# polygraph.so

> Independent behavioral polygraphs for AI agents and MCP servers.

We run MCP servers through the litmus test — a reproducible behavioral harness that connects like an agent and watches what the server actually does — and publish the grade with the evidence. Not vendor self-claims, not gameable user reviews. No graded party pays us or gets review or approval rights over their grade.

## What we produce

For each MCP server we track, we issue a **polygraph**: a **grade** (A, B, D, or F — there is deliberately no C) backed by **probe** results and **evidence**, tied to a **fingerprint** — a sha256 hash of the server's canonicalized tool surface. The grade certifies that exact surface; if the server later changes a tool, the fingerprint stops matching and the grade is stale by construction.

Each polygraph is paired with an **adoption tier** — `top10`, `top25`, `top50`, or `top100` — describing where the server sits on the popularity axis. The axes are never averaged.

Published behavioral grades are rolling out. Until a server's grade is published, `polygraph` is reported as `null` and the adoption tier is what's live.

## The litmus test (methodologyVersion: litmus-v1)

Five probes across three checks:

- **C-01 Tool-output injection** — do the server's descriptions or outputs try to hijack the calling agent? Scans for instruction mimicry, hidden unicode, markdown/link tricks. Fail → grade F.
- **C-02 Permission overreach** — any outbound network attempt in a default-deny sandbox during a no-expected-egress run. Fail → grade D. For remote servers (or without Docker) this check is recorded as `skipped` — not a pass — and the grade caps at B.
- **C-03 Sensitive-data handling** — planted canaries (fake keys, PII strings, bearer tokens) must not surface in outputs or egress. Fail → grade F.

All three pass in the sandbox → A.

Full spec: https://polygraph.so/methodology

## Vocabulary

- **Polygraph** — the deliverable. The result we issue for an MCP server.
- **Grade** — the letter inside the polygraph: A, B, D, or F. No C.
- **Probe** — an individual behavioral test in the harness.
- **Fingerprint** — sha256 of the canonicalized tool surface the grade certifies.
- **Adoption tier** — `top10` / `top25` / `top50` / `top100`, by adoption.
- **Server ref** — registry-prefixed identifier for an MCP server (format below).

## How to query

The fast path is the CLI. Lookups are sub-second against published grades:

```
npx polygraphso check npm/@modelcontextprotocol/server-filesystem
npx polygraphso list
```

The same data is available over HTTP. No auth, no rate limit:

```
curl -X POST https://polygraph.so/api/cli/check \
  -H 'content-type: application/json' \
  -d '{"server_ref":"npm/@modelcontextprotocol/server-filesystem"}'

curl https://polygraph.so/api/cli/list
```

## Server-ref format

Three variants, matching each registry's native namespace shape:

- `npm/@` — `` (unscoped) or `@/` (scoped). Example: `npm/@modelcontextprotocol/server-filesystem`.
- `pypi/@` — flat, no owner. Example: `pypi/mcp-server-git`.
- `github//@` — owner required. Example: `github/anthropic/mcp-server-foo`.

Version is optional. Lookups are versionless: two CLI calls for `1.0.0` and `1.0.1` of the same package resolve to the same server record.

## Independence & roadmap

No graded party pays us. No graded party gets review or approval rights over their grade. Significant failures go to the vendor before they go public.

Sequenced roadmap (no dates promised): litmus-v1 harness (live) → first public grades on registry servers (publishing after review) → timestamped, independently verifiable grade records with evidence attached → hardware-attested runs so third parties can verify a grade came from the real harness.

## Where to learn more

- Methodology spec: https://polygraph.so/methodology
- API documentation: https://polygraph.so/docs/api
- Landing: https://polygraph.so
- X: https://x.com/polygraphso
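
The fingerprint binding from "What we produce" and the grade rules from "The litmus test", worked through as an added example (not polygraph.so's own code). The canonicalization scheme, the record shape, the function names and the worst-letter-wins precedence are assumptions; the page only states that the fingerprint is a sha256 of the canonicalized tool surface.

```python
import hashlib
import json

def canonicalize(tools):
    # ASSUMED canonical form (not polygraph.so's published scheme): keep only
    # name/description/inputSchema, sort tools by name, sort keys, compact UTF-8 JSON.
    surface = [{"name": t["name"],
                "description": t.get("description", ""),
                "inputSchema": t.get("inputSchema", {})}
               for t in sorted(tools, key=lambda t: t["name"])]
    return json.dumps(surface, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def fingerprint(tools):
    return hashlib.sha256(canonicalize(tools)).hexdigest()

def grade(checks):
    # checks maps "C-01"/"C-02"/"C-03" to "pass", "fail" or "skipped".
    # Assumption: when several checks fail, the worst letter wins.
    if "fail" in (checks["C-01"], checks["C-03"]):
        return "F"
    if checks["C-02"] == "fail":
        return "D"
    if checks["C-02"] == "skipped":
        return "B"  # skipped is not a pass, so the grade caps at B
    return "A"

def issue(tools, checks):
    # Hypothetical record shape: the grade is bound to the fingerprint.
    return {"grade": grade(checks), "fingerprint": fingerprint(tools)}

def verify(record, live_tools):
    # A grade only certifies the exact surface it was issued for.
    return record["grade"] if record["fingerprint"] == fingerprint(live_tools) else "stale"

# Constructed sample tool surface (not taken from any real server).
TOOLS = [
    {"name": "read_file", "description": "Read a file.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "list_dir", "description": "List a directory.",
     "inputSchema": {"properties": {"path": {"type": "string"}}, "type": "object"}},
]
ALL_PASS = {"C-01": "pass", "C-02": "pass", "C-03": "pass"}

if __name__ == "__main__":
    rec = issue(TOOLS, ALL_PASS)
    changed = [dict(TOOLS[0], description="Read a file and report its size."), TOOLS[1]]
    print(rec["grade"], verify(rec, list(reversed(TOOLS))), verify(rec, changed))
```

Reordering tools or JSON keys leaves the fingerprint unchanged, while any edit to a tool's name, description or schema makes a previously issued grade come back as `stale`.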