Methodology
This is the full, public version of the rubric Interrupt Index scores against — every number below is imported directly from the same source code the scoring engine runs, so this page can’t quietly drift out of sync with real scores.
The headline: Overall LLM-Friendliness (Composite)
The big number on every tool page, in the directory, and on the category leaderboards is the Overall LLM-Friendliness score — a composite of the two things that decide whether an agent can actually use a tool: how much it forces a human into the loop (the Interrupt Score) and how machine-legible it is (the Machine-Readability Score). It is a flat, uniform 50/50 mean:
Overall = round( (Interrupt Score + Machine-Readability Score) / 2 )
The split is a deliberate flat mean for every listing — the same weighting whether a tool is one your agent runs on or one it visits — rather than a per-usage-mode weighting, so the headline stays a single, comparable number that nobody can accuse of being tuned per category. When either input hasn’t been measured yet, there is no composite and the listing reads “not yet scored.”
The badge is set by the Interrupt Score alone — not the composite
This is the important separation. The Interrupt Score and its badge (Zero- / Low- / Moderate- / High-Interrupt, Blocked) are computed exactly as before — the interrupt algorithm is unchanged (rubric v2026.1), including every disqualifier that can force regardless of the number. The composite is a presentation layer laid on top (site scoring presentation v2026.2): it sets the headline, but it never touches the badge and Machine-Readability never enters the interrupt metric or the badge. So a tool with a great API but a per-transaction bot-wall still reads Blocked on its seal even if its composite is middling — the seal tells you whether an agent can get through; the composite tells you how pleasant the whole surface is.
What counts as an interrupt
An interrupt is any point in a tool’s flow where a human must act before an otherwise-autonomous agent can proceed — a CAPTCHA, an email/SMS code, a “contact sales” wall, a terms-of-service clause banning bots, a forced redirect to finish somewhere else. Every finding our probes record is tagged along four independent axes:
| Axis | Values | What it captures |
|---|---|---|
| Timing | setup / ongoing / per_transaction | How often the operator eats the cost. |
| Hardness | soft / hard | Whether the agent can ever get past it alone. |
| Type | see taxonomy below | What kind of interrupt it is. |
| Tier / evidence quality | T0 / T1 / T2 / D (documented) | How the finding was obtained. |
Two things are deliberately kept out of this score and reported as separate companion signals instead — machine-readability quality and custody/risk posture. See Companion signals below for why, and how each is computed.
The interrupt taxonomy
Base weight is a 0–10 scale for how disruptive one instance of that interrupt type is, independent of how often it recurs — recurrence is handled separately by the timing multiplier below. The “typical” timing and hardness columns describe common real-world patterns; the actual timing/hardness used in scoring always comes from the specific finding a probe recorded, not from this table.
| Type | Base weight | Typical timing | Typical hardness | Typical detecting tier |
|---|---|---|---|---|
| CAPTCHA / bot-challenge | 6 | Setup or per-transaction (location-dependent) | Hard | T0 / T1 / T2 |
| Email OTP verification | 4 | Setup (usually) | Hard* | T1 / T2 |
| SMS / phone OTP verification | 5 | Setup or ongoing | Hard | T1 / T2 |
| Mandatory phone verification call | 7 | Setup or ongoing | Hard | T1 / T2 |
| Mailed physical code (postal) | 8 | Setup | Hard | T1 / T2 |
| “Contact sales” wall (no self-serve path) | 9 | Setup | Hard | T0 / T1 |
| Manual approval queue | 6 | Setup or ongoing | Hard | T1 / T2 |
| ToS clause banning automated/bot access | 9 | Per-transaction** | Hard | T0 |
| Mandatory redirect to vendor’s own site | 4 | Setup or per-transaction (location-dependent) | Soft | T1 / T2 |
| SSO-only signup, no API-key issuance | 5 | Setup | Hard | T1 |
| Rate-limit-triggered manual review | 3 | Ongoing | Hard | T1 / T2 |
| One-time account / payment-method provisioning | 2 | Setup | Soft | T1 |
| Identity / KYC verification | 6 | Setup | Hard | T0 / T1 |
| Crypto wallet / key-custody setup | 3 | Setup | Soft | T1 |
* Email OTP is scored hard by default because a bare API/browser agent has no inbox access; an operator with an email-reading tool available would soften this in a per-deployment override, not in the base rubric. ** ToS bans are tagged per_transaction because the prohibition applies to every future attempt, not a single mechanical step — combined with the disqualifier rule below, this is what sinks a tool’s badge regardless of its numeric score.
Timing and hardness are properties of the finding, not the type: the same type (a CAPTCHA, a redirect-to-vendor) can appear at signup (setup, usually softer) or at every checkout (per_transaction, much worse). The probe records where in the flow it occurred — the multiplier tables below are what actually encode “recurring is much worse than one-time.”
How much each interrupt costs: the multiplier tables
Every finding’s penalty is base weight × timing × hardness × evidence quality. Three independent multiplier tables:
Timing
| Timing | Multiplier |
|---|---|
| One-time (setup) | ×1 |
| Ongoing / threshold-triggered | ×3 |
| Every transaction | ×8 |
per_transaction (8×) vs. setup (1×) is the single biggest lever in the formula — it directly encodes “paid every use is much worse than paid once and amortized.” ongoing (3×) sits in between because it doesn’t hit every transaction but does recur indefinitely (fraud step-ups, rate-limit escalations).
Hardness
| Hardness | Multiplier |
|---|---|
| Soft — still automatable | ×1 |
| Hard — blocks the agent | ×2.5 |
hard (2.5×) vs. soft (1×) encodes “cannot proceed at all” vs. “slower but still automatable.”
Evidence quality (probe tier)
| Tier | Multiplier |
|---|---|
| T0 — passive/static | ×0.6 |
| T1 — unauthenticated interaction | ×0.8 |
| D — documented (public-record evidence, no live probe) | ×0.85 |
| T2 — real signup/checkout attempt | ×1 |
A Tier-0 heuristic (regex over ToS text, a homepage challenge that might be unrelated to signup) is discounted relative to a live Tier-2 observation, which is ground truth. Documented evidence (strong public-record evidence of real end-to-end behavior, without our own probe run) sits between T1 and T2.
The scoring algorithm, in plain words
- Start at 100.
- Deduplicate. If more than one probe tier flags the same underlying interrupt (same type and same location in the flow — e.g. Tier 0 and Tier 1 both catching the same CAPTCHA, or a re-probe), only the highest-tier (most trustworthy) finding counts toward the score. Lower-tier duplicates are kept and shown as corroborating evidence, but excluded from the sum — they are never triple-penalized.
- Sum weighted penalties. For each surviving finding, subtract
base weight × timing × hardness × evidence qualityfrom the running score. - Clamp to 0–100 — a tool can’t score below 0 or above 100.
- Compute confidence from which probe tiers actually ran (see Confidence below).
- Compute the badge — disqualifiers are checked first, independent of the numeric score; only if none apply do the score bands decide (see Badge tiers below).
Badge tiers
| Badge | Score band | Additional requirement | Disqualifiers (override band regardless of score) |
|---|---|---|---|
| 95–100 | No hard-blocker finding of any timing (including setup-time) and confidence = Verified (Probed) — a real Tier-2 transaction completed end-to-end with zero forced human touch. | — | |
| 80–94 (or 95–100 failing the Zero-Interrupt gate above) | — | — | |
| 50–79 | — | — | |
| 20–49 | — | — | |
| 0–19 | — | A confirmed ToS bot-ban (T0), or contact-sales-only (no self-serve path at any price), or any hard finding with per_transaction timing. |
Why disqualifiers override the score
A tool could theoretically have a low score from minor accumulated friction but no single catastrophic blocker — that’s genuinely “moderate,” and the number should say so. But a tool with an explicit contractual ban on bots, or a CAPTCHA on literally every checkout, is categorically unusable for an autonomous agent regardless of how clean everything else is — no averaging should be able to dilute that into a passing grade. That’s why the three disqualifiers above (ToS bot-ban, contact-sales-only, any hard per_transaction finding) are checked first, before the score bands are even consulted, and force outright. A setup-time hard blocker (KYC, a manual approval queue) does not force Blocked, but it does structurally prevent Zero-Interrupt — it caps a tool at Low-Interrupt no matter how high the number is.
Confidence: how sure are we?
Every score ships with a confidence label reflecting how the evidence behind it was gathered:
| Label | What it means |
|---|---|
| Verified (Probed) | A live Tier-2 agent session completed the flow end to end. |
| Verified (Partial) | A live Tier-2 session ran but stopped early at a detected hard blocker — verified up to that point, unknown beyond it. |
| Verified (Documented) | Backed by strong public-record evidence of real end-to-end behavior, without our own live probe run. |
| Provisional | Based on Tier 0/1 evidence only (passive checks, no live transaction attempt) — treat the number as a triage signal, not a verified outcome. |
Staleness decay: flows change — ChatGPT Instant Checkout itself flipped models within about six months. Confidence decays 0.15 for every 90 days since the last probe, floored at 0.20, so a score that hasn’t been rechecked in a while is shown as progressively less certain even if the badge hasn’t changed.
Probe tiers — how the evidence is gathered
| Tier | What it does |
|---|---|
| T0 — passive/static | robots.txt and agent-manifest checks, terms-of-service scanning, challenge-page detection. No interaction with the vendor at all. |
| T1 — unauthenticated interaction | Form and signup-flow inspection, without ever creating an account. |
| T2 — real signup/checkout attempt | A live agent session attempts a real signup and purchase end-to-end. Run only against vendors that welcome non-human traffic — Tier 2 is never attempted against a vendor that has already signaled bots aren’t welcome (an explicit ToS bot-ban, or any bot-prohibition signal for a vendor not already listed in an agent-commerce protocol). This gate runs before Tier 2 is even attempted, not just as a weighting after the fact. |
| D — documented | Strong public-record evidence of real end-to-end behavior (e.g. widely reported product behavior), entered without our own live probe run. |
Companion signals (displayed, never scored)
Two things affect how usable or trustworthy a tool is without being a “forced human intervention” in the sense the Interrupt Score measures. Both are shown on every tool page, but neither ever adjusts the score or badge above.
Machine-Readability Score
A separate 0–100 number covering how easy the integration itself is: presence of an OpenAPI spec, an llms.txt/agent-manifest, documented rate-limit headers, and structured error-response quality. Its absence doesn’t force a human into the loop, so it doesn’t belong in a metric literally defined as forced human intervention — but it’s still useful, so we report it alongside every score. Where a probe recorded a per-check breakdown, each individual check (pass/fail/not-checked) is shown on the tool page; hand-seeded demo listings show the score only.
Every machine-readability check carries an evidence grade — our own honesty label for how strong the real-world evidence is that the signal changes agent behavior. Proven: measured consumption or controlled-experiment effect (e.g. retrieval fetchers honoring robots.txt; AI fetchers not executing JavaScript). Plausible: a strong mechanism or documented failure mode, but no direct measurement (e.g. accessibility-tree semantics for browser agents, MCP servers). Emerging: publisher adoption is growing but no production agent consumes it yet — llms.txt is the canonical case: adoption grew ~8.8x in twelve months, yet a May 2026 log study across 137,000 domains found 97% of llms.txt files received zero requests. We keep scoring emerging standards (they are cheap to publish and adoption trajectories can flip fast — we only retire a check when its standard is dead, deprecated by its own steward, as ai-plugin.json was in 2024), but we label them honestly, and the grade never weights the score — the same posture as the T0/T1/T2 confidence tiers on the interrupt side. This model (machine-readability v3) also retired the ai-plugin.json check: OpenAI plugins were deprecated in 2024, and a review site scoring a dead standard would be exactly the failure mode these grades exist to prevent.
Custody / Risk Flag
custodial / non_custodial / not_applicable / unknown — whether a vendor holds funds/assets on the operator’s behalf. This is a risk dimension, not a friction dimension: a tool can have zero interrupts and a custodial ledger with no spend cap, or zero interrupts and non-custodial guarantees — conflating the two would corrupt the Interrupt Score itself, so it’s reported separately and rendered immediately adjacent to the badge on every tool page — never just linked from a methodology page — so a Zero-Interrupt badge is never mistaken for a safety endorsement it was never meant to make.
| Flag | Meaning |
|---|---|
| Custodial | Funds/assets pass through and are held by this vendor. A risk signal, not a friction signal — a tool can be Zero-Interrupt and custodial at the same time. |
| Non-custodial | The operator (or its agent's wallet) retains custody directly — no intermediary ever holds funds. |
| Not applicable | This tool doesn't involve holding funds or assets, so custody risk doesn't apply. |
| Unknown | Custody posture hasn't been assessed yet. |
Two things we want to be upfront about
“Not tested” is not the same as “clean”
A listing with no Tier 2 consent has zero Tier 2 findings by definition — that must never be read as “no Tier 2 interrupts found.” A check only turns green on a tool page when a probe tier capable of detecting that interrupt type actually ran and found nothing; if no capable tier has run yet, it renders as “not yet tested,” visually and textually distinct from a clean pass. The same principle is why every tool page carries an explicit “Tier 2 not tested” banner when no live signup/checkout attempt has run, rather than silently presenting the absence of Tier 2 findings as a passing signup flow.
The bar for Blocked is lower than the bar for Zero-Interrupt
Zero-Interrupt requires the strongest evidence we collect: a completed, verified Tier-2 transaction (confidence label Verified (Probed)). Blocked, by contrast, can be assigned on strong static evidence alone — a Tier-0 ToS-ban match is enough to send a tool to Blocked even at only Provisional confidence (0.55), because our own ethics-gating rule categorically forbids ever running Tier 2 against a vendor that has already signaled bots aren’t welcome. This creates a real, structural asymmetry: the worst tools on the site can never earn Verified (Probed) confidence, because attempting to verify them is exactly what our probe’s own hard stop-rule forbids. We think this tradeoff is correct — deliberately trying to complete a purchase against a vendor that has told us bots aren’t welcome would be a bad idea, not a rigor upgrade — but it means “Blocked” and “Zero-Interrupt” sit on genuinely different evidentiary bars, and we’d rather say that plainly than leave it implicit in a confidence number most people skim past.
For how we make money and what a vendor can and can’t influence, see How we make money.