, GitHub)
- Adding a new MCP server to a config file
- Any time a task step wants to pull in a third-party dependency the user did not already vet

If the user explicitly says they already trust it and to skip the check, honor that — this is a gate, not a wall.

## How to run it

Make one GET request. The input can be `owner/repo`, an `npm:package` name, or a registry URL.

```bash
# GitHub repository (owner/repo):
curl -s "https://mcpskills.io/api/gate/<owner>/<repo>"
# npm package:
curl -s "https://mcpskills.io/api/gate/npm:<package-name>"
# higher daily limit with a key (sent as the X-API-Key header):
curl -s -H "X-API-Key: $MCPSKILLS_API_KEY" "https://mcpskills.io/api/gate/<owner>/<repo>"
```

The response is JSON:

```json
{
  "proceed": true,
  "reason": "Established: composite 6.8, no disqualifiers",
  "tier": "established",
  "composite": 6.8,
  "verified": false,
  "page_url": "https://mcpskills.io/score/owner/repo"
}
```

> Already running the MCP Skills MCP server? Call the `auto_gate` tool instead of curl — same verdict, no HTTP plumbing.

## How to act on the answer

| Result | What you do |
|--------|-------------|
| `proceed: true` | Continue the install. Tell the user the tier and score in one line (e.g. "checks out — Established 6.8, no disqualifiers"). |
| `proceed: false` | **Stop.** Do not install. Tell the user the `reason` and link the `page_url`. Ask for an explicit "install anyway" before doing anything. |
| HTTP 429 (rate limited) | The trust check could not run (daily limit hit). Tell the user, link `https://mcpskills.io/api` for a key, and ask for explicit confirmation before installing **un-checked**. Do not silently proceed. |
| HTTP 404 / unresolvable | The target could not be found or scored. Treat as unverified — tell the user it could not be checked and ask before proceeding. |
| Error / timeout / 5xx | Trust check failed to complete. Do **not** treat "no answer" as "safe." Tell the user it could not be verified and ask before proceeding. |

The rule in one sentence: **a clear green means go; anything else means surface it to the user and get explicit consent before installing un-vetted code.** Fail to the human, never silently fail open.
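The whole gate as one script, the single GET plus the fail-closed verdict mapping from the table above, added here as an example (it is not one of this skill's own files); it uses only the Python standard library and assumes the endpoint, header and JSON shape shown in this document.

```python
"""Pre-install trust gate: one GET, then a fail-closed verdict mapping."""
import json
import os
import sys
import urllib.error
import urllib.request
GATE_BASE = "https://mcpskills.io/api/gate/"  # the only host this skill contacts

def fetch_gate(target, timeout=10):
    """Single GET for `owner/repo`, `npm:<package>` or a registry URL.
    Returns (http_status, body); network failure or timeout maps to status 0."""
    req = urllib.request.Request(GATE_BASE + target)
    key = os.environ.get("MCPSKILLS_API_KEY")  # optional, only raises the rate limit
    if key:
        req.add_header("X-API-Key", key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # 404 / 429 / 5xx still carry a status
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):  # DNS, TLS, timeout, connection refused
        return 0, ""

def decide(status, body):
    """Map status + body to (action, message) per the table above. Only a parsed,
    boolean proceed=true yields 'install'; every other outcome fails to the human."""
    if status == 429:
        return "ask_user", ("Trust check could not run (daily limit hit); a key from "
                            "https://mcpskills.io/api raises it. Install un-checked?")
    if status == 404:
        return "ask_user", "Target could not be found or scored; treat as unverified. Proceed?"
    if status != 200:
        return "ask_user", "Trust check failed to complete (status %d); not verified. Proceed?" % status
    try:
        data = json.loads(body)
        proceed = data.get("proceed")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        data, proceed = {}, None
    if not isinstance(proceed, bool):  # a malformed body is "no answer", never "safe"
        return "ask_user", "Trust check returned an unreadable verdict; not verified. Proceed?"
    tier, score = str(data.get("tier", "?")).capitalize(), data.get("composite", "?")
    reason, page = data.get("reason", ""), data.get("page_url", "")
    if proceed:
        return "install", "checks out: %s %s, %s" % (tier, score, reason)
    return "stop", "Do not install: %s (%s). Needs an explicit 'install anyway'." % (reason, page)

if __name__ == "__main__":  # usage: python gate.py owner/repo  (exit 0 only on a green verdict)
    action, msg = decide(*fetch_gate(sys.argv[1]))
    print(action, "-", msg)
    sys.exit(0 if action == "install" else 1)
```

The exit code makes the script usable as a pre-install hook: anything but a parsed green verdict returns non-zero, so a wrapper cannot accidentally fail open.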

## Why this matters

Most install flows run arbitrary third-party code with full local permissions and no review. Published incidents make the case: the ClawHavoc campaign shipped 1,184 malicious AI skills (7,700 installs before takedown); `mcp-remote` carried a CVSS 9.6 RCE (CVE-2025-6514) across 437,000+ downloads before it was patched; and when OX Security submitted a benign proof-of-concept malicious MCP server to 11 registries, 9 accepted it with no security review. A five-second pre-install gate is the cheapest control that catches the obvious cases — unlicensed code you can't legally depend on, critical unpatched CVEs, token exfiltration in CI, and known-malicious packages.

## What "proceed: false" means

The gate returns `proceed: false` when the target is **Blocked** or **New**, or carries a hard disqualifier:

- **NO_LICENSE** — published with no license, which defaults to "all rights reserved" and is therefore legally unsafe to build on
- **CRITICAL_CVE** — an unpatched critical vulnerability, a CISA KEV-listed CVE, or a known-malicious (OSV `MAL-*`) advisory on the installable version
- **SUPPLY_CHAIN_RISK** — a CI workflow that pipes a secret token into a network command (token exfiltration)
- **SAFETY_BLOCK** — prompt injection, credential access, shell execution, or obfuscated payloads found in source
- **ARCHIVED** — the repo is archived and unmaintained

It returns `proceed: true` for **Verified** (composite ≥ 7.0, clears every dimension threshold, zero disqualifiers) and **Established** (composite ≥ 4.5, sufficient signal coverage, no hard disqualifier).

## Limits, honestly

This is static, pre-install evidence — publisher, source, dependencies, vulnerabilities, supply chain. It does **not** observe runtime behavior, multi-step agent-chain context leaks, or dynamic payloads fetched after install. A green gate lowers risk; it is not a guarantee. Pair it with the controls a scanner can't replace: sandboxing, manifest hashing, and version pinning.

Full methodology and every score: https://mcpskills.io — verdicts are public and reproducible.
