API Documentation
The Policy Gate is the core product: CI policy decisions with repo memory, exceptions, and alerts. The public scanner and verdict API support it with package triage and stateless trust decisions.
Start Here
Policy Gate
Use /api/repo/check to make backend policy decisions in CI and /api/repo/report to retrieve repo inventory and audit history.
Still Need Package Triage?
Public package scanner
Use /api/scan for instant package scans and /api/verdict for stateless allow, warn, or block decisions.
Discovery
Policy Gate Endpoints
These endpoints power the Policy Gate: CI policy decisions, repo inventory, exception management, and repo-specific alerts.
/api/repo/check
Central Policy Check
Authoritative CI policy decision for a repo. Send repo metadata plus MCP packages and AgentScore returns pass/fail, per-package verdicts, applied exceptions, and a decision ID. This is the control point behind the GitHub Action.
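An added example, not AgentScore's code: one way to assemble the `packages` array for the request shown next from an MCP client config. The `mcpServers` layout, the npx-only handling and the function names are assumptions; unpinned entries are returned separately because a tag or range resolves at run time to a version that was never checked.

```javascript
// Added example: build the body for POST /api/repo/check from an MCP client
// config. Assumes a { "mcpServers": { ... } } layout with npx-launched servers.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split an npm spec such as "@scope/name@1.2.3" into name and version.
// The leading "@" of a scoped name is not a version separator.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Returns the request body plus the servers that are not pinned to a version.
function buildCheckRequest(config, repo, commit, branch) {
  const packages = [];
  const unpinned = [];
  const seen = new Set();
  for (const [server, entry] of Object.entries(config.mcpServers || {})) {
    if (!entry || entry.command !== "npx") continue; // only npm-launched servers
    // The first argument that is not a flag (-y, --yes) is taken as the spec.
    const spec = (entry.args || []).find((a) => typeof a === "string" && !a.startsWith("-"));
    if (!spec) continue;
    const { name, version } = parseSpec(spec);
    if (version === null || !EXACT_SEMVER.test(version)) {
      unpinned.push({ server, spec }); // tags and ranges resolve at run time
      continue;
    }
    const key = `${name}@${version}`;
    if (seen.has(key)) continue; // send each package once
    seen.add(key);
    packages.push({ name, version });
  }
  const body = { repo, commit, branch, packages, fail_on: "block", fail_open: false };
  return { body, unpinned };
}

// Constructed sample config (not from the page).
const sampleConfig = {
  mcpServers: {
    search: { command: "npx", args: ["-y", "exa-mcp-server@3.2.0"] },
    scanner: { command: "npx", args: ["@agentscore-xyz/mcp-server"] },
    guard: { command: "npx", args: ["--yes", "mcp-trust-guard@latest"] },
    local: { command: "node", args: ["./server.js"] },
  },
};

console.log(JSON.stringify(buildCheckRequest(sampleConfig, "owner/repo", "abc123", "main"), null, 2));
```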
curl -X POST "https://www.agentscores.xyz/api/repo/check" \
-H "Content-Type: application/json" \
-H "X-AgentScore-Key: YOUR_REPO_KEY" \
-d '{
"repo": "owner/repo",
"commit": "abc123",
"branch": "main",
"packages": [
{ "name": "exa-mcp-server", "version": "3.2.0" }
],
"fail_on": "block",
"fail_open": false
}'
/api/repo/report?repo={owner/repo}
Repo Inventory And Audit History
Return authenticated repo inventory, recent Policy Gate runs, and stored exceptions for a repo.
curl "https://www.agentscores.xyz/api/repo/report?repo=owner/repo" \
-H "X-AgentScore-Key: YOUR_REPO_KEY"
/api/repo/alerts?repo={owner/repo}
Repo Alerts
Return repo-specific alerts created when a monitored package used by that repo worsens later.
curl "https://www.agentscores.xyz/api/repo/alerts?repo=owner/repo" \
-H "X-AgentScore-Key: YOUR_REPO_KEY"
/api/repo/exceptions
Create Or Update Exception
Create a repo-specific exception so a warning or block can be approved server-side without editing CI configuration.
curl -X POST "https://www.agentscores.xyz/api/repo/exceptions" \
-H "Content-Type: application/json" \
-H "X-AgentScore-Key: YOUR_REPO_KEY" \
-d '{
"repo": "owner/repo",
"package": "exa-mcp-server",
"allowed_verdict": "warn",
"reason": "Approved until upstream provenance ships"
}'
Scanner Endpoints
/api/scan?npm={packageName}
MCP Package Scanner
Scan any npm package for security issues. Checks install scripts, suspicious URLs, prompt injection patterns, dependency count, metadata quality, and published source code patterns such as unsafe eval, command injection, hardcoded secrets, and sensitive file access. Returns score 0-100 and findings by severity. Static analysis only: no code execution.
curl "https://agentscores.xyz/api/scan?npm=mcp-trust-guard"
/api/monitor
Start Continuous Monitoring
Enroll a package in continuous monitoring. Stores a baseline scan, rescans on a recurring schedule, and alerts on material risk changes including direct dependency version changes. Curated enrollment to maintain dataset quality.
curl -X POST "https://agentscores.xyz/api/monitor" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"npm": "mcp-trust-guard",
"email": "security@example.com"
}'
/api/monitor?npm={packageName}
Monitoring Status And History
Check whether a package is under monitoring and return the most recent score, risk, and scan history snapshots.
curl "https://agentscores.xyz/api/monitor?npm=mcp-trust-guard"
/api/verdict?npm={packageName}
Trust Verdict
Single trust decision for an MCP package: allow, warn, or block. Based on scan findings (score and severity). Also reports monitoring status and publisher posture. Designed for registries, MCP clients, gateways, and CI workflows.
curl "https://agentscores.xyz/api/verdict?npm=mcp-trust-guard"
/api/registry?npm={packageName} or ?server={serverName}
Registry Trust Overlay
Complete trust assessment for MCP servers. Returns verdict, scan findings, posture, tools, monitoring status, and exposure data in a single call. Designed as a trust overlay for MCP registries and clients.
curl "https://agentscores.xyz/api/registry?npm=exa-mcp-server"
/api/exposure?npm={compromisedPackage}
Incident Exposure Query
Given a compromised package name, returns all monitored MCP servers that depend on it directly. Uses stored dependency snapshots for instant lookup. Built for incident response.
curl "https://agentscores.xyz/api/exposure?npm=axios"
/api/advisories?package={packageName}&severity={level}&limit={n}
Security Advisories
Auto-published security advisories when monitored packages change risk level. Filter by package or severity. Also available as RSS.
curl "https://agentscores.xyz/api/advisories"
/security/advisories/rss.xml
Advisories RSS Feed
RSS feed of security advisories. Subscribe in any feed reader or pipe into Slack, Discord, or monitoring tools.
https://agentscores.xyz/security/advisories/rss.xml
/api/scan/badge?npm={packageName}
Scan Badge (SVG)
Embeddable SVG badge showing scan status for any npm package. Add to your README to show your package has been scanned.
[![AgentScore scan badge](https://agentscores.xyz/api/scan/badge?npm=mcp-trust-guard)](https://agentscores.xyz/scan?npm=mcp-trust-guard)
Limitations
- The package scanner performs static analysis of npm metadata and published source code (tarball, in-memory, capped at 4MB). It does not execute code or inspect runtime behaviour.
- Scores are screening heuristics, not security guarantees.
Packages And Tools
mcp-trust-guard
MCP server security middleware with rate limiting and access control
npm install mcp-trust-guard
@agentscore-xyz/mcp-server
MCP server with security scanning tools for Claude Desktop, Cursor, and VS Code
npx @agentscore-xyz/mcp-server