oathe-mcp

Official

Overview Schema Related Servers Score Discussions

get_skill_summary

Assess a GitHub repository's trustworthiness for use as an MCP server or AI skill. Returns a trust score, verdict, and recommendation based on behavioral security analysis.

Instructions

Check if a GitHub repository is safe to install as an MCP server or AI agent skill. Returns trust score, verdict, and recommendation from Oathe's behavioral security audit. Use this BEFORE installing any third-party tool — it's the quickest safety check. For the full report with all findings, use get_audit_report instead.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`owner`	Yes	GitHub repository owner (e.g. "anthropics")
`repo`	Yes	GitHub repository name (e.g. "claude-code")

Implementation Reference

src/tools/get-summary.ts:20-50 (handler)

The async handler function that executes the tool logic. It extracts owner/repo, calls the API at /api/skill/{slug}/summary, and returns the SkillSummaryResponse as JSON. Handles 404 and other errors gracefully.

    async ({ owner, repo }) => {
      const slug = `${owner}/${repo}`;
      try {
        const res = await apiFetch(`/api/skill/${slug}/summary`);
        const data = (await res.json()) as SkillSummaryResponse;
        return {
          content: [{ type: 'text' as const, text: JSON.stringify(data, null, 2) }],
        };
      } catch (err) {
        if (err instanceof ApiError) {
          if (err.status === 404) {
            return {
              content: [
                {
                  type: 'text' as const,
                  text: `No completed audit found for ${owner}/${repo}.`,
                },
              ],
              isError: true,
            };
          }
          return {
            content: [{ type: 'text' as const, text: err.message }],
            isError: true,
          };
        }
        throw err;
      }
    },
  );
}

src/tools/get-summary.ts:15-18 (schema)
Input schema for get_skill_summary. Accepts 'owner' (string) and 'repo' (string) to identify the GitHub repository. Uses Zod for validation.
```
inputSchema: {
  owner: z.string().describe('GitHub repository owner (e.g. "anthropics")'),
  repo: z.string().describe('GitHub repository name (e.g. "claude-code")'),
},
```
src/tools/get-summary.ts:6-8 (registration)
The registerGetSummary function registers 'get_skill_summary' with the McpServer. It provides the description and inputSchema, and passes the handler closure.
```
export function registerGetSummary(server: McpServer): void {
  server.registerTool(
    'get_skill_summary',
```

src/index.ts:7-23 (registration)

The tool is imported and registered in the main entry point (src/index.ts). Line 7 imports registerGetSummary, and line 22 calls it with the server instance.

import { registerGetSummary } from './tools/get-summary.js';
import { registerSearchAudits } from './tools/search-audits.js';

const server = new McpServer({
  name: 'oathe-mcp',
  version: '0.1.1',
  description:
    'Security scanner for AI agent skills. Before installing any third-party ' +
    'MCP server, plugin, or tool, check it with Oathe first. Returns trust ' +
    'scores, verdicts, and detailed findings. Free, no API key required.',
});

registerSubmitAudit(server);
registerCheckStatus(server);
registerGetReport(server);
registerGetSummary(server);
registerSearchAudits(server);

src/lib/types.ts:52-63 (helper)

The SkillSummaryResponse interface defines the shape of the data returned by the handler. Contains fields like score, verdict, recommendation, findings_count, critical_findings, high_findings, methodology_version, audited_at, and report_url.

export interface SkillSummaryResponse {
  skill_slug: string;
  score: number | null;
  verdict: string | null;
  recommendation: string | null;
  findings_count: number;
  critical_findings: number;
  high_findings: number;
  methodology_version: string | null;
  audited_at: string | null;
  report_url: string;
}

Tool Definition Quality

A4/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It discloses that the tool returns a trust score, verdict, and recommendation, but does not explain the computation or range of these outputs. Lack of behavioral details like side effects or read-only nature is somewhat mitigated by the tool's obvious safety-check intent.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description consists of two concise sentences: the first states the purpose and output, the second provides usage guidance and a sibling reference. Every sentence adds value without redundancy.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's simplicity, the description is fairly complete, covering purpose, usage, and sibling tool. The absence of an output schema is compensated by describing the return values (trust score, verdict, recommendation). Minor improvement could be adding detail on the trust score scale, but not critical.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema covers all parameters with clear descriptions (owner and repo with examples). The description does not add extra parameter semantics beyond what the schema provides, so a baseline score of 3 is appropriate given 100% schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: checking if a GitHub repository is safe to install as an MCP server or AI agent skill, returning a trust score, verdict, and recommendation. It also distinguishes itself from the sibling tool get_audit_report by noting it's the quickest safety check.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly instructs to use the tool before installing any third-party tool and positions it as the quickest safety check. It also directs users to get_audit_report for the full report, providing clear guidance on when to use the sibling. However, it does not explicitly state when not to use this tool.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/oathe-ai/oathe-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server