Evaluate a new tool before deploying to clients
Before adopting a Claude tool internally or for clients, scan it for the common risks — permissions overreach, supply-chain issues, missing security docs.
Claude tools move fast and the ecosystem is young: 36% of skills had security flaws in a recent audit. Before installing a new MCP server or skill (especially for client work), you need a consistent evaluation pass: what permissions does it want, what does it connect to, who maintains it, and does it follow a pattern that is a known footgun.
Recommended
The 2 tools we'd reach for first
Purpose-built scanner for Claude Code skills. Runs a consistent security checklist and produces a report you can share with clients.
Trail of Bits' curated security skills bundle. If a respected security firm has packaged something, that's a strong signal.
Alternatives
Use these when your stack calls for them
Runtime gateway that constrains what a skill or MCP can actually do, regardless of what its manifest claims.
Sandboxed execution layer for MCP servers — catches bad behaviour at runtime rather than at install.
Supporting
Helpful adjacent tools to complete the workflow
Governance-focused skill bundle — maps evaluation findings to common compliance frameworks (SOC 2, ISO).