Comprehensive security evaluation tools for agent skills and MCP servers, powered by GitHub and Bright Data integrations.
This marketplace provides two specialized evaluation skills that utlize MCP servers:
- agent-skill-evaluator: Security and safety evaluation for agent skills (.skill files)
- mcp-evaluator: Security and privacy evaluation for MCP servers
Both skills automatically assess security vulnerabilities, privacy risks, community feedback, and provide actionable recommendations with detailed risk scoring.
/plugin marketplace add /path/to/eval-marketplaceOr from GitHub:
/plugin marketplace add github:jeredblu/eval-marketplace/plugin install evaluator-tools@eval-marketplaceDownload skills individually for manual installation:
- Download: agent-skill-evaluator.zip
- Extract the zip file
- Move contents to
~/.claude/skills/agent-skill-evaluator/ - Restart Claude Code
- Download: mcp-evaluator.zip
- Extract the zip file
- Move contents to
~/.claude/skills/mcp-evaluator/ - Restart Claude Code
Note: These skills function best with recommended MCP servers, you'll need to manually configure the MCP servers (see Configuration section below).
For Claude Desktop users:
- Download: agent-skill-evaluator.zip or mcp-evaluator.zip
- Open Claude Desktop
- Go to Settings > Capabilities > Upload Skill
- Select the downloaded zip file
- Repeat for the second skill if desired
The evaluator skills work best with two MCP servers. Both are optional but highly recommended for full functionality.
GitHub MCP Server (Recommended)
- Enables direct GitHub repository access for analyzing skills and MCP servers
- Installation: @modelcontextprotocol/server-github
- Requires: GitHub Personal Access Token
Bright Data MCP Server (Recommended)
- Enables web scraping and Reddit access for community feedback analysis
- Installation: @brightdata/mcp
- Requires: Bright Data API token
- Note: Enable Pro Mode for Reddit scraping
Install and configure these MCP servers following their official installation instructions.
Evaluate the security of agent skills from various sources:
Evaluate this skill: https://github.com/username/skill-repo
Is this skill safe? https://example.com/my-skill.skill
Security assessment for this skill please: [attach .skill file]
The evaluator will:
- Download and extract the skill
- Analyze SKILL.md for prompt injections
- Review scripts for malicious code
- Search community feedback
- Generate comprehensive security report with risk scoring
Evaluate the security of MCP servers:
Evaluate this MCP server: https://github.com/username/mcp-server
Is this MCP safe to use? https://github.com/org/mcp-repo
The evaluator will:
- Analyze repository metadata and activity
- Review code for security vulnerabilities
- Search for alternatives and comparisons
- Gather community feedback (including Reddit with Pro Mode)
- Generate detailed assessment with recommendations
- Prompt injection detection
- Malicious code pattern matching
- Hidden instruction scanning
- Data exfiltration detection
- Community validation
- Risk scoring (0-100 scale)
- Actionable recommendations
- Security vulnerability analysis
- Privacy risk assessment
- Code quality review
- Alternative server discovery
- Community feedback research (Reddit, forums, GitHub)
- Multi-dimensional scoring
- Usability assessment
Skills work without MCP servers but with reduced functionality:
| Scenario | Behavior |
|---|---|
| No GitHub MCP | Uses web scraping for repository access |
| No Bright Data | Uses built-in web search (limited) |
| No Pro Mode | No Reddit scraping, basic search only |
User: "Evaluate this MCP: https://github.com/example/server"
Claude: Uses basic web scraping, can't access private repos,
limited Reddit data, slower analysis
User: "Evaluate this MCP: https://github.com/example/server"
Claude: Direct repo access, full code review, Reddit community
feedback, comprehensive security scan
- Claude Code or Claude Desktop
- GitHub Personal Access Token (recommended)
- Bright Data API token (recommended, for Reddit scraping)