Grade an MCP server A–F against the open behavioral litmus (litmus-v5). The harness connects the way an agent would, fingerprints the tool surface, and runs four checks: C-01 tool-output injection, C-02 permission/egress overreach (egress in a hardened default-deny Docker sandbox, plus a declared-permission honesty check), C-03 sensitive-data handling (planted canaries), and C-04 adversarial-input handling (malformed/oversized and jailbreak inputs).

This is ACTIVE: it launches the target server's code to exercise it (egress- sandboxed when Docker is available) and takes ~20–60s. It is not a lookup — for a server's already-published grade, use verify_attestation. No wallet or RPC needed.

server_ref examples: npm/@modelcontextprotocol/server-filesystem · https://example.com/mcp · ./build/index.js. For a token-gated https:// target, pass bearer. If Docker is unavailable, C-02 is skipped and the grade is capped at B for that run.

Grade a Claude Code / Agent Skill A/B/D/F against the open static safety litmus (litmus-skill-v1). A skill is a SKILL.md (instructions + frontmatter) plus an optional bundle. The litmus scans the bytes for S-01 prompt-injection / context-poisoning in the body, S-03 data-exfiltration instructions, and S-04 dangerous commands in bundled executable scripts. It content-hashes the whole directory (the anti-tamper anchor).

The SAFETY letter is a STATIC read: it does NOT execute the skill or its scripts and is fast — therefore NOT behavioral proof. An A means the static checks found no injection, exfil instruction, or dangerous bundled command, not that the skill is safe to run unsupervised. A command a skill constructs or fetches at runtime is not visible to static scanning (a disclosed limit).

It also returns a SEPARATE, advisory quality signal (well-formed / issues / malformed) — never an A–F letter, never minted, never affecting the safety letter. Its deterministic checks always run; its optional LLM-judged axes (honesty, coherence) run only when a judge is available — the host agent's own model via MCP sampling (no key), or a user-provided OpenAI-compatible key — and are skipped otherwise.

skill_ref (v1): a LOCAL path to a skill directory containing SKILL.md, e.g. ./skills/my-skill. Remote refs (github//#path, marketplace//) are not yet supported.

Read a server's already-published polygraph (litmus) grade — without running anything — before an agent trusts or, in agentic commerce, pays it.

When a grade is published it returns the behavioral grade (A–F), the attestation UID, the evidence CID, and the graded tool-surface fingerprint. The caller must still recompute the LIVE fingerprint and require it to equal the attested one before paying — a passing attestation can otherwise front for a tool surface the server no longer serves (rug pull).

Grade publishing is still rolling out, so this commonly returns not_available today: that means UNEVALUATED (neither safe nor unsafe), not a failing grade — to grade the server yourself right now, use run_litmus. A lookup_failed result means the lookup itself failed (the index or chain was unreachable); the grade is unknown, which is not the same as unevaluated.

Input: server_ref — e.g. npm/@modelcontextprotocol/server-filesystem.

Read a Claude Code / Agent Skill's already-published polygraph grade — without running anything — before an agent installs or trusts it.

When a grade is published it returns the letter (A/B/D/F), the attestation UID, the evidence CID, and the attested contentHash. The caller MUST then recompute the skill's content hash (sha256 over every file the SKILL.md can load, including lazily-referenced files) and require it to equal contentHash before installing — a passing attestation can otherwise front for different bytes (a swapped bundled script). The ref/version is advisory; the contentHash is the trust anchor.

Grade publishing for skills is rolling out, so this commonly returns not_available: that means UNEVALUATED (neither safe nor unsafe), not a failing grade — to grade a local skill yourself, use run_skill_litmus. A lookup_failed result means the lookup itself failed (index/chain unreachable); the grade is unknown, not unevaluated.

Input: skill_ref — e.g. github//# or marketplace//.