Skip to main content
Glama
Vigile-ai

vigile-mcp

by Vigile-ai
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

vigile_check_server

Retrieve the trust score and security findings for an MCP server from the Vigile registry. Returns a summary and link to the full report.

Instructions

Look up the trust score and security findings for an MCP server in the Vigile registry. Returns trust score (0-100), trust level, findings summary, and a link to the full report.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
nameYesMCP server name or npm package name (e.g., '@anthropic/mcp-server-filesystem')

Implementation Reference

  • src/index.ts:54-66 (registration)
    Registration of the vigile_check_server tool on the MCP server with zod schema and handler
    // ── Tool: vigile_check_server ──

server.tool(
  "vigile_check_server",
  "Look up the trust score and security findings for an MCP server in the Vigile registry. Returns trust score (0-100), trust level, findings summary, and a link to the full report.",
  {
    name: z.string().min(1).max(200).describe("MCP server name or npm package name (e.g., '@anthropic/mcp-server-filesystem')"),
  },
  async ({ name }) => {
    const result = await checkServer(API_BASE, API_KEY, name);
    return { content: [{ type: "text" as const, text: result }] };
  }
);
  • src/tools/check-server.ts:7-81 (handler)
    Main handler function checkServer that fetches trust score from Vigile API and formats the response with score, trust level, findings, and a link to the full report
    export async function checkServer(
  baseUrl: string,
  apiKey: string,
  name: string
): Promise<string> {
  const { ok, status, data } = await fetchVigile(
    baseUrl,
    apiKey,
    `/api/v1/registry/${encodeURIComponent(name)}`
  );

  if (!ok) {
    if (status === 404) {
      return [
        `## MCP Server: ${name}`,
        "",
        "**Not found in the Vigile registry.**",
        "",
        "This server hasn't been scanned yet. You can:",
        `- Submit it for scanning at https://vigile.dev`,
        `- Run \`npx vigile-scan ${name}\` to scan it locally`,
        "",
        "⚠️ An unscanned server should be treated with caution.",
      ].join("\n");
    }
    return `Error looking up "${name}": ${data?.detail || `HTTP ${status}`}`;
  }

  const emoji = trustLevelEmoji(data.trust_level);
  const lines = [
    `## ${emoji} ${data.name}`,
    "",
    `**Trust Score:** ${formatScore(data.trust_score)}`,
    `**Trust Level:** ${data.trust_level}`,
    `**Source:** ${data.source}`,
  ];

  if (data.description) {
    lines.push(`**Description:** ${data.description}`);
  }
  if (data.maintainer) {
    lines.push(`**Maintainer:** ${data.maintainer}`);
  }
  if (data.downloads_weekly) {
    lines.push(`**Weekly Downloads:** ${data.downloads_weekly.toLocaleString()}`);
  }
  if (data.stars) {
    lines.push(`**GitHub Stars:** ${data.stars.toLocaleString()}`);
  }
  if (data.last_scanned) {
    lines.push(`**Last Scanned:** ${new Date(data.last_scanned).toLocaleDateString()}`);
  }

  // Findings summary
  if (data.latest_findings && data.latest_findings.length > 0) {
    lines.push("", "### Security Findings");
    for (const f of data.latest_findings.slice(0, 5)) {
      const severity = f.severity === "critical" ? "🔴" : f.severity === "high" ? "🟠" : "🟡";
      lines.push(`- ${severity} **[${f.severity.toUpperCase()}]** ${f.title}`);
      if (f.recommendation) {
        lines.push(`  → ${f.recommendation}`);
      }
    }
    if (data.latest_findings.length > 5) {
      lines.push(`  ... and ${data.latest_findings.length - 5} more findings`);
    }
  }

  lines.push(
    "",
    `🔗 [Full report on Vigile](https://vigile.dev/server/${encodeURIComponent(data.name)})`
  );

  return lines.join("\n");
}
  • src/tools/api.ts:63-65 (helper)
    Helper function formatScore used to format the trust score
    export function formatScore(score: number): string {
  return `${Math.round(score)}/100`;
}
  • src/tools/api.ts:48-61 (helper)
    Helper function trustLevelEmoji used to map trust levels to emoji icons
    export function trustLevelEmoji(level: string): string {
  switch (level) {
    case "trusted":
      return "🟢";
    case "caution":
      return "🟡";
    case "risky":
      return "🟠";
    case "dangerous":
      return "🔴";
    default:
      return "⚪";
  }
}
  • src/tools/api.ts:5-46 (helper)
    Helper function fetchVigile used by checkServer to make API calls to the Vigile backend
    export async function fetchVigile(
  baseUrl: string,
  apiKey: string,
  path: string,
  options?: { method?: string; body?: string }
): Promise<{ ok: boolean; status: number; data: any }> {
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    "User-Agent": "vigile-mcp/0.1.7",
  };

  if (apiKey) {
    headers["Authorization"] = `Bearer ${apiKey}`;
  }

  try {
    const res = await fetch(`${baseUrl}${path}`, {
      method: options?.method || "GET",
      headers,
      body: options?.body,
    });

    const data = await res.json().catch(() => null);
    return { ok: res.ok, status: res.status, data };
  } catch (error: any) {
    // Sanitize error message — don't leak internal details like
    // hostnames, ports, file paths, or stack traces
    const rawMsg = error?.message || "Unknown error";
    const safeMsg = rawMsg.includes("ECONNREFUSED") || rawMsg.includes("ENOTFOUND")
      ? "API server unreachable"
      : rawMsg.includes("ETIMEDOUT") || rawMsg.includes("timeout")
      ? "Request timed out"
      : rawMsg.includes("ECONNRESET")
      ? "Connection reset"
      : "Connection failed";
    return {
      ok: false,
      status: 0,
      data: { detail: safeMsg },
    };
  }
}

Tool Definition Quality

B3.3/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description carries full burden for behavioral disclosure. It only states a read-like operation returning data, but does not mention side effects, authentication needs, rate limits, or whether the registry query is live. Minimal transparency beyond the obvious.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Two sentences, no fluff. Purpose is front-loaded, returns are listed immediately. Efficient and scannable.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a simple single-parameter lookup tool, the description covers purpose and output. However, it lacks usage guidelines, error conditions, and any context on when to use this versus sibling tools, making it minimally adequate.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema covers the single parameter with a description. The tool description adds no further detail about the parameter beyond the schema, resulting in baseline score per high coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool looks up trust score and security findings for an MCP server, specifying returned data (score, level, findings, link). It distinguishes from siblings like vigile_check_provenance and vigile_check_skill by focusing on trust and security for servers.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance on when to use this tool over alternatives (e.g., vigile_check_provenance). No mention of prerequisites or scenarios where this tool is preferred, leaving the agent to infer usage.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Vigile-ai/vigile-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server