Check MCP servers before installing them in Claude.

Oathe runs behavioral security audits on third-party tools. Free, no API key, under 2 minutes.

Why Check?

MCP servers get full system access

Every MCP server you install can read files, make network requests, and execute commands on your machine. There is no permission model. If Claude can reach it, the server can too.

Claude trusts tools by default

Claude will call any tool an MCP server exposes. It does not distinguish between safe and malicious tool descriptions. A compromised server shapes what Claude does next.

One audit catches what code review misses

Static analysis sees code. Oathe sees behavior. We execute the server in a sandbox and monitor every action it takes -- network calls, file access, data handling -- in real time.

Two Ways to Check

Option 1

MCP Server (recommended)

Install the Oathe MCP server alongside your other tools. Ask Claude to check any server before you install it.

Claude Desktop

Add to your Claude Desktop config (claude_desktop_config.json):

{
  "mcpServers": {
    "oathe": {
      "command": "npx",
      "args": ["-y", "oathe-mcp"]
    }
  }
}

Claude Code

Run in your terminal:

claude mcp add oathe -- npx -y oathe-mcp

Then ask Claude: "Use oathe to check if the X MCP server is safe to install."

Option 2

Direct API

Query the Oathe audit engine directly. No installation required.

Request

curl https://audit-engine.oathe.ai/api/skill/{owner}/{repo}/summary

Response

{
  "skill_slug": "owner/repo",
  "score": 85,
  "verdict": "SAFE",
  "recommendation": "This skill demonstrates safe behavior...",
  "findings_count": 3,
  "critical_findings": 0,
  "high_findings": 1,
  "audited_at": "2025-12-01T10:30:00.000Z",
  "report_url": "/api/skill/owner/repo/latest"
}

What You Get

Trust Score

A score from 0 to 100 based on six behavioral dimensions: prompt injection, data exfiltration, code execution, clone behavior, canary integrity, and behavioral reasoning.

Verdict

A clear categorical assessment: SAFE, CAUTION, DANGEROUS, or MALICIOUS. Each verdict maps to a score range and a recommended action.

Detailed Findings

Every security observation is documented with severity, evidence, and score impact. Recommendations include INSTALL, INSTALL_WITH_RESERVATIONS, DO_NOT_INSTALL, and UNINSTALL_IMMEDIATELY.
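
A local install gate over the Option 2 summary response, as an added example that is not Oathe's own code. The function name install_gate and the policy thresholds (allow only SAFE, no critical findings, at most one high finding, audit no older than 90 days) are assumptions; the gate fails closed on malformed, mismatched, or stale summaries.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the summary response shown on this page.
SAMPLE = json.loads("""{
  "skill_slug": "owner/repo", "score": 85, "verdict": "SAFE",
  "recommendation": "This skill demonstrates safe behavior...",
  "findings_count": 3, "critical_findings": 0, "high_findings": 1,
  "audited_at": "2025-12-01T10:30:00.000Z",
  "report_url": "/api/skill/owner/repo/latest"
}""")

VERDICTS = {"SAFE", "CAUTION", "DANGEROUS", "MALICIOUS"}  # values listed on the page


def install_gate(summary, expected_slug, now, max_age_days=90, max_high=1):
    """Return (allow, reasons). Thresholds are local policy assumptions."""
    try:
        slug = summary["skill_slug"]
        verdict = summary["verdict"]
        critical = int(summary["critical_findings"])
        high = int(summary["high_findings"])
        audited = datetime.fromisoformat(summary["audited_at"].replace("Z", "+00:00"))
        age = now - audited  # raises TypeError if the timestamp has no offset
    except (KeyError, TypeError, ValueError, AttributeError) as exc:
        return False, [f"malformed summary: {exc!r}"]  # fail closed

    reasons = []
    if slug != expected_slug:
        # A summary for a different repository must never approve this one.
        reasons.append(f"summary is for {slug!r}, not {expected_slug!r}")
    if verdict not in VERDICTS:
        reasons.append(f"unknown verdict {verdict!r}")
    elif verdict != "SAFE":
        reasons.append(f"verdict is {verdict}")
    if critical > 0:
        reasons.append(f"{critical} critical finding(s)")
    if high > max_high:
        reasons.append(f"{high} high findings exceeds limit {max_high}")
    if age > timedelta(days=max_age_days):
        # The audit describes the code as it was then, not as it is now.
        reasons.append(f"audit older than {max_age_days} days")
    return (not reasons), reasons


if __name__ == "__main__":
    check_time = datetime(2025, 12, 15, tzinfo=timezone.utc)  # constructed
    print(install_gate(SAMPLE, "owner/repo", check_time))
```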