> ## Documentation Index
> Fetch the complete documentation index at: https://docs.golf.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Understanding Results

> How to interpret risk scores, governance classification, and finding categories

Golf Inventory audits every discovered MCP server against 35+ security checks. This page explains how to interpret the results.

## Risk Scoring

Golf Inventory uses the same 0–100 scoring model as the [OSS Scanner](/scanner/understanding-results#how-scoring-works):

1. Each check produces findings with a severity (critical, high, medium, note)
2. Per-check scores are combined using severity-weighted averages
3. Hard caps enforce maximum scores: any **critical** finding caps at 30, any **high** finding caps at 59
4. Risk levels: **Low** (≥60), **Moderate** (>30), **High** (≤30)

See the [Scanner scoring documentation](/scanner/understanding-results#how-scoring-works) for the full algorithm.

## Governance Classification

Every discovered server is classified into one of three governance states:

| Classification | Description                                                                                                                                                      |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Proxied**    | Server URL matches a Golf Gateway upstream. Traffic flows through the gateway, enabling threat detection, audit logging, rate limiting, and PII scrubbing.       |
| **Known**      | Server exists in Control Plane configuration (assigned to a gateway or added as a known server), but the employee connects directly, bypassing gateway controls. |
| **Shadow**     | Not configured in Control Plane at all. Unmanaged and ungoverned — no visibility into what data flows through it.                                                |

## Finding Categories

Findings are organized into 12 categories:

| Category                 | Description                                                                    |
| ------------------------ | ------------------------------------------------------------------------------ |
| NHI exposure             | Non-human identity credentials exposed in configuration                        |
| Credential access        | Plaintext credentials in arguments, URLs, or environment variables             |
| Vulnerable packages      | Known CVEs or malware in npm/PyPI packages                                     |
| Typosquatting risk       | Package names similar to known packages — possible supply chain attack         |
| Toxic combinations       | Dangerous combinations of capabilities (e.g., read secrets + external network) |
| Prompt injection         | Tool descriptions containing injection patterns                                |
| Command injection        | Shell injection metacharacters or dangerous command patterns                   |
| Authentication risk      | Missing or weak authentication on public servers                               |
| Unsandboxed              | Server running without container isolation or restrictive permissions          |
| Outdated/unmaintained    | Archived repositories, low adoption, or missing source code links              |
| Capabilities not fetched | Server capabilities have not been retrieved yet                                |
| Custom server            | Server not found in any registry — requires manual review                      |

## Platform Checks

The platform extends the OSS Scanner's 20 checks with additional analysis:

### Sandbox Analysis

Server source code is executed in an isolated cloud sandbox. The analysis examines:

* Dependency tree and count
* External domains the server communicates with
* Secrets embedded in source code
* Overall risk profile

Results are returned as severity levels from CRITICAL (deny recommendation) to NOTE (low risk).

### Capability Analysis

All server tools, prompts, and resources are analyzed for holistic risk assessment. The analysis produces per-tool assessments across seven risk categories (see below).

### Tool Description Injection Detection

Tool descriptions and input schemas are analyzed for prompt injection patterns:

* Prompt override instructions
* Data exfiltration instructions
* Cross-tool manipulation
* Obfuscation techniques (ANSI codes, zero-width characters, bidirectional text)

### Description Change Detection (TOFU/Rug-Pull)

A trust-on-first-use (TOFU) system that establishes baseline hashes for tool descriptions on the first scan. Subsequent scans compare against the baseline and flag any changes — detecting rug-pull attacks where a tool description is modified after initial trust.

## Seven Risk Categories

Capability analysis produces assessments across seven risk categories:

| Category              | Description                                                                           |
| --------------------- | ------------------------------------------------------------------------------------- |
| Destructive tools     | Tools that can delete, destroy, or corrupt data                                       |
| Open world access     | Tools with unrestricted external access                                               |
| Sensitive data access | Tools accessing credentials, PII, or financial data                                   |
| Code execution        | Tools executing arbitrary code or shell commands                                      |
| Write operations      | Non-idempotent state changes                                                          |
| Broad scope           | Over-privileged tools with excessively wide permissions                               |
| Toxic combinations    | Dangerous combinations of capabilities (e.g., read secrets + external network access) |

Each category uses severity levels: CRITICAL, HIGH, MEDIUM, or NOTE.