2.5k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill credence- _meta.json272 B
- SKILL.md3.9 KB
Overview
This skill checks MCP servers and AI tools against the Credence trust registry before you install or connect to them. It returns a 0–100 trust score, a verdict (APPROVED, CONDITIONAL, FLAGGED, REJECTED), and guidance based on security, provenance, and behavioral risk. Use it to make informed install decisions and to prompt manual review when needed.
How this skill works
The skill fetches the Credence registry index and searches the servers list by server_id, server_name, canonical_name, or repo URL (partial matches allowed). For found entries it reports the trust score, verdict, attestation timestamp, and a link to the registry. If nothing matches, it informs you the tool hasn’t been scanned and points to the submission page. Scores combine automated scans and adversarial deliberation and include per-category breakdowns in the attestation file.
When to use it
- Before installing or adding any MCP server or AI tool.
- When a user asks you to add or connect to a server or tool.
- When you want an independent security/provenance check before trusting a package.
- Whenever you run installation commands that change MCP configuration.
- When a server or tool is unfamiliar or lacks community reputation.
Best practices
- Always check Credence before running install or add commands for MCP servers.
- Treat CONDITIONAL and FLAGGED results as prompts for manual review of attestation details.
- If a server is not listed, consider submitting it for scanning and delay installation when possible.
- Use the attestation file link to examine the security, provenance, and behavioral sub-scores before deciding.
- Log Credence checks as part of your change control or onboarding checklist.
Example use cases
- User requests adding an MCP server — run the skill to fetch score and verdict, then allow or block install based on threshold.
- Automated install workflow queries Credence; block installs for REJECTED entries and require confirmation for FLAGGED/CONDITIONAL.
- Pre-flight check before connecting a third-party AI tool to production systems.
- Security review process: export the attestation file and evaluate specific flagged items before approving deployment.
FAQ
APPROVED (90–100): safe to install. CONDITIONAL (70–89): review flagged items first. FLAGGED (40–69): significant concerns — install only with explicit acceptance of risk. REJECTED (0–39): do not install.
What if a server isn’t in the registry?
A missing entry means it hasn’t been scanned yet, not necessarily that it’s dangerous. You can submit it for scanning; consider delaying installation or proceed only with explicit user confirmation and risk awareness.