How we score every MCP server
Trust isn't a black box. AgentForge's audit pipeline is five weighted dimensions, each with public scoring rules. The whole algorithm — source code, schema, badge logic — is on GitHub under MIT. We'd rather you fork our methodology than trust ours blindly.
The formula
overall_score =
security_scan × 0.30
+ code_health × 0.20
+ behavioral_audit × 0.20
+ community_trust × 0.15
+ eu_compliance × 0.15
Each dimension is 0–100. Missing dimensions are weighted to zero and flagged in audit_status as partial rather than complete.
The five dimensions
1. Security Scan
30% of total
What it measures: Did anyone leave secrets in this repo? Are there known CVEs in its dependencies? Are there open security advisories on GitHub?
How it's computed: Static scan of the full source tree for credentials and tokens (allowlisted for known false-positive patterns), GitHub Security Advisory API for open advisories, dependency CVE lookups via OSV.dev.
Signals
- GitHub Security Advisories (open count, severity-weighted)
- Secret-pattern matches in code (AWS, Stripe, JWT, OpenAI, Anthropic, etc.)
- Open Snyk-style dependency findings
- License presence (missing license is a partial penalty here)
2. Code Health
20% of total
What it measures: Is this repo alive and maintained, or is it an abandoned weekend project?
How it's computed: GitHub repo metadata: last commit timestamp, open-issue ratio, archival flag, default branch activity over last 90 days.
Signals
- Days since last commit (decays after 90 days)
- Open vs closed issue ratio
- Archived flag → hard penalty
- Has a CI badge or README
- Has typed source (TypeScript, type hints, etc.)
3. Behavioral Audit
20% of total
What it measures: Does what the server actually does match what the README claims it does? Does it call out to surprising external services? Does it handle credentials safely at runtime?
How it's computed: Claude-powered review of the server's source code (entry points, tool handlers, network calls). Looks for undisclosed network egress, plain-text credential storage, and other behavioral surprises.
Signals
- README claims vs. observed tool exports
- Undocumented network egress (calls to non-README-mentioned hosts)
- Credential handling (plain-text logs, missing redaction)
- Side effects beyond the documented tool semantics
- Use of dangerous primitives (eval, child_process with user input, etc.)
4. Community Trust
15% of total
What it measures: Does anyone vouch for this? Is the publisher known? Is there a community around it?
How it's computed: GitHub stars (log-scaled, so 1k vs. 10k isn't a 10× advantage), fork count, contributor count, owner type (Organization vs. Individual), and account age.
Signals
- Stars (log-scaled — diminishing returns above ~1k)
- Forks and active contributor count
- Owner type bonus: Organization > Individual
- Account age and verified status
- Cross-references from other MCP catalogs (Glama, mcp.so, awesome-mcp-servers)
5. EU Compliance
15% of total
What it measures: Can an EU enterprise actually use this without violating GDPR or the AI Act?
How it's computed: Static analysis of disclosure files: privacy policy URL, data residency statement, AI Act risk class, GDPR data-processor declaration, retention policy.
Signals
- Privacy policy presence and URL
- Data residency disclosure (EU/US/global)
- AI Act risk classification (minimal / limited / high)
- GDPR data-processor agreement availability
- Telemetry opt-out documented
- Retention and erasure policy
Badges
Badges are derived rules — they don't change the score, they summarize why a score is what it is. Renderable in catalog listings and via the trust MCP server.
| Badge | Awarded when |
|---|---|
| clean_scan | Zero secrets leaked, zero dependency findings |
| no_advisories | No open GitHub Security Advisories |
| actively_maintained | Code health ≥ 80 (recent commits, no archival) |
| community_trusted | Community trust ≥ 70 (stars + forks + reputation) |
| org_maintained | Repository owned by a GitHub Organization (not individual) |
| licensed:mit / apache-2.0 / … | Has an SPDX-recognized open-source license |
| secrets_leaked | WARNING: secrets detected in source — review before use |
| archived | WARNING: repository is archived on GitHub |
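The weighted formula and the badge table above, sketched in TypeScript as an added example; it is not AgentForge's scripts/lib/trust-audit.ts. It assumes a missing dimension contributes zero without renormalising the remaining weights, and the Findings field names and function names are hypothetical.

```typescript
// Added example, not the project's code. Dimension and badge names come from
// the page; everything else (Findings fields, function names) is assumed.
type Dimension = "security_scan" | "code_health" | "behavioral_audit"
  | "community_trust" | "eu_compliance";
type Scores = Partial<Record<Dimension, number>>;

// Page weights as integer percentages so the weighted sum stays exact.
const WEIGHTS: Record<Dimension, number> = {
  security_scan: 30, code_health: 20, behavioral_audit: 20,
  community_trust: 15, eu_compliance: 15,
};

interface Overall {
  overall_score: number;
  audit_status: "complete" | "partial";
  missing: Dimension[];
}

function overallTrust(scores: Scores): Overall {
  let weighted = 0;
  const missing: Dimension[] = [];
  for (const dim of Object.keys(WEIGHTS) as Dimension[]) {
    const s = scores[dim];
    if (s === undefined) { missing.push(dim); continue; } // assumed: adds zero
    if (!Number.isFinite(s) || s < 0 || s > 100) throw new RangeError(`${dim} must be 0-100`);
    weighted += s * WEIGHTS[dim];
  }
  const audit_status = missing.length ? "partial" : "complete";
  return { overall_score: weighted / 100, audit_status, missing };
}

// Hypothetical raw findings that the badge rules read alongside the scores.
interface Findings {
  secrets: number; dependencyFindings: number; openAdvisories: number;
  ownerIsOrg: boolean; archived: boolean; spdxLicense?: string;
}

function badges(scores: Scores, f: Findings): string[] {
  const out: string[] = [];
  if (f.secrets === 0 && f.dependencyFindings === 0) out.push("clean_scan");
  if (f.openAdvisories === 0) out.push("no_advisories");
  if ((scores.code_health ?? -1) >= 80) out.push("actively_maintained");
  if ((scores.community_trust ?? -1) >= 70) out.push("community_trusted");
  if (f.ownerIsOrg) out.push("org_maintained");
  if (f.spdxLicense) out.push(`licensed:${f.spdxLicense.toLowerCase()}`);
  if (f.secrets > 0) out.push("secrets_leaked"); // warning badge
  if (f.archived) out.push("archived");          // warning badge
  return out;
}
```

Under this reading a partial audit lowers the number in the same way a poor result would, so a consumer gating on overall_score should check audit_status and the warning badges as well.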
Open source
Trust MCP server (npm)
agentforge-trust-mcp — query scores from any MCP client (Claude Code, Cursor). MIT licensed.
packages/mcp-trust-server/ →
Audit algorithm
The TypeScript scoring functions — including the badge rules listed above. PRs welcome for new dimensions or refinements.
scripts/lib/trust-audit.ts →
Database schema
trust_scores + trust_audit_history tables, with the canonical compute_overall_trust() Postgres function.
migrations/036 →
Trust API
GET /api/v1/trust/list and /api/v1/trust/evaluate — query scores programmatically, no API key needed.
/api/v1/trust →
See something we should score differently?
We publish the algorithm so the community can challenge it. Open a PR with a new signal, weight change, or badge rule — we triage on the agent-hub repo.