
What Makes a Good Security Score for Your Use Case

Not every use case needs an A-grade tool. A personal side project and a production financial system have very different security thresholds. Matching the grade to the context saves time.

May 11, 2026 · Basel Ismail
security evaluation scoring practical-guide

Context Determines the Threshold

A security grade of C might be perfectly fine for an MCP server you're using on a personal side project to query a local SQLite database with no sensitive data. The same C grade would be inappropriate for a server handling customer PII in a production environment.

The security threshold should match the risk. What data does the tool access? What actions can it take? Who's affected if something goes wrong? These questions determine whether you need an A, a B, or whether a C is acceptable.

Low-Risk Use Cases (C or above)

Personal projects, learning experiments, and tools that access only public data have low risk profiles. If the worst-case scenario is "my personal project behaves unexpectedly," a C-grade tool is often fine. The security concerns flagged at grade C (maybe some outdated dependencies, slightly slow maintenance) are unlikely to cause real harm in these contexts.

Medium-Risk Use Cases (B or above)

Team development environments, staging systems, and tools that access internal (but not regulated) data warrant B-grade tools. These environments contain information that shouldn't leak but wouldn't cause regulatory or financial consequences if compromised. B-grade tools have been checked for significant issues and are actively maintained.

High-Risk Use Cases (A strongly preferred)

Production systems, and tools that handle PII, financial data, or healthcare information, should use A-grade tools whenever possible. The stakes are high enough that the extra assurance of a top security grade is worth any limitations in tool selection.

For high-risk cases, supplement the automated security score with manual review. The score catches known issues, but high-risk environments deserve human eyes on the code, the permissions, and the data flow.

When to Accept a Lower Grade

Sometimes the only tool for your use case has a lower grade than you'd prefer. In these situations, consider: Can you mitigate the specific issues the grade reflects? If the grade is low because of an outdated dev dependency (no production impact), the risk might be acceptable. If it's low because of a critical vulnerability in a data-handling library, the risk isn't.

Searching on Skillful.sh lets you filter by minimum security grade. If filtering to A-grade tools returns no results for your use case, try B-grade. If B returns options, compare them against the C-grade tool you were considering to see if the higher-graded alternative works for you.

