
State of MCP Security

An open look at what MCP servers can actually do — and what that means for AI agent security.


What this is

MCP servers are the plugin layer for AI agents — except a plugin here isn't just code you import. It hands an agent your shell, filesystem, browser, APIs, database, Slack, GitHub, wallet, email, cloud. A normal npm package can't rm -rf your prod. An MCP server with a run_command tool absolutely can.

dangerous ≠ malicious. A DevOps MCP needs shell. A wallet MCP touches crypto — that's the job. The question isn't "is it evil?" — it's "does what this thing can do match what it claims, and is that power guarded?"

Before installing, your signals are stars, a README, and vibes. None tell you if it execs shell, reads .env, touches keys, or ships tool descriptions that reprogram your agent. MCP-INDEX is the observability layer that does: before you plug a server in, here's what it can actually do.

Methodology

We crawl GitHub with multiple keyword queries, classify via heuristic file-tree analysis, then run two-phase LLM analysis (purpose detection + vulnerability auditing) plus a regex IOC scan over source files.


total findings · but findings cluster — one repo can throw ten. Counted by repo: have any finding (%). Only repos (%) have a critical issue. The bulk is medium/low — worth knowing, not "everything is on fire."

Exploitable vs. inherent

This is the key distinction. Not every "finding" is a bug to panic about. Some are genuinely dangerous. Others are inherent to what an MCP server is.

Exploitable — for real

Unauthenticated shell exec, arbitrary code exec, credential exposure, file write, secret leakage, destructive actions. If a repo has one of these, the attack isn't theoretical — the capability is sitting in code, wired and callable.
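To make "is that power guarded?" concrete, here is an added example (not code from MCP-INDEX or from any server it indexes) of the two shapes a run_command tool can take: the unguarded one that hands the agent's string to a shell, and a guarded one that checks a shared token, parses the request into an argv list, and rejects anything outside a declared allowlist before anything executes. The allowlist, the token value and the helper names are assumptions for this example.

```python
import hmac
import shlex
import subprocess
from typing import List, Optional

# Hypothetical allowlist for this example: the only binaries and arguments the
# tool claims to need. A real server would derive this from its stated purpose.
ALLOWED_ARGS = {
    "ls": {"-l", "-a", "-la"},
    "git": {"status", "log", "diff"},
}


class ToolError(Exception):
    """Raised when a call is rejected before anything executes."""


def run_command_unguarded(cmd: str) -> str:
    """The shape the page warns about: the agent's string goes straight to a
    shell. Whatever ends up in `cmd` (typed by a user, or planted in a poisoned
    tool description) runs with the server's privileges."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_command(cmd: str, caller_token: str, expected_token: str) -> List[str]:
    """Validate a run_command request and return the argv to execute.

    Three guards: the caller must present the shared token (constant-time
    comparison), the binary must be on the allowlist, and every argument must
    be one the allowlist names. No shell is involved, so ';', '&&' and '$()'
    are ordinary characters that fail the allowlist, not operators.
    """
    if not hmac.compare_digest(caller_token.encode(), expected_token.encode()):
        raise ToolError("unauthenticated: tool requires the server's shared token")
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:  # unbalanced quotes and similar parse failures
        raise ToolError(f"unparseable command: {exc}") from None
    if not argv:
        raise ToolError("empty command")
    binary, args = argv[0], argv[1:]
    if binary not in ALLOWED_ARGS:
        raise ToolError(f"binary not allowed: {binary!r}")
    bad = [a for a in args if a not in ALLOWED_ARGS[binary]]
    if bad:
        raise ToolError(f"arguments not allowed for {binary}: {bad!r}")
    return argv


def rejection_reason(cmd: str, caller_token: str, expected_token: str) -> Optional[str]:
    """Return why a request would be refused, or None if it passes; useful for
    logging refused calls so an operator can see what an agent tried to do."""
    try:
        check_command(cmd, caller_token, expected_token)
    except ToolError as err:
        return str(err)
    return None


def run_command_guarded(cmd: str, caller_token: str, expected_token: str) -> str:
    """Execute only what check_command approved, as an argv list (no shell)."""
    argv = check_command(cmd, caller_token, expected_token)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    TOKEN = "example-shared-secret"  # constructed; a real server loads this from config
    print(check_command("git status", TOKEN, TOKEN))
    for attempt in ("ls -l; cat .env", "git log --all", "ls"):
        reason = rejection_reason(attempt, TOKEN, TOKEN)
        print(attempt, "->", reason or "allowed")
```

The guarded version is deliberately strict: a request like `ls -l; cat .env` is parsed into `['ls', '-l;', 'cat', '.env']`, and `-l;` simply is not an allowed argument. Whether the allowlist is the right mechanism depends on the server; the point is that capability and guard are decided in code, not by whoever can write into the agent's context.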

Inherent attack surface

SSRF potential, excessive capability scope, missing input validation, prompt injection surface. Mostly a consequence of what an MCP server is. Flagging "prompt injection surface" on an MCP server is like flagging "accepts HTTP" on a web server — true, inherent, worth knowing.

The honest takeaway: the ecosystem isn't "95% hacked." Most findings are inherent surface. The smaller exploitable core has genuinely dangerous issues. That's the real story.

Categories


Indicators

Indicators describe what the code does, not a verdict. A 'telegram' match means it talks to Telegram — could be C2, could be legit alerts. 'crypto-wallet' is a context tag (crypto-related code, not a risk indicator). We point; we don't guess.

rsa-key: Private key material in the source — BEGIN PRIVATE KEY, id_rsa, SSH key paths. A private key in a repo is a private key in everyone's repo. Rarely legitimate.
hex-blob: A long hex-encoded blob in the code. Sometimes a legit binary constant, often where packed payloads and shellcode like to hide. Worth a look.
xor: XOR against a key — data[i] ^ key[i % len], a named xor function. The classic cheap obfuscation/decode primitive. Legit crypto uses real libraries; XOR-with-a-key in raw code is a payload-decode tell.
telegram: Code talking to Telegram's bot API. Could be legit alerting, could be a dead-drop C2 channel — Telegram bots are a known exfil/command path. We point; you check the context.
webhook: Outbound to Discord/Slack webhooks. Usually notifications. Occasionally a quiet exfil channel that blends into normal traffic. Same deal — depends on what's flowing through it.
pastebin-ipfs: References to pastebin, IPFS, or similar external content stores. Fine for sharing snippets; also where second-stage payloads and config get parked. Unusual enough in an MCP server to flag.
crypto-wallet: The repo works with crypto — Solana, Ethereum, wallets, RPC endpoints, market data. This is a context tag, not a warning: a crypto MCP using crypto is doing its job. It's here so you know the server touches financial primitives, which raises the stakes if anything else is off.
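The regex IOC scan in the methodology and the indicator list above describe the same thing from two sides: a set of named patterns run over source files, reported as "the code does X" rather than as a verdict. The following is an added example of that scan, written for this page; it is not MCP-INDEX's rule set, and every pattern, the sample file and the context/risk split are assumptions chosen to match the indicator descriptions. The sample source is constructed and the Telegram token in it is a placeholder.

```python
import re
from typing import Dict, List

# Approximate patterns for the indicators described above (assumptions, not the
# index's real rules). Each one says "this code talks to / contains X".
INDICATORS = {
    "rsa-key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----|\bid_rsa\b|\.ssh/id_"
    ),
    # 32+ escaped bytes, or 128+ contiguous hex digits
    "hex-blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){32,}|\b[0-9a-fA-F]{128,}\b"),
    # data[i] ^ key[i % len(key)] style loops, or a function literally named xor*
    "xor": re.compile(
        r"\^\s*\w+\[\s*\w+\s*%\s*(?:len\(\w+\)|\w+\.length)\s*\]"
        r"|\bdef\s+xor\w*\s*\(|\bfunction\s+xor\w*\s*\("
    ),
    "telegram": re.compile(r"api\.telegram\.org/bot"),
    "webhook": re.compile(r"discord(?:app)?\.com/api/webhooks|hooks\.slack\.com/services"),
    "pastebin-ipfs": re.compile(r"pastebin\.com|ipfs\.io|/ipfs/|ipfs://"),
    "crypto-wallet": re.compile(
        r"\b(?:solana|ethereum|ethers|web3|mainnet-beta|eth_sendTransaction)\b", re.I
    ),
}

# Tags that describe what the code is about rather than a risk signal.
CONTEXT_TAGS = {"crypto-wallet"}


def scan_source(text: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every indicator that fires.

    Line numbers, not a score: the reader is meant to open the file and look,
    which is the "we point; we don't guess" stance of the indicator list.
    """
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def summarize(hits: Dict[str, List[int]]) -> Dict[str, List[str]]:
    """Split fired indicators into risk signals and context tags."""
    return {
        "risk": sorted(n for n in hits if n not in CONTEXT_TAGS),
        "context": sorted(n for n in hits if n in CONTEXT_TAGS),
    }


# Constructed sample of an MCP server source file, written to trip several
# indicators at once. "<TOKEN>" is a placeholder, not a real bot token.
SAMPLE_SOURCE = """\
import requests

RPC = "https://api.mainnet-beta.solana.com"
KEY_PATH = "~/.ssh/id_rsa"
BLOB = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

def xor_decode(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def notify(msg):
    requests.post("https://api.telegram.org/bot<TOKEN>/sendMessage", json={"text": msg})
"""


if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for name, lines in sorted(found.items()):
        print(f"{name:14s} lines {lines}")
    print(summarize(found))
```

On the constructed sample, the scan reports rsa-key, hex-blob, xor and telegram as risk signals with the lines they fired on, and crypto-wallet as a context tag only. Nothing here decides that the file is malicious; as the page says, a Telegram call could be alerting and a hex blob could be a legitimate constant, so the output is a list of places to read, not a score.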

Conclusions

Tool poisoning is real in research and PoCs — postmark-mcp (Sept 2025), Smithery registry compromise (Oct 2025), Invariant's WhatsApp exfil PoC — but at our scale it's still demos and honeypots. Zero covert cases in repos with real traction. The attack is documented; it isn't deployed at scale yet.

The material risk today isn't covert malware. It's legitimately dangerous, insecure capability — MCP servers that exec shell, run code, or expose creds with no auth. If one gets supply-chain compromised the way postmark did, the dangerous capability is already sitting there, pre-installed and trusted.

The surface is real, the numbers are real, and the honest picture — a few genuinely dangerous servers, many inherently powerful ones, zero covert campaigns — is more useful than fear. We'll keep counting. You keep verifying.