How the quality score works

Every server gets a 0–100 score computed from public metadata. Every point is itemized on the server's page — nothing is editorial, nothing is pay-to-win. This page is generated from the same rubric constants the scorer runs on, so it can't drift from the implementation.

What we don't do (v1): we never execute third-party server code — scoring is 100% static analysis of public metadata (GitHub API, the official MCP Registry, npm/PyPI download stats, README text). Sandboxed runtime vetting is on the roadmap and will be labeled separately when it ships. A high score is a hygiene signal, not a security audit.

The four pillars (100 points total)

PillarWeightWhat it measures
Maintenance30How recently the repository was pushed; archived repos score zero
Adoption25GitHub stars (log scale) and package downloads over the last month
Documentation25README depth, install instructions, documented tools, working examples
Trust signals20License, first-party vendor status, verified registry namespace, org ownership

Maintenance (30 pts)

Based on the most recent push to the default branch. Archived repositories score 0 regardless of history. Issue-response time is not yet measured (planned for v2).

Last pushWindowPoints
Pushed within 14 days≤ 14 days30 pts
Pushed within 45 days≤ 45 days26 pts
Pushed within 4 months≤ 120 days18 pts
Pushed within 8 months≤ 240 days11 pts
Pushed within 12 months≤ 365 days5 pts
No push for over a year365+ days2 pts

Adoption (25 pts)

Stars are scored on a log scale — min(1, log10(stars+1) / log10(20001)) — worth up to 15 points, so 20k+ stars maxes out the scale and small-but-solid servers aren't buried. Package downloads over the last month (npm + PyPI, log scale up to 1M) are worth up to 10 points. Servers that don't publish a package (remote-only servers, for example) have their star score scaled to the full 25 points instead — missing download data is not penalized.

Documentation (25 pts)

We analyze the README as plain text (never rendered, never executed):

SignalPoints
Comprehensive README (6,000+ chars)10 pts
Substantial README (2,500+ chars)8 pts
Basic README (1,000+ chars)5 pts
Minimal README (300+ chars)2 pts
README missing or trivial0 pts
Install / setup instructions present6 pts
Tools / capabilities documented5 pts
Code or client-config example present4 pts

Trust signals (20 pts)

SignalPoints
OSS license declared (any SPDX-recognized license)7 pts
First-party vendor implementation (e.g. modelcontextprotocol, cloudflare, stripe)5 pts
DNS-verified custom-domain namespace in the MCP Registry3 pts
Published to the official MCP Registry3 pts
Owned by a GitHub organization (vs. personal account)2 pts

Grades

A ≥ 85 · B ≥ 70 · C ≥ 55 · D ≥ 40 · E < 40. Servers scoring 70+ carry the “Vetted” tag.

Data sources & cadence

GitHub Search API (top repositories tagged mcp-server, by stars), the official MCP Registry (packages, remotes, verified namespaces), npm and PyPI download statistics, and raw README text. Scores are recomputed on every crawl; the current dataset was audited on 2026-07-03.

Featured placement

Featured slots are paid, clearly labeled, and have zero effect on scores — the rubric above is the only thing that moves a score. Corrections or disputes: hello@mcp-vetted.com.