Trust Scoring

Every MCP server deployed through Conduit is scanned for security vulnerabilities, compliance issues, and performance problems. Results are distilled into a trust score and grade used by MLSs to evaluate vendor access requests.

Five scoring dimensions

Category	Weight	What it checks
Security	40%	Tool poisoning, prompt injection, data exfiltration, command injection, path traversal, credential exposure
Compliance	20%	MCP spec adherence, error handling, transport configuration, protocol version
Auth	20%	Authentication mechanisms, TLS configuration, CORS headers, credential storage
Performance	10%	Response latency, error rate, connection stability, throughput
Runtime	10%	Gateway telemetry analysis (requires active Conduit deployment)

Each category scores 0-100. The total score is the weighted sum, rounded to the nearest integer.

Grade scale

A+

95-100

90-94

B+

85-89

80-84

C+

75-79

70-74

60-69

< 60

13 finding categories

tool_poisoningTool descriptions contain hidden instructions or manipulation attempts

prompt_injectionTool outputs or resource contents contain injected prompts

data_exfiltrationTools attempt to send data to unauthorized external endpoints

command_injectionTool parameters allow arbitrary command execution

path_traversalFile operations allow access outside intended directories

credential_exposureSecrets or credentials exposed in tool definitions or responses

auth_weaknessMissing or insufficient authentication/authorization

spec_violationNon-compliance with MCP protocol specification

transport_issueTLS, CORS, or transport configuration problems

performance_issueHigh latency, timeout, or error rate

runtime_anomalyUnusual patterns detected in gateway telemetry

hidden_contentHidden or obfuscated content in tool metadata

cross_server_riskInteractions that could affect other servers or clients

Severity levels

[!!]

critical — Immediate exploitation risk. Server should not be used until resolved.

[! ]

high — Significant security concern. Should be addressed promptly.

[~ ]

medium — Moderate risk. Should be addressed in the next update.

[. ]

low — Minor concern or best practice recommendation.

[i ]

info — Informational. No action required.

Scan process

Scans are triggered on deploy, on schedule (based on plan), or manually:

bash

# Via API
POST /api/servers/:slug/scan

# Via CLI
conduit scan my-server

Scans typically take 10-30 seconds. The scanner connects to your server, discovers tools, analyzes tool definitions and behaviors, and produces findings with scores.

Badge embeds

Display your trust score with embeddable SVG badges in three styles:

Standard

<img src="https://conduitapi.dev/api/badges/{serverId}" alt="Trust Score" />

Compact

<img src="https://conduitapi.dev/api/badges/{serverId}?style=compact" alt="Trust Grade" />

Markdown (for READMEs)

[![Conduit Trust](https://conduitapi.dev/api/badges/{serverId})](https://conduitapi.dev/trust/{serverId})

Next: Data Governance →

←Access Control Data Governance→