// Review MCP server specifications and updates for compliance, security, and quality. Use when evaluating server.json files, PRs adding/updating servers, or assessing MCP server changes. NOT for creating new entries (use add-mcp-server instead).
| name | mcp-review |
| description | Review MCP server specifications and updates for compliance, security, and quality. Use when evaluating server.json files, PRs adding/updating servers, or assessing MCP server changes. NOT for creating new entries (use add-mcp-server instead). |
| allowed-tools | Read Grep Glob Bash WebFetch |
You are an expert reviewer for the ToolHive Registry. Evaluate server.json files and MCP server submissions for spec compliance, security, registry inclusion criteria, and completeness.
For detailed field specs, see server-json-spec.md. For full registry inclusion criteria, see registry-criteria.md and server-criteria.md.
Determine what you're reviewing:
Read the server.json and check, in order:
packages (container) or remotes (remote)?$schema, name, description, title, version, repository, icons_meta key must exactly equal packages[0].identifier or remotes[0].urltier, status, tools, overview all present and validicons array present with correct icon.svg URL## Title\n\n followed by 3-5 sentencesmetadata.* or tool_definitions present in new submissions"remote"; oauth_config present if OAuth requiredtransport.url present when type is streamable-httpRun task catalog:validate to catch schema-level issues.
Must verify:
latest)isSecret: true in environmentVariablespermissions (users configure mounts at runtime)insecure_allow_all: true unless justified (e.g., fetch servers)For new servers, assess the source repository against registry inclusion criteria. See server-criteria.md for the full checklist and verification commands.
Critical checks (use gh CLI, GitHub MCP tools, or WebFetch — whichever is available):
.github/dependabot.yml) OR Renovate (renovate.json, .renovaterc, .renovaterc.json, .github/renovate.json)SECURITY.md.github/workflows/ contents; confirm CI runs and passesInclusion criteria summary:
| Category | What to Check |
|---|---|
| Open source | Public repo, permissive license (Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause) |
| Security | Provenance, pinned deps, security scanning, sensitive info handling, no known CVEs, SECURITY.md |
| Quality | CI present, tests exist, linting, code review practices |
| Stability | Semver tags, low breaking change frequency, backward compat |
| Releases | CI-based automation, regular cadence, changelog maintained |
| Documentation | README with setup, tool docs, deployment guidance |
| Community | Issues responded within 3-4 weeks, active development, contributor diversity, org backing |
| MCP compliance | Protocol support, appropriate transport type |
For updates to existing entries:
packages[0].identifier AND _meta extension keyFocus review on changed aspects, not full re-review.
## MCP Server Review
**Server**: <name>
**Type**: Container / Remote
**Repository**: <url>
**Verdict**: APPROVE / REQUEST_CHANGES / REJECT
---
### Inclusion Criteria
| Criteria | Status | Notes |
|----------|--------|-------|
| Open Source | Pass/Fail | |
| License | Pass/Fail | <license> |
| Security Practices | Pass/Fail | |
| Code Quality | Pass/Fail | |
| Stability | Pass/Fail | |
| Documentation | Pass/Fail | |
| Community | Pass/Fail | |
### Spec Compliance
| Check | Status | Notes |
|-------|--------|-------|
| Required top-level fields | Pass/Fail | |
| Package/Remote config | Pass/Fail | |
| Extension key match | Pass/Fail | |
| Transport valid | Pass/Fail | |
| Icons present | Pass/Fail | |
| Overview format | Pass/Fail | |
| Tools listed | Pass/Fail | |
| No auto-populated fields | Pass/Fail | |
| Tags (remote tag if applicable) | Pass/Fail | |
### Security Review
- [ ] Image tag pinned (not `latest`)
- [ ] Secrets marked `isSecret: true`
- [ ] No filesystem paths in permissions
- [ ] Network permissions scoped
- [ ] Extension key matches identifier/URL
- [ ] Provenance configured
### Findings
**Issues (must fix):**
1. ...
**Suggestions (optional):**
1. ...
---
### Validation
Run `task catalog:validate` to verify spec compliance.
| Situation | Action |
|---|---|
| Repository is private or inaccessible | Note it — cannot verify inclusion criteria; ask submitter for access or evidence |
| License file missing or ambiguous | Request clarification; do not assume permissive |
gh CLI errors or rate-limited | Fall back to WebFetch for README; note what couldn't be verified |
task catalog:validate fails | Report the exact error; it must pass before approval |
| Unclear whether server needs OAuth | Check the upstream README/docs for auth requirements |
| Provenance info unavailable | Flag as missing — expected for all servers per registry criteria |
| Field | Options |
|---|---|
| Tier | Official, Community |
| Status | Active, Deprecated |
| Transport | stdio (containers only), streamable-http (preferred for HTTP), sse (legacy) |
| Accepted licenses | Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause |
| Rejected licenses | AGPL-3.0, GPL-2.0, GPL-3.0, LGPL-* |
task catalog:validate # Validate all entries
task catalog:build # Build registry
jq '.servers["<name>"]' build/toolhive/registry.json # Check container entry
jq '.remote_servers["<name>"]' build/toolhive/registry.json # Check remote entry
Review skill submissions and updates for compliance, security, and quality. Use when evaluating skill.json files, SKILL.md content, PRs adding/updating skills, or assessing skill changes in the ToolHive registry. NOT for reviewing MCP server entries (use mcp-review) or creating new skills (use add-mcp-server).
Audit and harden GitHub Actions workflows against prompt injection, pull_request_target exploits (Pwn Requests), expression injection, cache poisoning, credential theft, and supply chain attacks. Based on Clinejection and hackerbot-claw campaigns. Use when reviewing CI/CD security, securing AI agent workflows, hardening publishing pipelines, or checking for GitHub Actions misconfigurations. Also covers slash command authorization, CLAUDE.md protection, and network egress. NOT for general CI/CD optimization or non-security workflow issues.
Reviews pull requests by analyzing code changes, checking for common issues, and providing structured feedback with suggestions.
Guide for creating effective skills. Use when users want to create a new skill, update an existing skill, build a slash command, or extend agent capabilities with specialized knowledge, workflows, tool integrations, or custom commands.
Add new MCP server entries to the ToolHive registry. Creates server.json and icon.svg files with correct schema, _meta extensions, and validation. Use when adding a server, creating a registry entry, onboarding an MCP server, or writing server.json. NOT for reviewing existing entries (use mcp-review).