The Model Context Protocol is the connective tissue of the AI agent ecosystem. It's how Claude, Cursor, VS Code Copilot, and hundreds of other AI tools connect to external services, databases, APIs, and local system resources. There are now over 16,000 MCP servers in the wild, and the number is growing by hundreds every week.
We've spent the last several months scanning, analyzing, and probing MCP servers at scale. Our registry at CraftedTrust has indexed 4,275 servers and scored each one across 12 security categories aligned to the CoSAI threat taxonomy. What we found is concerning.
The average trust score for statically analyzed npm packages is 54 out of 100. That's an F.
The problem is structural, not incidental
MCP servers occupy a uniquely dangerous position in the software stack. A traditional API serves data to an application that a developer controls. An MCP server serves data and capabilities to an AI model that reasons about what to do next. The model decides which tools to call, what parameters to pass, and how to interpret results. This means a compromised or poorly built MCP server doesn't just return bad data. It can influence the behavior of the entire agent.
Three categories of vulnerabilities show up repeatedly across the ecosystem.
1. Servers that give agents too much power with too few guardrails
This is the most common pattern. An MCP server exposes a tool that does something dangerous (execute code, navigate a browser, run shell commands, read the filesystem) and relies entirely on the AI model to use it responsibly.
We recently published a critical advisory for chrome-local-mcp, an npm package with 332 weekly downloads that gives AI agents browser automation capabilities. We found three chained vulnerabilities:
Arbitrary JavaScript Execution (CWE-94, Critical): The server exposes an eval MCP tool and an HTTP /eval endpoint that pass user-supplied JavaScript directly to Puppeteer's page.evaluate() with no restrictions whatsoever. Because the browser uses a persistent profile directory that retains login sessions across invocations, an attacker can navigate to any site where the user is logged in and extract document.cookie, localStorage, session tokens, or any DOM content.
SSRF via Unrestricted URL Navigation (CWE-918, High): The navigate tool passes URLs directly to page.goto() with no validation. No scheme allowlist (accepts file://, data:, javascript:), no hostname blocklist (allows 169.254.169.254, localhost, internal IPs), and no port restriction. On cloud-hosted deployments, this enables direct credential theft from instance metadata endpoints.
Unauthenticated HTTP API on All Interfaces (CWE-306, High): The Express server listens on 0.0.0.0 with no authentication. All 15 endpoints are accessible to any local process or network neighbor. Any website opened in a regular browser can send fetch('http://localhost:3033/eval', {method:'POST', body:...}) to execute arbitrary JavaScript in the Puppeteer session.
These three findings chain together into a full attack: any website you visit in your normal browser can silently call the unauthenticated local API, navigate the Puppeteer session to a site where you're logged in, and extract your credentials. No user interaction required beyond having the MCP server running.
The full advisories are published on CraftedTrust Touchstone.
2. Supply chain trust is nearly nonexistent
MCP servers are typically installed via npx from npm or cloned from GitHub. The installation process is: a user copies a JSON config snippet from a README, pastes it into their MCP client config, and the next time their AI tool starts up, it runs npx some-package as a subprocess with whatever permissions the user has.
There is no code signing. There is no permission manifest. There is no sandbox by default. If the package author pushes a malicious update, it executes automatically the next time the user's AI tool starts.
We published two supply chain advisories this week. One for a third-party republication of the official Notion MCP server (@osematouati/notion-mcp-server) that claims to be "Official" and points its repository field to Notion's GitHub org but has no npm provenance attestation and a single maintainer. Another for a Gmail MCP server (@gongrzhe/server-gmail-autoauth-mcp) requesting gmail.modify and gmail.settings.basic scopes with zero provenance verification across all 7 published versions.
Research from other teams corroborates the scale: Astrix Security found that 53% of MCP servers use static secrets (API keys embedded in configuration), BlueRock Security found 36.7% of 7,000+ servers potentially vulnerable to SSRF, and the OpenClaw ecosystem saw over 800 malicious skills published across 12 attacker accounts, roughly 20% of the ClawHub registry.
3. The attack surface extends beyond tool descriptions
CyberArk's research demonstrated that tool poisoning doesn't just hide in the description field. Every schema field is a potential injection vector: parameter names, types, anyOf/oneOf constructs, enum values, and even tool output. Their testing showed an 84.2% success rate for tool poisoning attacks with auto-approval enabled. Invariant Labs found that even the best-performing model (Claude 3.7 Sonnet) had less than a 3% refusal rate against tool poisoning, and more capable models are actually more susceptible.
This means traditional security scanning that only checks for known malicious patterns in tool descriptions is catching a fraction of the real attack surface.
What we're doing about it
CraftedTrust operates as an independent trust verification layer for the MCP ecosystem. Every server in our registry is scored across 12 security categories: identity and authentication, permission scope, transport security, declaration accuracy, tool integrity, supply chain, input validation, data protection, network behavior, code transparency, publisher trust, and protocol compliance. Scores map to five compliance frameworks (CoSAI, OWASP Top 10 for Agentic Apps, EU AI Act, NIST AI RMF, and AIUC-1).
Our security research arm, CraftedTrust Touchstone, runs automated deep scans across 60 security checks in 8 domains, auto-triages findings, and manages a 90-day coordinated disclosure pipeline. When we find something, we notify the maintainer, give them 90 days to fix it, and publish the advisory with full technical details.
We also built an MCP server interface so AI agents can check trust scores programmatically before connecting to any server. Add CraftedTrust to your agent's MCP config and it can call check_trust on any server URL before deciding whether to connect:
{
"mcpServers": {
"craftedtrust": {
"url": "https://mcp.craftedtrust.com/api/v1/mcp"
}
}
}
Six tools are available: check_trust, scan_server, search_registry, get_stats, pay_for_certification, and verify_payment. The search and stats tools are free. Premium endpoints accept x402 micropayments (USDC on Base) so agents can pay per-request without API keys or subscriptions.
What you should do right now
If you're using MCP servers with your AI tools:
Audit what's installed. Check your Claude Desktop, Cursor, or VS Code MCP config files. Every server listed there runs with your user permissions. If you don't recognize it or don't actively use it, remove it.
Check trust scores. Search for your installed servers at mcp.craftedtrust.com. If a server scores below 40 (grade D or F), investigate before continuing to use it.
Prefer servers from verified publishers. Look for servers published by the organization they claim to represent (e.g., @notionhq/notion-mcp-server over third-party republications), with multiple maintainers, npm provenance attestation, and active GitHub repositories.
Don't auto-approve tool calls. Most MCP clients support an approval flow for tool calls. Use it, at least for servers that have filesystem, network, or code execution capabilities.
If you're building MCP servers:
Get scanned. Submit your server URL at mcp.craftedtrust.com for a free 12-category trust assessment. If you want a deeper review, our certification tiers ($29/$79/$499) include enhanced scanning, compliance framework mappings, and a verified trust badge.
Read the OWASP MCP Top 10. It covers the attack patterns we see most frequently: tool poisoning, excessive permissions, SSRF, credential exposure, and supply chain compromise.
Add authentication. If your server exposes any capability beyond read-only public data, it should require authentication. OAuth 2.1 with PKCE is the standard. At minimum, don't bind to 0.0.0.0 without auth.
The MCP ecosystem is growing fast and building incredible capabilities. But the security posture of most servers assumes a world where every AI model always does exactly what the developer intended. That world doesn't exist. The sooner we build trust verification into the agent connection flow, the safer this ecosystem becomes for everyone.
Jeremy Kenitz is the founder of Cyber Craft Solutions LLC and the creator of the CraftedTrust Agent Trust Stack. CraftedTrust Touchstone advisories are published at touchstone.craftedtrust.com.
Top comments (0)