close
tool.store
GitHubDiscord

Tool Guidelines

Last updated: December 1, 2025

Introduction

These guidelines ensure that tools published to the registry are safe, well-documented, and provide value to the community. All publishers must follow these guidelines to maintain a high-quality ecosystem.

Naming Requirements

  • Names must be lowercase alphanumeric with hyphens or underscores only
  • Names must be between 2 and 64 characters
  • Names cannot start or end with hyphens or underscores
  • Names must be unique within your namespace
  • Avoid names that could be confused with official tools
  • Do not use trademarked names without authorization

Versioning

All plugins must follow semantic versioning (semver):

  • MAJOR (x.0.0): Breaking changes that require user action
  • MINOR (0.x.0): New features that are backward compatible
  • PATCH (0.0.x): Bug fixes and minor improvements

Pre-release versions (e.g., 1.0.0-beta.1) and build metadata (e.g., 1.0.0+build.123) are supported.

Required Metadata

Every tool must include:

  • name: Machine-readable identifier
  • version: Semantic version string
  • description: Brief explanation (under 200 characters)
  • authors: List of contributors

Recommended metadata:

  • display_name: Human-friendly title
  • icon: Path to icon file (PNG, SVG, or WebP)
  • readme: Path to documentation file
  • homepage: Project website or repository URL
  • license: SPDX license identifier
  • tags: Relevant keywords for discoverability

Documentation Requirements

Quality documentation is essential:

  • Include a clear description of what the tool does
  • Document all parameters and configuration options
  • Provide usage examples where applicable
  • List any dependencies or system requirements
  • Include troubleshooting guidance for common issues
  • Keep documentation updated with each version

Security Guidelines

For All Tools

  • Never hardcode secrets, API keys, or credentials
  • Use environment variables or user configuration for sensitive data
  • Validate and sanitize all user inputs
  • Follow the principle of least privilege
  • Document any permissions or access requirements

For Tools (MCP Servers)

  • Bundle dependencies to avoid supply chain risks
  • Use HTTPS for all external communications
  • Implement proper authentication for HTTP transport
  • Avoid arbitrary code execution capabilities
  • Limit file system access to necessary directories
  • Log security-relevant events appropriately

Code Quality Standards

  • Follow consistent coding style and formatting
  • Include appropriate error handling
  • Avoid deprecated APIs and dependencies
  • Test your tool thoroughly before publishing
  • Keep dependencies up to date and minimal
  • Use TypeScript or type hints where possible

Prohibited Content

The following are not allowed:

  • Malware, spyware, or any malicious code
  • Tools that violate intellectual property rights
  • Content that promotes illegal activities
  • Tools designed to bypass security measures
  • Deceptive or misleading functionality
  • Content that violates our Terms of Service
  • Tools that collect user data without consent
  • Spam, advertising, or promotional content disguised as tools

Tool-Specific Guidelines

MCPB Bundle Requirements

  • Use manifest version 0.3 or later
  • Specify compatible platforms and runtime versions
  • Declare all tools and prompts in the manifest
  • Include proper mcp_config for your transport type
  • Bundle all dependencies (no external fetching at runtime)

HTTP Transport Tools

  • Use system_config for orchestrator-controlled resources
  • Bind to localhost by default for security
  • Support OAuth configuration for authenticated endpoints
  • Document any required headers or authentication

Review Process

Submitted tools go through the following review process:

  1. Automated checks: Manifest validation, security scanning, and format verification
  2. Manual review: For new publishers or flagged submissions
  3. Publication: Approved tools are published to the registry

Review times vary based on tool complexity and current queue. Most tools are reviewed within 24-48 hours.

Updates and Maintenance

  • Keep your tools updated with security patches
  • Respond to bug reports and user feedback
  • Deprecate old versions gracefully with migration guides
  • Communicate breaking changes clearly in release notes
  • Tools inactive for 2+ years may be flagged as unmaintained

Enforcement

Violations of these guidelines may result in tool removal, account suspension, or permanent bans depending on severity. We reserve the right to remove any tool that poses a risk to users or the ecosystem. Appeals can be submitted via our support channels.

Questions and Support

If you have questions about these guidelines or need help with tool development:

  • Email: steve@zerocore.ai