Frequently Asked Questions
Everything you need to know about SpiderRating, security scores, and protecting your AI agents.
What is SpiderRating?
SpiderRating is an independent security rating platform for MCP servers, Claude skills, and AI tools. We scan and score every tool in the ecosystem so developers and enterprises can make informed decisions about which tools to trust. As of March 2026, we have rated 15,923 servers and skills.
How is the security score calculated?
SpiderScore is a weighted composite of three dimensions: Description Quality (how well tools describe their capabilities to AI agents), Security Analysis (46+ static analysis rules for vulnerabilities like injection, path traversal, and secret leakage), and Metadata Health (package provenance, maintenance signals, and community health). The weights, in that order (Description / Security / Metadata), are 38/34/28% for MCP servers and 45/35/20% for Skills.
What do the letter grades mean?
Grades map to score ranges: A (9.0–10.0) means excellent security, B (7.0–8.9) is good, C (5.0–6.9) is average, D (3.0–4.9) is below average with known issues, and F (0–2.9) means critical security problems. Hard constraints can force grade caps — any critical vulnerability forces an F regardless of other scores.
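A worked illustration of the two answers above, added here as an example and not code from SpiderRating or the spidershield scanner. It assumes each dimension is scored 0-10 and that the composite is rounded to one decimal before the grade ranges are applied; the only hard constraint it models is the one the FAQ states (a critical finding forces F).

```python
from dataclasses import dataclass

# Weights quoted in the FAQ, ordered (description quality, security analysis, metadata health).
WEIGHTS = {
    "mcp_server": (0.38, 0.34, 0.28),
    "skill": (0.45, 0.35, 0.20),
}

# Lower bound of each grade band from the FAQ. The score is rounded to one
# decimal first (assumption), so 8.9 is a B and 9.0 is an A.
GRADE_FLOORS = [("A", 9.0), ("B", 7.0), ("C", 5.0), ("D", 3.0), ("F", 0.0)]


@dataclass
class Dimensions:
    description_quality: float  # each dimension on a 0-10 scale (assumption)
    security_analysis: float
    metadata_health: float


def spider_score(kind: str, d: Dimensions) -> float:
    """Weighted composite for an MCP server or a Skill, rounded to one decimal."""
    w_desc, w_sec, w_meta = WEIGHTS[kind]
    raw = (w_desc * d.description_quality
           + w_sec * d.security_analysis
           + w_meta * d.metadata_health)
    return round(raw, 1)


def grade_for(score: float) -> str:
    """Map a rounded score onto the FAQ's letter bands."""
    for letter, floor in GRADE_FLOORS:
        if score >= floor:
            return letter
    return "F"


def rate(kind: str, d: Dimensions, has_critical: bool) -> tuple[float, str]:
    """Return (score, grade). A critical vulnerability is a hard constraint:
    the grade becomes F regardless of the weighted score, which is still
    reported (assumption) so the reader can see what the cap overrode."""
    score = spider_score(kind, d)
    grade = "F" if has_critical else grade_for(score)
    return score, grade


if __name__ == "__main__":
    # Constructed sample dimension scores, not real ratings of any server.
    strong = Dimensions(9.2, 8.4, 7.5)
    print(rate("mcp_server", strong, has_critical=False))  # (8.5, 'B')
    print(rate("mcp_server", strong, has_critical=True))   # (8.5, 'F'): cap wins
    print(rate("skill", Dimensions(6.0, 8.0, 5.0), has_critical=False))  # (6.5, 'C')
```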
Is SpiderRating free?
Yes. The public Trust Score API, security badges, and the open-source scanner (spidershield) are all free. Pro plans ($49/month) add cloud dashboards, alert rules, and higher API limits. Enterprise plans include compliance reporting and team management.
How do I scan my own MCP server?
Run `npx spidershield scan ./your-server` or `pip install spidershield && spidershield scan ./your-server`. The scan is fully local — no data leaves your machine. Results include a score, grade, and detailed issue breakdown.
How do I protect my AI agents in real-time?
SpiderShield provides runtime protection via PreToolUse hooks (for Claude Code) and proxy guards (for any MCP client). Every tool call is checked against our trust database of 15,923 rated servers. Grade F tools are blocked automatically. Setup takes 2–3 minutes.
How often are scores updated?
Our pipeline continuously discovers and rescans MCP servers. New servers are typically rated within 24 hours of appearing on GitHub, npm, or PyPI. Existing servers are rescanned weekly or when we detect new commits.
Can I dispute a rating?
Yes. Visit your server's report page and click 'Request Rescan', or email [email protected] with details. We review disputes within 48 hours. For D/F-rated servers, specific vulnerability details are shared under responsible disclosure (90-day window).
What is SpiderShield?
SpiderShield is the open-source scanner (MIT license) that powers SpiderRating. It provides static analysis, runtime guards, DLP scanning, and audit logging. SpiderRating adds the cloud platform, pipeline, and rating engine on top.
How do I add a security badge to my README?
Add this markdown to your README: `[](https://spiderrating.com/servers/OWNER/REPO)`. Replace OWNER and REPO with your GitHub owner and repository name. The badge updates automatically when your score changes.
Still have questions?
Check our Methodology page for technical details, or reach out directly.