MCP Server

Set up the Oathe MCP server for native tool integration. Check skills before installing them — directly from your AI agent.

Installation

Run the Oathe MCP server with npx — no global install required:

npx oathe-mcp

Add it to your AI agent’s MCP configuration (e.g. Claude Desktop, Cursor, or any MCP-compatible client):

{
  "mcpServers": {
    "oathe": {
      "command": "npx",
      "args": ["-y", "oathe-mcp"]
    }
  }
}

Available Tools

The MCP server exposes 5 tools:

| Tool | Purpose | Returns |
|---|---|---|
| get_skill_summary | Quick lookup of a previously audited skill | Trust score, verdict, recommendation, and dimension breakdown |
| submit_audit | Start a new audit for a skill | Audit ID for tracking |
| check_audit_status | Poll an in-progress audit | Current lifecycle stage and progress |
| get_audit_report | Retrieve the full report for a completed audit | Complete findings, scores, and recommendations |
| search_audits | Search across all audited skills | List of matching audit summaries |

Quick Check Workflow

To check a skill that has already been audited, use get_skill_summary:

Check if the "filesystem-server" MCP skill is safe to install.

Your agent calls get_skill_summary with the skill name and returns the trust score, verdict, and recommendation immediately — no waiting required.

Full Audit Workflow

For skills that haven’t been audited yet, run a full audit:

Step 1: Submit the audit

Audit the skill at https://github.com/example/mcp-server-demo

Your agent calls submit_audit and receives an audit ID.

Step 2: Poll for completion

The agent calls check_audit_status with the audit ID. Audits progress through these stages:

queued → scanning → analyzing → summarizing → finalizing → complete

Step 3: Retrieve the report

Once status is complete, the agent calls get_audit_report to get the full results — including trust score, verdict, recommendation, dimension scores, and individual findings.

Example: Agent-Driven Install Decision

A typical interaction looks like this:

  1. User asks their agent to install an MCP skill.
  2. Agent calls get_skill_summary to check if the skill has been audited.
  3. If no audit exists, agent calls submit_audit and polls with check_audit_status.
  4. Agent reads the verdict and recommendation from the report.
  5. Based on the recommendation (INSTALL, INSTALL_WITH_CAUTION, REVIEW_BEFORE_INSTALL, or DO_NOT_INSTALL), the agent either proceeds, warns the user, or blocks the install.

This keeps the security check inside the agent’s native workflow — no context switching, no separate dashboards.
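
The full audit workflow and the install decision above, combined into one fail-closed gate, as an added example that is not Oathe's own code. The `call_tool` hook, the argument names `skill` and `audit_id`, the response fields `recommendation`, `status` and `audit_id`, and the mapping of the four recommendations onto proceed, warn and block are assumptions; unknown values, unexpected stages and timeouts all block the install.

```python
import time

STAGES = ["queued", "scanning", "analyzing", "summarizing", "finalizing", "complete"]
# Assumed mapping of the page's four recommendations onto proceed / warn / block.
ACTIONS = {
    "INSTALL": "proceed",
    "INSTALL_WITH_CAUTION": "warn",
    "REVIEW_BEFORE_INSTALL": "warn",
    "DO_NOT_INSTALL": "block",
}

def decide(recommendation):
    """Map a recommendation to an action; anything unrecognised blocks."""
    return ACTIONS.get(recommendation, "block")

def gate_install(call_tool, skill, max_polls=30, delay=2.0, sleep=time.sleep):
    """Return (action, reason). call_tool(name, args) -> dict is a hypothetical MCP client hook."""
    summary = call_tool("get_skill_summary", {"skill": skill}) or {}
    rec = summary.get("recommendation")  # assumed field name
    if rec is not None:
        return decide(rec), f"existing audit: {rec}"
    audit_id = call_tool("submit_audit", {"skill": skill}).get("audit_id")
    if not audit_id:
        return "block", "audit submission returned no audit ID"
    for _ in range(max_polls):
        stage = call_tool("check_audit_status", {"audit_id": audit_id}).get("status")
        if stage not in STAGES:  # a stage the page does not list is treated as a failure
            return "block", f"unexpected audit stage: {stage!r}"
        if stage == "complete":
            report = call_tool("get_audit_report", {"audit_id": audit_id})
            rec = report.get("recommendation")
            return decide(rec), f"new audit: {rec}"
        sleep(delay)
    return "block", "audit did not complete in time"

def fake_server(stages, recommendation):
    """Constructed stand-in for the MCP server, used only to exercise the gate."""
    stages = iter(stages)
    def call_tool(name, args):
        if name == "get_skill_summary":
            return {}  # no previous audit
        if name == "submit_audit":
            return {"audit_id": "audit-0001"}  # constructed ID
        if name == "check_audit_status":
            return {"status": next(stages)}
        return {"recommendation": recommendation}  # get_audit_report
    return call_tool
```
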