Scoring & Grades

How SpiderScore is calculated, what the A–F letter grades mean, rescans, and disputes.

4 questions in this topic · Based on 15,923 rated MCP servers

How is the SpiderScore calculated?

SpiderScore is a 0-10 composite security rating for MCP servers and Claude skills, calculated from three weighted dimensions. For MCP servers the weights are: Description Quality 38% (how clearly tools explain their capabilities to AI agents, across 5 sub-dimensions), Security Analysis 34% (static analysis across 46+ rules for command injection, path traversal, SSRF, credential leakage, prompt injection, and other vulnerabilities), and Metadata Health 28% (license clarity, maintenance signals, GitHub popularity). Claude skills use slightly different weights of 45/35/20. See the full methodology for scoring formulas and sub-signal breakdowns.

What do the letter grades (A through F) mean?

SpiderRating letter grades map directly to SpiderScore ranges: A (9.0–10.0) means excellent, B (7.0–8.9) good, C (5.0–6.9) average, D (3.0–4.9) below average with known issues, and F (0–2.9) means critical security problems. Hard constraints can override the raw score — any critical vulnerability such as hardcoded credentials, command injection, or reverse-shell patterns forces an F regardless of other scores. As of March 2026 the ecosystem distribution is: A 0%, B 1.3%, C 69.4%, D 16.3%, F 13%, with an average score of 5.26/10.
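The weighting, grade bands and hard-constraint override described in the two answers above, worked through as an added Python example (not SpiderScore's own code). It assumes each dimension is already a 0-10 sub-score, treats each band's lower bound as inclusive (the page lists bands at one-decimal resolution, so 8.9 is read as B and 9.0 as A), and keeps the raw composite visible when a critical finding forces the grade to F; the finding names are illustrative labels, not the scanner's rule identifiers.

```python
from __future__ import annotations
from dataclasses import dataclass

# Dimension weights given on the page, as fractions of the 0-10 composite.
WEIGHTS = {
    "mcp_server": {"description": 0.38, "security": 0.34, "metadata": 0.28},
    "claude_skill": {"description": 0.45, "security": 0.35, "metadata": 0.20},
}

# Letter-grade bands from the page; lower bound inclusive (assumption, see lead-in).
GRADE_BANDS = [(9.0, "A"), (7.0, "B"), (5.0, "C"), (3.0, "D"), (0.0, "F")]

# Hard constraints named on the page: any one of these forces an F.
# Labels are constructed for this example, not the scanner's rule ids.
CRITICAL_FINDINGS = {"hardcoded_credentials", "command_injection", "reverse_shell"}


@dataclass
class Dimensions:
    description: float  # 0-10, Description Quality
    security: float     # 0-10, Security Analysis
    metadata: float     # 0-10, Metadata Health


def composite_score(dims: Dimensions, kind: str = "mcp_server") -> float:
    """Weighted 0-10 composite; rejects unknown kinds and out-of-range inputs."""
    w = WEIGHTS[kind]
    for name in ("description", "security", "metadata"):
        value = getattr(dims, name)
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"{name} must be within 0-10, got {value}")
    raw = (w["description"] * dims.description
           + w["security"] * dims.security
           + w["metadata"] * dims.metadata)
    return round(raw, 2)


def letter_grade(score: float) -> str:
    """Map a 0-10 score to its band; the last band (0.0, F) always matches."""
    for lower, grade in GRADE_BANDS:
        if score >= lower:
            return grade
    return "F"


def spider_rating(dims: Dimensions, findings: set[str],
                  kind: str = "mcp_server") -> tuple[float, str]:
    """Return (score, grade); a critical finding overrides the grade to F."""
    score = composite_score(dims, kind)
    if findings & CRITICAL_FINDINGS:
        return score, "F"
    return score, letter_grade(score)
```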

How often are scores updated?

Our pipeline continuously discovers and rescans MCP servers; new servers are typically rated within 24 hours of appearing on GitHub, npm, or PyPI. Existing servers are rescanned weekly, or immediately when we detect new commits or security advisories affecting their dependencies. You can force a rescan of any server from its report page. Real-time rescan triggers are available on Pro and Business plans.

Can I dispute or appeal a rating?

Yes. Visit your server's report page and click "Request Rescan", or email [email protected] with details. We review disputes within 48 hours. For servers graded D or F, specific vulnerability details are shared privately under responsible disclosure with a 90-day remediation window before public disclosure. Maintainers who fix issues can request an immediate rescan to update their public grade.