The Problem Nobody's Talking About
If you're building with AI agents in 2026, you're probably using MCP. Anthropic's Model Context Protocol has become the standard way for AI agents to interact with external tools: databases, browsers, file systems, APIs, email.
Here's how it typically works:
- You find an MCP server on npm or GitHub
- You add it to your agent's config
- Your agent now has access to whatever that tool provides
Notice what's missing: there's no verification step. No security review. Maybe you'll get a warning - but there's no way to know if that npm package with 12 downloads from an anonymous author is safe to give terminal access to.
Your agent just goes along with it.
What We Found
We built a scanner that crawls npm, GitHub, and PyPI for MCP-related packages. It found 2,640 tools across these registries. The table below counts the subset that exposes one of the capabilities we classified as risky (a tool exposing several capabilities is counted under each):
| Capability | Count | Risk Level |
|---|---|---|
| Code execution | 53 | 🔴 Critical |
| Browser automation | 23 | 🔴 Critical |
| File system access | 13 | 🔴 Critical |
| Database queries | 11 | 🟠 High |
| Email access | 3 | 🟠 High |
| API calls | 25+ | 🟡 Medium |
The majority of these are built by solo developers. Many have minimal documentation, no security audits, and no track record. Some have been published for less than a week.
This isn't a hypothetical risk. An MCP tool with code execution access can:
- Read environment variables (API keys, database credentials, tokens)
- Execute arbitrary shell commands
- Modify or exfiltrate files
- Send data to external endpoints
- Install additional software
And AI agents run these tools automatically, often without human review of each individual action.
The Crypto Parallel
If you were around for DeFi summer in 2020, this should feel familiar. "Just connect your wallet to this random dApp" was the norm. People lost millions before the ecosystem developed security standards, audit firms, and trust signals.
The AI agent ecosystem is speedrunning the same trajectory:
- New tools appearing daily with no review process
- Developers installing packages based on README promises
- No standardized way to verify safety before execution
- Trust based entirely on npm download counts and GitHub stars
We know how this story ends if nothing changes.
Building a Trust Layer
We started asking: what if agents could check whether a tool has been reviewed before running it?
That question became AEGIS Protocol, an on-chain skill attestation registry deployed on Base (Ethereum L2). Here's how it works:
1. Discovery & Indexing
We continuously scan package registries for new MCP tools. Each discovered tool gets:
- A unique `skillHash` (keccak256 of name + source)
- Risk surface classification (code-exec, file-access, browser, database, credentials)
- Category tagging
- Metadata stored on-chain as a base64-encoded data URI
2. The Registry
Every indexed skill lives on Base Mainnet as an on-chain record. The registry contract stores:
```
skillHash => {
  publisher,
  metadataURI,
  listed (bool),
  attestations[],
  trustScore (0-100)
}
```
This isn't a centralized database we control. It's a public, permissionless registry that anyone can query.
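As an added, runnable illustration of steps 1 and 2 (example code written for this edit, not AEGIS's own scanner or SDK): it derives a `skillHash` as keccak256 over name + source, wraps the tool metadata in the base64 data URI the registry stores, and builds the record shape shown above. The page does not spell out the details, so the following are assumptions: the hash input is the UTF-8 bytes of the name immediately followed by the source string, `source` is the package's registry URL, the data URI media type is `application/json`, and the keyword heuristic in `classify` that maps MCP tool names to the five risk surfaces is hypothetical. Keccak-256 is implemented inline because Ethereum's keccak256 uses the original Keccak padding; Node's built-in `sha3-256` is the NIST variant and produces a different digest.

```javascript
// Added example: indexing an MCP tool into a registry record.
// Not AEGIS code; hash input layout, metadata schema and classifier are assumptions.

// --- Keccak-256 as Ethereum uses it (original Keccak padding 0x01 ... 0x80) ---
const RC = [
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n,
];
// Rotation offsets, lane index = x + 5*y
const ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14];
const M64 = (1n << 64n) - 1n;
const rotl = (v, n) => (n === 0 ? v : ((v << BigInt(n)) | (v >> BigInt(64 - n))) & M64);

function keccakF(s) {
  for (let r = 0; r < 24; r++) {
    const C = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
    for (let x = 0; x < 5; x++) {                       // theta
      const D = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1);
      for (let y = 0; y < 25; y += 5) s[x + y] ^= D;
    }
    const B = new Array(25);                             // rho + pi
    for (let x = 0; x < 5; x++)
      for (let y = 0; y < 5; y++)
        B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(s[x + 5 * y], ROT[x + 5 * y]);
    for (let x = 0; x < 5; x++)                          // chi
      for (let y = 0; y < 5; y++)
        s[x + 5 * y] = B[x + 5 * y] ^ (~B[((x + 1) % 5) + 5 * y] & M64 & B[((x + 2) % 5) + 5 * y]);
    s[0] ^= RC[r];                                       // iota
  }
}

function keccak256(bytes) {
  const RATE = 136;                                      // 1088-bit rate for the 256-bit variant
  const s = new Array(25).fill(0n);
  const padded = Buffer.concat([bytes, Buffer.alloc(RATE - (bytes.length % RATE))]);
  padded[bytes.length] |= 0x01;                          // pad10*1 with the Keccak (not SHA-3) domain byte
  padded[padded.length - 1] |= 0x80;
  for (let off = 0; off < padded.length; off += RATE) {
    for (let i = 0; i < RATE / 8; i++) s[i] ^= padded.readBigUInt64LE(off + i * 8);
    keccakF(s);
  }
  const out = Buffer.alloc(32);
  for (let i = 0; i < 4; i++) out.writeBigUInt64LE(s[i], i * 8);
  return out;
}

// --- Registry-side helpers ---
// skillHash = keccak256(name + source); plain concatenation is an assumption.
function skillHash(name, source) {
  return '0x' + keccak256(Buffer.from(name + source, 'utf8')).toString('hex');
}

const META_PREFIX = 'data:application/json;base64,';    // media type assumed
function toMetadataURI(meta) {
  return META_PREFIX + Buffer.from(JSON.stringify(meta), 'utf8').toString('base64');
}
function fromMetadataURI(uri) {
  if (!uri.startsWith(META_PREFIX)) throw new Error('unexpected metadata URI format');
  return JSON.parse(Buffer.from(uri.slice(META_PREFIX.length), 'base64').toString('utf8'));
}

// Hypothetical keyword heuristic from an MCP server's tool names to the page's five
// risk surfaces. A real scanner would inspect what the code does, not what it is called.
const RISK_SIGNALS = {
  'code-exec': ['exec', 'shell', 'run_command', 'eval'], 'file-access': ['read_file', 'write_file', 'list_dir'],
  browser: ['navigate', 'click', 'screenshot'], database: ['query', 'sql'], credentials: ['token', 'api_key', 'secret'],
};
function classify(toolNames) {
  const lower = toolNames.map((t) => t.toLowerCase());
  return Object.keys(RISK_SIGNALS).filter((surface) =>
    RISK_SIGNALS[surface].some((sig) => lower.some((t) => t.includes(sig))));
}

// The record shape the registry stores: no attestations and a zero score until audited.
function indexSkill({ name, source, publisher, tools }) {
  const meta = { name, source, riskSurfaces: classify(tools), tools };
  return { skillHash: skillHash(name, source), publisher, metadataURI: toMetadataURI(meta),
           listed: true, attestations: [], trustScore: 0 };
}

// Constructed sample input (not a real package or publisher).
const record = indexSkill({
  name: 'mcp-server-shell-example', source: 'https://registry.npmjs.org/mcp-server-shell-example',
  publisher: '0x0000000000000000000000000000000000000000', tools: ['run_command', 'read_file', 'list_dir'],
});
console.log(record.skillHash, fromMetadataURI(record.metadataURI).riskSurfaces);
```

One thing to check before adopting this scheme: if `source` is a registry location rather than a content hash, the `skillHash` identifies the listing, not a particular version of its code, so an attestation made against one release would appear to cover every later one unless the version (or the package tarball's integrity hash) is folded into the hash input.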
3. Attestation Layers
Skills can be audited at three levels:
| Level | Method | What It Covers |
|---|---|---|
| L1 | Automated scan | Dependency analysis, known vulnerabilities, permission scope |
| L2 | Static + dynamic analysis | Code behavior, network calls, file access patterns |
| L3 | Full manual audit | Human security researcher review, edge cases, intent analysis |
Each attestation is an on-chain record signed by the auditor, with their stake backing their reputation.
4. Agent Integration
The end goal is a one-line check before any tool execution:
```javascript
import { checkTrust } from '@aegisaudit/sdk';
const result = await checkTrust('mcp-server-mysql');
if (result.trustScore < 50) {
  console.log('⚠️ Unverified tool - proceed with caution');
}
```
The trust assumption moves from the package author to the attesting auditors, whose signatures and stake are verifiable on-chain: cryptographic proof that a tool has been reviewed, rather than a download count.
What's Live Today
We've already indexed 233 indie MCP tools on Base Mainnet, classified by risk surface. The registry is live and queryable.
The tools we prioritized for indexing are exactly the ones that need scrutiny:
- Code execution servers: tools that run arbitrary code
- Browser automation: tools that control your browser
- Database connectors: tools with direct SQL access
- File system tools: tools that read/write your disk
- Credential handlers: tools that touch API keys and tokens
Each one is on-chain with its risk classification, ready for auditors to review and attest.
The Bigger Picture: Agent Economy Trust
AEGIS isn't just a registry. It's infrastructure for an agent economy where trust is verifiable, not assumed.
The architecture supports four agent roles:
- Scout agents discover and index new tools (this is what we built first)
- Auditor agents review tools and stake their reputation on attestations
- Dispute agents challenge questionable attestations
- Consumer agents query trust scores before running any tool
As the MCP ecosystem grows from thousands to tens of thousands of tools, manual review won't scale. Agents need to be able to verify trust programmatically, and that verification needs to be tamper-proof.
Why On-Chain?
A reasonable question. Why not just build a centralized API?
- Tamper-proof records: attestations can't be silently modified or deleted
- Permissionless participation: anyone can become an auditor, no gatekeeping
- Cryptographic accountability: auditors stake ETH behind their reviews, creating real skin in the game
- Composability: any framework (LangChain, CrewAI, Claude Code) can integrate the same trust layer
- Persistence: the registry survives even if our team disappears
We chose Base for low gas costs (~$0.001 per listing) and Ethereum security guarantees.
What's Next
We're building in public. Here's what's coming:
- Trust Badge API: SVG badges for GitHub READMEs showing audit status
- Framework integrations: `aegis-langchain` and `aegis-crewai` middleware
- Auditor templates: open-source agents that can perform L1 automated scans
- Trust profile pages: SEO-optimized pages for every indexed tool
- Consumer SDK: one-line trust verification for any agent framework
Get Involved
MCP developers: Your tool may already be in our registry. Check at aegisprotocol.tech and request an audit to earn a trust badge.
Security researchers: We're actively looking for auditors. Review MCP tools, stake your reputation, earn attestation fees.
Agent builders: Integrate AEGIS checks into your stack. The SDK is on npm: @aegisaudit/sdk
Everyone else: If you're using MCP tools in production, check what you're running. You might be surprised what has access to your system.
AEGIS Protocol is deployed on Base Mainnet. Registry contract: 0xEFF449364D8f064e6dBCF0f0e0aD030D7E489cCd
aegisprotocol.tech · npm: @aegisaudit/sdk · Twitter
Tags: #mcp #ai #security #blockchain #agents #web3 #opensource