Should you installthat MCP server at all?
A server can ship clean for fifteen versions, then add one line that exfiltrates your data — or expose an auto-approve that bypasses the consent prompt. Scanning the current version won't catch the next one. Grade an MCP server or agent skill on six trust signals before you connect it.
Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.
The clean server and the poisoned one look identical at install.
the real shape of a supply-chain compromise: many trustworthy releases, then a single update that exfiltrates.
share of audited agent skills found with an exploitable flaw in recent research — the marketplace is not pre-vetted.
loose credential handling plus silent auto-approve are what turn an install into a breach. Either alone is survivable; together they're fatal.
You can't scan your way out of a future update. What you can do is decide, before you install, whether an artifact clears a trust bar — and default to not installing anything whose credential handling and approval behavior you can't confirm. This Gate makes that decision explicit and repeatable.
Mark six signals. Watch the gate block a 75/100 server.
Mark each trust signal, then watch the verdict. The verdict is the weakest signal — and the gate can override a high score.
Gate tripped: neither credential handling nor approval behavior is fully in place, so a malicious update could reach your secrets with no explicit approval. DO NOT INSTALL regardless of score — bring either signal to Trusted and it releases.
Fix first: Credential handling.
Grades the artifact, never people. Not a code scanner or malware detector. Runs offline in the workbook and engine.
A runnable engine, a workbook that reproduces it, and two playbooks.
The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-artifact sample:
==================================================================
MCP SERVER & SKILL TRUST GATE
Grades the artifact before you install it. Not a code scanner.
==================================================================
SERVER / SKILL: postmark-style email MCP
Verdict: DO NOT INSTALL (context score 75/100)
>> GATE: neither credential handling nor approval behavior is
fully in place — a malicious update could reach secrets with
no explicit approval. DO NOT INSTALL regardless of score.
Fix first: Credential handling (no plaintext secrets)
Trust signals:
[2] TRUSTED Publisher provenance & verification
[1] REVIEW Version & change-history review
[2] TRUSTED Declared scope matches actual scope
[1] REVIEW Credential handling (no plaintext secrets)
[1] REVIEW Update & approval behavior (no silent auto-approve)
[2] TRUSTED Sandbox / egress containment
SERVER / SKILL: unverified marketplace skill
Verdict: DO NOT INSTALL (context score 41/100)
>> GATE: neither credential handling nor approval behavior is
fully in place — a malicious update could reach secrets with
no explicit approval. DO NOT INSTALL regardless of score.
Fix first: Version & change-history review
Trust signals:
[1] REVIEW Publisher provenance & verification
[0] FAIL Version & change-history review
[1] REVIEW Declared scope matches actual scope
[1] REVIEW Credential handling (no plaintext secrets)
[1] REVIEW Update & approval behavior (no silent auto-approve)
[1] REVIEW Sandbox / egress containment
SERVER / SKILL: internal RAG MCP (vault-backed)
Verdict: REVIEW (context score 93/100)
Fix first: Update & approval behavior (no silent auto-approve)
Trust signals:
[2] TRUSTED Publisher provenance & verification
[2] TRUSTED Version & change-history review
[2] TRUSTED Declared scope matches actual scope
[2] TRUSTED Credential handling (no plaintext secrets)
[1] REVIEW Update & approval behavior (no silent auto-approve)
[2] TRUSTED Sandbox / egress containment
SERVER / SKILL: community calendar MCP
Verdict: REVIEW (context score 85/100)
Fix first: Declared scope matches actual scope
Trust signals:
[2] TRUSTED Publisher provenance & verification
[2] TRUSTED Version & change-history review
[1] REVIEW Declared scope matches actual scope
[2] TRUSTED Credential handling (no plaintext secrets)
[2] TRUSTED Update & approval behavior (no silent auto-approve)
[1] REVIEW Sandbox / egress containment
SERVER / SKILL: official first-party connector
Verdict: TRUSTED (context score 100/100)
Trust signals:
[2] TRUSTED Publisher provenance & verification
[2] TRUSTED Version & change-history review
[2] TRUSTED Declared scope matches actual scope
[2] TRUSTED Credential handling (no plaintext secrets)
[2] TRUSTED Update & approval behavior (no silent auto-approve)
[2] TRUSTED Sandbox / egress containment
------------------------------------------------------------------
REGISTRY: EXPOSED (2 of 5 blocked, exposure rate 40%)
Weakest to vet first: unverified marketplace skill
------------------------------------------------------------------A verifiable publisher with a real track record — not an anonymous account uploaded last week.
Visible, reviewed history — so the clean-then-poisoned update doesn't slip past on auto-latest.
Least privilege: the tools, files, and network access it asks for match the job and nothing more.
Secrets from a vault at run time — never plaintext keys in config, logs, or prompt context.
An explicit human approval for sensitive actions — no auto-approve-on-launch, no consent-prompt bypass.
Confined and revocable, with constrained outbound access — so a misbehaving server can't exfiltrate freely.
Weakest link wins. The gate does distinct work. Artifacts, not people.
Trust is a chain. The verdict is the lowest-marked signal, never the flattering average — because one weak link is how a clean server becomes a breach. The context score is shown for context only.
If neither credential handling nor approval behavior is fully in place, the artifact is DO NOT INSTALL even at 75/100 — together they're what let a malicious update reach secrets unapproved. Clear either one and it releases. No average can do that work.
Every verdict points to a signal to verify or harden, never a judgment of the publisher. The honest outcome is sometimes 'leave it uninstalled' — and that's the Gate working, not failing.
A pre-install trust decision, not a scanner.
- A deterministic, offline gate that grades an MCP server or skill from your own marks, before install.
- A repeatable install / don't-install decision with a named signal to fix first.
- A front-door check for anyone connecting third-party agent tooling to real data.
- Not a code scanner, malware detector, or penetration test — it never executes or inspects code.
- Not the Access Auditor (post-connect) or the Builder Kit (build-your-own) — this is the pre-install gate.
- Not a clearance or a guarantee a server is safe, and not legal advice.
Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.
Anyone one click away from connecting a server to real data.
- Founders & builders wiring MCP servers into agents that touch customer data.
- IT & security leads who need a repeatable approval baseline for agent tooling.
- Ops & RevOps standardizing which connectors a team is allowed to install.
- Agencies & MSPs vetting tooling before deploying it into a client's stack.
- Platform teams writing an allowlist policy for marketplace skills.
- Anyone who has read about a poisoned MCP package and wants a gate, not a hunch.
Gate the install, audit the access, cap the spend.
Already connected something? Audit what each connector can actually read, write, and reach.
ViewGrade an agent against the controls it needs before it touches real users or live systems.
ViewCatch the missing hard cutoff before an agent or API quietly runs your bill off a cliff.
ViewThe honest answers.
Decide before you connect,
not after the breach.
Grade every server and skill, fix the named signal first, and never let an unvetted artifact reach your data on a hunch. One purchase, lifetime access, 12 months of updates. $79, once.
Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai