Agent supply chain · trust gate

Should you installthat MCP server at all?

A server can ship clean for fifteen versions, then add one line that exfiltrates your data — or expose an auto-approve that bypasses the consent prompt. Scanning the current version won't catch the next one. Grade an MCP server or agent skill on six trust signals before you connect it.

Get the Gate — $79one-time · instant download · yours to keep

Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.

Five deliverables · runnable
Runnable Python engine
stdlib
Trust workbook
.xlsx
Vetting Playbook
.docx
Trust-Hardening Runbook
.docx
5-artifact worked sample
.csv
Works alongside
Connector Access Auditor · Go-Live Gate · Spend Runaway Gate
01.The Problem

The clean server and the poisoned one look identical at install.

15 clean → 1 bad

the real shape of a supply-chain compromise: many trustworthy releases, then a single update that exfiltrates.

1 in 3

share of audited agent skills found with an exploitable flaw in recent research — the marketplace is not pre-vetted.

2 signals

loose credential handling plus silent auto-approve are what turn an install into a breach. Either alone is survivable; together they're fatal.

You can't scan your way out of a future update. What you can do is decide, before you install, whether an artifact clears a trust bar — and default to not installing anything whose credential handling and approval behavior you can't confirm. This Gate makes that decision explicit and repeatable.

02.See It Work

Mark six signals. Watch the gate block a 75/100 server.

Try it — postmark-style email MCP

Mark each trust signal, then watch the verdict. The verdict is the weakest signal — and the gate can override a high score.

Publisher provenance & verification
Version & change-history review
Declared scope matches actual scope
Credential handling (no plaintext secrets)
Update & approval behavior (no silent auto-approve)
Sandbox / egress containment
DO NOT INSTALLcontext 75/100

Gate tripped: neither credential handling nor approval behavior is fully in place, so a malicious update could reach your secrets with no explicit approval. DO NOT INSTALL regardless of score — bring either signal to Trusted and it releases.

Fix first: Credential handling.

Grades the artifact, never people. Not a code scanner or malware detector. Runs offline in the workbook and engine.

03.What's Inside

A runnable engine, a workbook that reproduces it, and two playbooks.

The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-artifact sample:

==================================================================
MCP SERVER & SKILL TRUST GATE
Grades the artifact before you install it. Not a code scanner.
==================================================================

  SERVER / SKILL: postmark-style email MCP
  Verdict: DO NOT INSTALL   (context score 75/100)
  >> GATE: neither credential handling nor approval behavior is
     fully in place — a malicious update could reach secrets with
     no explicit approval. DO NOT INSTALL regardless of score.
  Fix first: Credential handling (no plaintext secrets)
  Trust signals:
    [2] TRUSTED  Publisher provenance & verification
    [1] REVIEW   Version & change-history review
    [2] TRUSTED  Declared scope matches actual scope
    [1] REVIEW   Credential handling (no plaintext secrets)
    [1] REVIEW   Update & approval behavior (no silent auto-approve)
    [2] TRUSTED  Sandbox / egress containment

  SERVER / SKILL: unverified marketplace skill
  Verdict: DO NOT INSTALL   (context score 41/100)
  >> GATE: neither credential handling nor approval behavior is
     fully in place — a malicious update could reach secrets with
     no explicit approval. DO NOT INSTALL regardless of score.
  Fix first: Version & change-history review
  Trust signals:
    [1] REVIEW   Publisher provenance & verification
    [0] FAIL     Version & change-history review
    [1] REVIEW   Declared scope matches actual scope
    [1] REVIEW   Credential handling (no plaintext secrets)
    [1] REVIEW   Update & approval behavior (no silent auto-approve)
    [1] REVIEW   Sandbox / egress containment

  SERVER / SKILL: internal RAG MCP (vault-backed)
  Verdict: REVIEW   (context score 93/100)
  Fix first: Update & approval behavior (no silent auto-approve)
  Trust signals:
    [2] TRUSTED  Publisher provenance & verification
    [2] TRUSTED  Version & change-history review
    [2] TRUSTED  Declared scope matches actual scope
    [2] TRUSTED  Credential handling (no plaintext secrets)
    [1] REVIEW   Update & approval behavior (no silent auto-approve)
    [2] TRUSTED  Sandbox / egress containment

  SERVER / SKILL: community calendar MCP
  Verdict: REVIEW   (context score 85/100)
  Fix first: Declared scope matches actual scope
  Trust signals:
    [2] TRUSTED  Publisher provenance & verification
    [2] TRUSTED  Version & change-history review
    [1] REVIEW   Declared scope matches actual scope
    [2] TRUSTED  Credential handling (no plaintext secrets)
    [2] TRUSTED  Update & approval behavior (no silent auto-approve)
    [1] REVIEW   Sandbox / egress containment

  SERVER / SKILL: official first-party connector
  Verdict: TRUSTED   (context score 100/100)
  Trust signals:
    [2] TRUSTED  Publisher provenance & verification
    [2] TRUSTED  Version & change-history review
    [2] TRUSTED  Declared scope matches actual scope
    [2] TRUSTED  Credential handling (no plaintext secrets)
    [2] TRUSTED  Update & approval behavior (no silent auto-approve)
    [2] TRUSTED  Sandbox / egress containment

------------------------------------------------------------------
  REGISTRY: EXPOSED   (2 of 5 blocked, exposure rate 40%)
  Weakest to vet first: unverified marketplace skill
------------------------------------------------------------------
Publisher provenance

A verifiable publisher with a real track record — not an anonymous account uploaded last week.

Version & change history

Visible, reviewed history — so the clean-then-poisoned update doesn't slip past on auto-latest.

Declared vs actual scope

Least privilege: the tools, files, and network access it asks for match the job and nothing more.

Credential handling

Secrets from a vault at run time — never plaintext keys in config, logs, or prompt context.

Update / approval behavior

An explicit human approval for sensitive actions — no auto-approve-on-launch, no consent-prompt bypass.

Sandbox / egress containment

Confined and revocable, with constrained outbound access — so a misbehaving server can't exfiltrate freely.

04.The Standard

Weakest link wins. The gate does distinct work. Artifacts, not people.

The weakest signal is the verdict

Trust is a chain. The verdict is the lowest-marked signal, never the flattering average — because one weak link is how a clean server becomes a breach. The context score is shown for context only.

The gate overrides the score

If neither credential handling nor approval behavior is fully in place, the artifact is DO NOT INSTALL even at 75/100 — together they're what let a malicious update reach secrets unapproved. Clear either one and it releases. No average can do that work.

It grades the artifact, not people

Every verdict points to a signal to verify or harden, never a judgment of the publisher. The honest outcome is sometimes 'leave it uninstalled' — and that's the Gate working, not failing.

05.What It Is — And Isn't

A pre-install trust decision, not a scanner.

What it is
  • A deterministic, offline gate that grades an MCP server or skill from your own marks, before install.
  • A repeatable install / don't-install decision with a named signal to fix first.
  • A front-door check for anyone connecting third-party agent tooling to real data.
What it isn't
  • Not a code scanner, malware detector, or penetration test — it never executes or inspects code.
  • Not the Access Auditor (post-connect) or the Builder Kit (build-your-own) — this is the pre-install gate.
  • Not a clearance or a guarantee a server is safe, and not legal advice.

Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.

06.Who It's For

Anyone one click away from connecting a server to real data.

  • Founders & builders wiring MCP servers into agents that touch customer data.
  • IT & security leads who need a repeatable approval baseline for agent tooling.
  • Ops & RevOps standardizing which connectors a team is allowed to install.
  • Agencies & MSPs vetting tooling before deploying it into a client's stack.
  • Platform teams writing an allowlist policy for marketplace skills.
  • Anyone who has read about a poisoned MCP package and wants a gate, not a hunch.
08.Common Questions

The honest answers.

No. It is not a code scanner, a malware detector, or a penetration test, and it never executes or inspects the server. Scanning the current version tells you little about the next one — the supply-chain pattern is a server that ships clean for many releases and then adds one exfiltration line. This Gate turns your own answers about six trust signals into a repeatable install / don't-install decision you make before connecting anything.

Decide before you connect,
not after the breach.

Grade every server and skill, fix the named signal first, and never let an unvetted artifact reach your data on a hunch. One purchase, lifetime access, 12 months of updates. $79, once.

Not a code scanner or security audit. This grades an artifact from your own marks — it never executes or inspects code, detects no malware, and issues no clearance. It is a decision aid, not a guarantee a server is safe. Validate high-stakes installs with your security team.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai