Credence
Check MCP servers and AI tools against the Credence trust registry before you install them.
When to use this skill
- - Before installing any MCP server
- When a user asks you to add an MCP server or AI tool
- When you want to verify whether a tool is safe
- When the user asks �INLINECODE0
How it works
Credence scans MCP servers and AI tools for security issues, verifies their provenance, and checks behavioral risk. Every scanned tool gets a trust score from 0 to 100 and a verdict:
| Score | Verdict | Meaning |
|---|
| 90-100 | APPROVED | Safe to install |
| 70-89 |
CONDITIONAL | Review the flagged items before installing |
| 40-69 | FLAGGED | Significant concerns — install only if you understand the risks |
| 0-39 | REJECTED | Do not install |
Instructions
Check a server by name or URL
Fetch the Credence registry and look up the server:
CODEBLOCK0
Search the servers array for a match on server_id, server_name, canonical_name, or repo_url. The match does not need to be exact — partial matches on the repo URL or server name are fine.
If found, report:
CODEBLOCK1
Then give your recommendation:
- - APPROVED (90+): Safe to install. Proceed.
- CONDITIONAL (70-89): Mention the score and suggest the user review the registry page for details before installing.
- FLAGGED (40-69): Warn the user. Do not install without explicit confirmation.
- REJECTED (0-39): Do not install. Explain that Credence found serious issues.
If not found, say:
CODEBLOCK2
Then let the user decide whether to proceed.
Check before installing
Whenever you are about to install or connect to an MCP server (via claude mcp add, editing claude_desktop_config.json, or any other method), check it against Credence first. If the server is not in the registry, tell the user it hasn't been scanned and ask if they want to proceed anyway.
Get full details
For more detail on a specific server, fetch its attestation file. The attestation_file path from the index entry is relative to:
CODEBLOCK3
The attestation includes the full score breakdown (security, provenance, behavioral), scan metadata, and the deliberation verdict.
Examples
User says: "Add the filesystem MCP server"
- 1. Fetch the registry index
- Find
modelcontextprotocol/servers/filesystem — score 88, APPROVED - Report: "Credence score: 88/100 (APPROVED). Safe to install."
- Proceed with the install
User says: "Install some-unknown-server"
- 1. Fetch the registry index
- Not found
- Report: "This server hasn't been scanned by Credence yet. You can submit it at https://credence.securingthesingularity.com/#submit — want to install anyway?"
User says: �INLINECODE10
- 1. Fetch the registry index
- Find it — score 98, APPROVED
- Report the full status
Notes
- - The registry is public and requires no authentication
- Scores are based on automated scanning plus adversarial AI deliberation
- A missing entry does not mean a tool is dangerous — it just hasn't been scanned yet
- For the full methodology, see https://credence.securingthesingularity.com/faq.html
Credence
在安装 MCP 服务器和 AI 工具之前,请先对照 Credence 信任注册表进行检查。
何时使用此技能
- - 在安装任何 MCP 服务器之前
- 当用户要求你添加 MCP 服务器或 AI 工具时
- 当你想验证某个工具是否安全时
- 当用户输入 /credence 时
工作原理
Credence 会扫描 MCP 服务器和 AI 工具的安全问题,验证其来源,并检查行为风险。每个被扫描的工具都会获得一个 0 到 100 的信任分数和判定结果:
| 分数 | 判定结果 | 含义 |
|---|
| 90-100 | 已批准 | 可以安全安装 |
| 70-89 |
有条件 | 安装前请检查标记项 |
| 40-69 | 已标记 | 存在重大隐患 — 仅在你了解风险的情况下安装 |
| 0-39 | 已拒绝 | 请勿安装 |
操作说明
按名称或 URL 检查服务器
获取 Credence 注册表并查找服务器:
bash
curl -s https://raw.githubusercontent.com/pestafford/credence-registry/main/registry/index.json
在 servers 数组中搜索匹配的 serverid、servername、canonicalname 或 repourl。匹配不需要完全一致 — 仓库 URL 或服务器名称的部分匹配即可。
如果找到,报告:
Credence: <服务器名称>
分数: <信任分数>/100
判定结果: <判定结果>
扫描时间: <认证时间>
注册表: https://credence.securingthesingularity.com/registry.html
然后给出你的建议:
- - 已批准(90+): 可以安全安装。继续操作。
- 有条件(70-89): 提及分数并建议用户在安装前查看注册表页面了解详情。
- 已标记(40-69): 警告用户。未经明确确认请勿安装。
- 已拒绝(0-39): 请勿安装。说明 Credence 发现了严重问题。
如果未找到,说:
此工具尚未经过 Credence 扫描。
请在此提交扫描:https://credence.securingthesingularity.com/#submit
然后让用户决定是否继续。
安装前检查
每当你即将安装或连接到 MCP 服务器时(通过 claude mcp add、编辑 claudedesktopconfig.json 或任何其他方法),请先对照 Credence 进行检查。如果服务器不在注册表中,告知用户该服务器尚未被扫描,并询问他们是否仍要继续。
获取详细信息
要获取特定服务器的更多详情,请获取其认证文件。索引条目中的 attestation_file 路径相对于:
https://raw.githubusercontent.com/pestafford/credence-registry/main/registry/
认证文件包含完整的分数分解(安全性、来源、行为)、扫描元数据和判定结果。
示例
用户说: 添加文件系统 MCP 服务器
- 1. 获取注册表索引
- 找到 modelcontextprotocol/servers/filesystem — 分数 88,已批准
- 报告:Credence 分数:88/100(已批准)。可以安全安装。
- 继续安装
用户说: 安装某个未知服务器
- 1. 获取注册表索引
- 未找到
- 报告:此服务器尚未经过 Credence 扫描。你可以在此提交:https://credence.securingthesingularity.com/#submit — 是否仍要安装?
用户说: /credence modelcontextprotocol/servers/memory
- 1. 获取注册表索引
- 找到 — 分数 98,已批准
- 报告完整状态
注意事项
- - 注册表是公开的,无需认证
- 分数基于自动扫描加上对抗性 AI 判定
- 缺少条目并不意味着工具危险 — 只是尚未被扫描
- 完整方法论请参见 https://credence.securingthesingularity.com/faq.html
