@mcpskillsio/server 2.0.0 → 2.1.1

package/README.md

@@ -2,7 +2,7 @@
 
 Trust-score any AI skill or MCP server from inside Claude Code, Cursor, or any MCP client.
 
-12 signals across 4 dimensions with safety scanning for prompt injection, credential theft, and supply chain attacks.
+14 signals across 4 dimensions with safety scanning for prompt injection, credential theft, and supply chain attacks.
 
 ## Install
 
@@ -68,11 +68,43 @@ Browse curated, pre-scored skill packages organized by use case.
 "Show me safe AI skill packages for full-stack development"
 ```
 
+### `get_badge`
+
+Generate an SVG trust badge URL for your README.
+
+```
+"Get a trust badge for my repo anthropics/anthropic-sdk-typescript"
+```
+
+### `watch_repo`
+
+Start monitoring a repo for trust score changes (requires API key).
+
+```
+"Watch modelcontextprotocol/servers for score changes"
+```
+
+### `batch_check`
+
+Score up to 5 repos in a single call (Pro tier).
+
+```
+"Batch check these repos: anthropics/anthropic-sdk-typescript, langchain-ai/langchainjs"
+```
+
+### `auto_gate`
+
+Get a boolean go/no-go decision with reasoning.
+
+```
+"Should I install this MCP server? 21st-dev/magic-mcp"
+```
+
 ## Full Reports
 
 Free tier returns trust tier + dimension scores (same as mcpskills.io free scans).
 
-For full 12-signal reports with detailed safety findings inside your IDE, set your API key:
+For full 14-signal reports with detailed safety findings inside your IDE, set your API key:
 
 ```bash
 export MCPSKILLS_API_KEY=your_key_here
@@ -85,10 +117,10 @@ Get your API key at [mcpskills.io/api](https://mcpskills.io/api).
 The server calls the mcpskills.io trust scoring API, which:
 
 1. Fetches repo data from GitHub API and OpenSSF Scorecard
-2. Scores 12 signals across 4 dimensions (Alive, Legit, Solid, Usable)
-3. Detects AI skills/MCP servers and activates Skills Mode
+2. Scores 14 signals across 4 dimensions (Alive, Legit, Solid, Usable)
+3. Detects AI skills/MCP servers and activates Skills Mode (+2 bonus signals)
 4. Runs 5 safety scans based on ClawHavoc and ToxicSkills attack patterns
-5. Assigns a trust tier: Verified (≥7.5), Established (≥4.5), New, or Blocked
+5. Assigns a trust tier: Verified (>=7.0), Established (>=4.5), New, or Blocked
 
 ## License
 

package/index.js

@@ -10,10 +10,15 @@
  *   - check_trust_score: Score any GitHub repo
  *   - scan_safety: Run safety-only scan for AI skills
  *   - list_packages: Browse curated safe skill packages
+ *   - get_badge: Get trust badge URL for READMEs
+ *   - watch_repo: Monitor a repo for score changes
+ *   - check_watched: Re-scan all watched repos
+ *   - batch_check: Check up to 5 repos in one call (Pro)
+ *   - auto_gate: "Should I install this?" → boolean + reason
  *
- * Free tier returns tier + dimension scores.
- * Full reports (all 12 signals + safety findings) require an API key.
- * Get your key at https://mcpskills.io/api
+ * Free tier returns compact agent response.
+ * Full reports require MCPSKILLS_API_KEY env var.
+ * Get your key at https://mcpskills.io
  */
 
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -29,7 +34,10 @@ const PACKAGES_URL = "https://mcpskills.io/.netlify/functions/packages";
 // --- API Client ---
 
 async function fetchScore(repo, apiKey) {
-  const headers = { "Content-Type": "application/json" };
+  const headers = {
+    "Content-Type": "application/json",
+    "Accept": "application/json",
+  };
   if (apiKey) headers["X-API-Key"] = apiKey;
 
   const res = await fetch(`${API_BASE}/score`, {
@@ -38,6 +46,16 @@ async function fetchScore(repo, apiKey) {
     body: JSON.stringify({ repo }),
   });
 
+  if (res.status === 429) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(`Rate limit exceeded. ${err.upgrade || 'Set MCPSKILLS_API_KEY for more scans.'}`);
+  }
+
+  if (res.status === 401 || res.status === 403) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(err.error || `Auth error: ${res.status}`);
+  }
+
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: res.statusText }));
     throw new Error(err.error || `API error: ${res.status}`);
@@ -60,11 +78,12 @@ function formatTier(tier) {
 }
 
 function formatDimensions(dims) {
+  if (!dims) return "  (dimensions unavailable)";
   return [
-    `  Alive:  ${dims.alive}/10 (maintained?)`,
-    `  Legit:  ${dims.legit}/10 (credible author?)`,
-    `  Solid:  ${dims.solid}/10 (secure?)`,
-    `  Usable: ${dims.usable}/10 (good docs?)`,
+    `  Alive:  ${dims.alive ?? '?'}/10 (maintained?)`,
+    `  Legit:  ${dims.legit ?? '?'}/10 (credible author?)`,
+    `  Solid:  ${dims.solid ?? '?'}/10 (secure?)`,
+    `  Usable: ${dims.usable ?? '?'}/10 (good docs?)`,
   ].join("\n");
 }
 
@@ -94,39 +113,33 @@ function formatRecommendations(recs) {
   return lines;
 }
 
-function formatFreeResult(data) {
+// --- Agent Response Formatting ---
+
+function formatAgentResponse(data) {
+  // Compact agent response (from free tier API)
+  const rec = data.recommendation || (data.safe ? 'install' : 'caution');
+  const icon = data.safe ? '✅' : data.recommendation === 'blocked' ? '🚫' : '⚠️';
+
   const lines = [
-    `# Trust Score: ${data.repo}`,
-    "",
-    `**Score:** ${data.composite}/10`,
-    `**Tier:** ${formatTier(data.tier)}`,
-    `**Mode:** ${data.mode === "skills" ? "Skills Mode (AI skill detected)" : "Standard Mode"}`,
-    "",
-    `## Dimensions`,
-    formatDimensions(data.dimensions),
-    "",
-    `⭐ ${data.meta.stars.toLocaleString()} stars | 🍴 ${data.meta.forks.toLocaleString()} forks | 📄 ${data.meta.license}`,
+    `${icon} ${data.safe ? 'SAFE to install' : 'CAUTION'} — ${formatTier(data.tier)} (${data.score}/10)`,
+    `Recommendation: ${rec}`,
   ];
 
-  if (data.mode === "skills" && data.skill) {
-    lines.push("", `## Skill Info`);
-    lines.push(`  Type: ${data.skill.type}`);
-    lines.push(`  Safety: ${data.skill.safety?.summary || "Not scanned"}`);
+  if (data.flags?.length > 0) {
+    lines.push(`Flags: ${data.flags.join(', ')}`);
   }
 
-  // Recommendations
-  if (data.recommendations) {
-    lines.push(...formatRecommendations(data.recommendations));
+  if (data.reasoning) {
+    lines.push(`Analysis: ${data.reasoning}`);
   }
 
-  lines.push(
-    "",
-    "---",
-    "🔒 Full report (all signals + safety findings) → https://mcpskills.io",
-    "Set MCPSKILLS_API_KEY for full reports in-context."
-  );
+  if (data.certified) {
+    lines.push('🏅 Certified Safe by MCP Skills');
+  }
 
-  return lines.join("\n");
+  lines.push('', 'Set MCPSKILLS_API_KEY for full 14-signal breakdown.');
+
+  return lines.join('\n');
 }
 
 function formatFullResult(data) {
@@ -161,21 +174,38 @@ function formatFullResult(data) {
     supply_chain_safety: "Supply Chain Safety",
   };
 
-  for (const [key, val] of Object.entries(data.signals)) {
+  for (const [key, val] of Object.entries(data.signals || {})) {
     const label = signalLabels[key] || key;
-    const bar = "█".repeat(Math.round(val)) + "░".repeat(10 - Math.round(val));
-    lines.push(`  ${bar} ${val}/10  ${label}`);
+    const v = typeof val === 'number' && !isNaN(val) ? val : 0;
+    const bar = "█".repeat(Math.round(v)) + "░".repeat(10 - Math.round(v));
+    lines.push(`  ${bar} ${v}/10  ${label}`);
   }
 
   lines.push(
     "",
-    `⭐ ${data.meta.stars.toLocaleString()} stars | 🍴 ${data.meta.forks.toLocaleString()} forks | 📄 ${data.meta.license}`
+    `⭐ ${(data.meta?.stars || 0).toLocaleString()} stars | 🍴 ${(data.meta?.forks || 0).toLocaleString()} forks | 📄 ${data.meta?.license || 'Unknown'}`
   );
 
   if (data.mode === "skills" && data.skill) {
     lines.push("", `## Skill Details`);
     lines.push(`  Type: ${data.skill.type}`);
-    lines.push(`  Indicators: ${data.skill.indicators.join(", ")}`);
+    if (data.skill.indicators) lines.push(`  Indicators: ${data.skill.indicators.join(", ")}`);
+
+    // OpenClaw frontmatter
+    if (data.skill.frontmatter) {
+      lines.push("", `  ### SKILL.md Frontmatter`);
+      const fm = data.skill.frontmatter;
+      if (fm.name) lines.push(`    Name: ${fm.name}`);
+      if (fm.version) lines.push(`    Version: ${fm.version}`);
+      if (fm.description) lines.push(`    Description: ${fm.description}`);
+      if (data.skill.transparency?.bonus > 0) {
+        lines.push(`    🛡️ Transparency bonus: +${data.skill.transparency.bonus} to tool_safety`);
+        const d = data.skill.transparency.details;
+        if (d.hasSecuritySection) lines.push(`      ✓ Declares security posture`);
+        if (d.hasAllowedTools) lines.push(`      ✓ Lists allowed tools (${d.allowedToolsCount})`);
+        if (d.hasRequires) lines.push(`      ✓ Declares requirements`);
+      }
+    }
 
     if (data.skill.specChecks) {
       lines.push("", `  ### Spec Compliance`);
@@ -201,7 +231,6 @@ function formatFullResult(data) {
     lines.push("", `## ⚠️ Disqualifiers: ${data.disqualifiers.join(", ")}`);
   }
 
-  // Recommendations
   if (data.recommendations) {
     lines.push(...formatRecommendations(data.recommendations));
   }
@@ -214,14 +243,15 @@ function formatFullResult(data) {
 
 function formatSafetyResult(data) {
   if (data.mode !== "skills" || !data.skill) {
+    const score = data.composite ?? data.score ?? '?';
     return [
       `# Safety Scan: ${data.repo}`,
       "",
       "This repo was not detected as an AI skill or MCP server.",
       "Safety scanning only runs on repos identified as skills.",
       "",
-      `Mode: ${data.mode}`,
-      `Score: ${data.composite}/10 | Tier: ${formatTier(data.tier)}`,
+      `Mode: ${data.mode || 'standard'}`,
+      `Score: ${score}/10 | Tier: ${formatTier(data.tier)}`,
     ].join("\n");
   }
 
@@ -229,7 +259,7 @@ function formatSafetyResult(data) {
     `# Safety Scan: ${data.repo}`,
     "",
     `**Skill Type:** ${data.skill.type}`,
-    `**Safety Score:** ${data.signals.tool_safety}/10`,
+    `**Safety Score:** ${data.signals?.tool_safety ?? '?'}/10`,
     `**Status:** ${data.skill.safety?.summary || "Unknown"}`,
     "",
   ];
@@ -278,7 +308,7 @@ function formatSafetyResult(data) {
 const server = new Server(
   {
     name: "mcpskills",
-    version: "2.0.0",
+    version: "2.1.0",
   },
   {
     capabilities: {
@@ -294,7 +324,7 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
       {
         name: "check_trust_score",
         description:
-          "Score any GitHub repo for trustworthiness. Returns a trust score (0-10) across 4 dimensions: Alive (maintained?), Legit (credible author?), Solid (secure?), Usable (good docs?). AI skills and MCP servers get enhanced scanning with 5 safety checks. Set MCPSKILLS_API_KEY env var for full 12-signal reports.",
+          "Score any GitHub repo for trustworthiness. Returns a trust score (0-10) across 4 dimensions: Alive (maintained?), Legit (credible author?), Solid (secure?), Usable (good docs?). AI skills and MCP servers get enhanced scanning with 5 safety checks. Set MCPSKILLS_API_KEY env var for full 14-signal reports.",
         inputSchema: {
           type: "object",
           properties: {
@@ -356,7 +386,7 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
       {
         name: "watch_repo",
         description:
-          "Start monitoring a repo for trust score changes. You'll be alerted when a repo's score changes significantly (±0.3 points or tier change). Free tier: up to 20 repos.",
+          "Start monitoring a repo for trust score changes. You'll be alerted when a repo's score changes significantly (±0.3 points or tier change). Requires a paid API key.",
         inputSchema: {
           type: "object",
           properties: {
@@ -387,6 +417,37 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
           required: ["email"],
         },
       },
+      {
+        name: "batch_check",
+        description:
+          "Check up to 5 repos in one call. Returns a trust assessment for each repo. Requires a Pro API key (MCPSKILLS_API_KEY). Great for bulk-vetting dependencies.",
+        inputSchema: {
+          type: "object",
+          properties: {
+            repos: {
+              type: "array",
+              items: { type: "string" },
+              description: 'Array of GitHub repos in "owner/repo" format (max 5)',
+            },
+          },
+          required: ["repos"],
+        },
+      },
+      {
+        name: "auto_gate",
+        description:
+          'Should I install this? Returns a simple go/no-go decision with reasoning. The fastest way to check if a repo is safe to use. Returns { proceed: true/false, reason: "..." }.',
+        inputSchema: {
+          type: "object",
+          properties: {
+            repo: {
+              type: "string",
+              description: 'GitHub repo in "owner/repo" format',
+            },
+          },
+          required: ["repo"],
+        },
+      },
     ],
   };
 });
@@ -413,9 +474,19 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         }
 
         const data = await fetchScore(repo, apiKey);
-        const formatted = apiKey
-          ? formatFullResult(data)
-          : formatFreeResult(data);
+
+        // Determine if we got a full response or agent compact response
+        let formatted;
+        if (data.signals && data.dimensions) {
+          // Full paid response
+          formatted = formatFullResult(data);
+        } else if (data.safe !== undefined) {
+          // Agent compact response
+          formatted = formatAgentResponse(data);
+        } else {
+          // Human free response — format it for the agent
+          formatted = `${formatTier(data.tier)} ${data.repo} — ${data.composite}/10\n\nSet MCPSKILLS_API_KEY for full signal breakdown.`;
+        }
 
         return { content: [{ type: "text", text: formatted }] };
       }
@@ -471,9 +542,9 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           lines.push("");
           const items = pkg.skills || pkg.repos || [];
           for (const item of items) {
-            const name = item.name || `${item.owner}/${item.repo}`;
+            const itemName = item.name || `${item.owner}/${item.repo}`;
             const desc = item.description || item.role || "";
-            lines.push(`  - **${name}** — ${desc}`);
+            lines.push(`  - **${itemName}** — ${desc}`);
           }
           lines.push("");
         }
@@ -535,13 +606,23 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           };
         }
 
+        const headers = { "Content-Type": "application/json" };
+        if (apiKey) headers["X-API-Key"] = apiKey;
+
         const res = await fetch(`${API_BASE}/monitor`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers,
           body: JSON.stringify({ action: "watch", repo, email }),
         });
         const data = await res.json();
 
+        if (res.status === 403) {
+          return {
+            content: [{ type: "text", text: data.error || "Monitoring requires a paid plan. Get one at https://mcpskills.io" }],
+            isError: true,
+          };
+        }
+
         const lines = [
           `# Watching ${repo}`,
           "",
@@ -566,9 +647,12 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           };
         }
 
+        const headers = { "Content-Type": "application/json" };
+        if (apiKey) headers["X-API-Key"] = apiKey;
+
         const res = await fetch(`${API_BASE}/monitor`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers,
           body: JSON.stringify({ action: "check", email }),
         });
         const data = await res.json();
@@ -599,6 +683,105 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         return { content: [{ type: "text", text: lines.join("\n") }] };
       }
 
+      case "batch_check": {
+        const repos = args.repos;
+        if (!Array.isArray(repos) || repos.length === 0) {
+          return {
+            content: [{ type: "text", text: "Provide an array of repos to check." }],
+            isError: true,
+          };
+        }
+
+        if (!apiKey) {
+          return {
+            content: [{ type: "text", text: "batch_check requires a Pro API key. Set MCPSKILLS_API_KEY env var.\nGet one at https://mcpskills.io" }],
+            isError: true,
+          };
+        }
+
+        const batch = repos.slice(0, 5);
+        const results = [];
+
+        for (const repo of batch) {
+          if (!repo.includes("/")) {
+            results.push(`❌ ${repo} — invalid format`);
+            continue;
+          }
+          try {
+            const data = await fetchScore(repo, apiKey);
+            if (data.safe !== undefined) {
+              const icon = data.safe ? '✅' : data.recommendation === 'blocked' ? '🚫' : '⚠️';
+              results.push(`${icon} ${repo} — ${data.tier} (${data.score}/10) → ${data.recommendation}`);
+            } else if (data.signals) {
+              results.push(`${formatTier(data.tier)} ${repo} — ${data.composite}/10`);
+            } else {
+              results.push(`${formatTier(data.tier)} ${repo} — ${data.composite}/10`);
+            }
+          } catch (err) {
+            results.push(`❌ ${repo} — ${err.message}`);
+          }
+        }
+
+        const lines = [
+          `# Batch Trust Check (${batch.length} repos)`,
+          "",
+          ...results,
+          "",
+          `Checked ${batch.length} of ${repos.length} repos.`,
+        ];
+
+        if (repos.length > 5) {
+          lines.push(`⚠️ Max 5 per batch. ${repos.length - 5} skipped.`);
+        }
+
+        lines.push("", "---", "Powered by mcpskills.io");
+        return { content: [{ type: "text", text: lines.join("\n") }] };
+      }
+
+      case "auto_gate": {
+        const repo = args.repo;
+        if (!repo || !repo.includes("/")) {
+          return {
+            content: [{ type: "text", text: 'Invalid repo format. Use "owner/repo".' }],
+            isError: true,
+          };
+        }
+
+        const data = await fetchScore(repo, apiKey);
+
+        let proceed, reason;
+
+        if (data.safe !== undefined) {
+          // Agent compact response
+          proceed = data.safe || data.certified;
+          if (data.certified) {
+            reason = `Certified Safe — verified by MCP Skills (${data.score}/10)`;
+          } else if (data.safe) {
+            reason = `${data.tier} (${data.score}/10). ${data.reasoning || 'No disqualifiers.'}`;
+          } else {
+            reason = `${data.recommendation}: ${data.flags?.join(', ') || data.reasoning || 'Review needed.'}`;
+          }
+        } else {
+          // Full or human response — derive go/no-go
+          const tier = data.tier;
+          const disqualifiers = data.disqualifiers || [];
+          proceed = (tier === 'verified' || tier === 'established') && disqualifiers.length === 0;
+          const score = data.composite ?? data.score;
+          reason = proceed
+            ? `${tier} (${score}/10). Safe to install.`
+            : `${tier} (${score}/10). ${disqualifiers.length ? 'Disqualifiers: ' + disqualifiers.join(', ') : 'Review recommended.'}`;
+        }
+
+        const icon = proceed ? '✅' : '🚫';
+        const text = [
+          `${icon} ${proceed ? 'PROCEED' : 'DO NOT INSTALL'} — ${repo}`,
+          '',
+          reason,
+        ].join('\n');
+
+        return { content: [{ type: "text", text }] };
+      }
+
       default:
         return {
           content: [{ type: "text", text: `Unknown tool: ${name}` }],

package/package.json

@@ -1,14 +1,15 @@
 {
   "name": "@mcpskillsio/server",
-  "version": "2.0.0",
-  "description": "Trust-score any AI skill or MCP server from inside Claude Code, Cursor, or any MCP client. 14 signals, safety scanning, recommendations, badges, and monitoring.",
+  "version": "2.1.1",
+  "description": "Trust-score any AI skill or MCP server from inside Claude Code, Cursor, or any MCP client. 14 signals, safety scanning, recommendations, badges, monitoring, batch checking, and auto-gate decisions.",
   "type": "module",
   "main": "index.js",
   "bin": {
     "mcpskills": "index.js"
   },
   "scripts": {
-    "start": "node index.js"
+    "start": "node index.js",
+    "test": "node --test test/"
   },
   "keywords": [
     "mcp",
@@ -24,7 +25,8 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/bebravebekind/mcpskills-server"
+    "url": "https://github.com/BeBraveBeKind/mcpskills.git",
+    "directory": "mcp-server"
   },
   "homepage": "https://mcpskills.io",
   "engines": {