We Scanned 20 Top MCP Servers for Vulnerabilities — The Results Will Shock You
TL;DR: 3 popular MCP servers have critical or high-risk security issues. 4 came back essentially clean. And GPT-4o missed almost everything when used for security scanning.
We ran 62 automated security audits on the most popular MCP servers. What we found will change how you choose AI agent packages.
👉 Scan your package now: agentaudit.dev
The Problem Nobody Talks About
MCP (Model Context Protocol) servers are exploding in popularity. Thousands of developers are installing them daily to connect AI agents to tools, databases, and APIs.
But here's the scary part: Most MCP servers have never been security audited.
These servers often have access to:
- 🔐 Your source code repositories
- 🗄️ Your databases
- 📧 Your email and communication tools
- ☁️ Your cloud infrastructure
One vulnerable MCP server = game over for your entire AI agent stack.
So we decided to scan the top 20 MCP servers ourselves. The results? Some will shock you.
🚨 High-Risk Packages (Consensus Across Models)
#1: mcp-server-kubernetes — Risk Score: 80/100 🔴
Source: modelcontextprotocol/servers
Findings: Command injection, privilege escalation, cluster escape potential
This server lets AI agents manage Kubernetes clusters. But our scan found:
- ❌ Shell injection via `exec()` patterns
- ❌ Insufficient RBAC validation
- ❌ Potential for cluster-wide compromise
Status: Maintainer notified. Do not use in production until fixed.
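To make the shell-injection pattern concrete, here's a minimal, illustrative sketch in Python (not actual mcp-server-kubernetes code): interpolating untrusted input into a shell command string is exploitable, while passing argv as a list is not.

```python
def build_unsafe(pod: str) -> str:
    # VULNERABLE: string interpolation into a shell command. If pod is
    # "app; cat /etc/passwd", a shell would run a second command.
    return f"kubectl logs {pod}"

def build_safe(pod: str) -> list[str]:
    # SAFE: argv as a list (run with shell=False), so the value is a
    # single literal argument and is never parsed by a shell.
    return ["kubectl", "logs", pod]

malicious = "app; cat /etc/passwd"
print(build_unsafe(malicious))  # "kubectl logs app; cat /etc/passwd" -> two commands
print(build_safe(malicious))    # one opaque argument, no injection
```

The fix is almost always the same: never build shell strings from agent-controlled input.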
#2: notion-mcp-server — Risk Score: 50/100 🔴
Source: makenotion/notion-mcp-server
Findings: Credential handling, API token exposure
This server connects AI agents to Notion workspaces (where your company docs live). Issues found:
- ❌ API tokens stored in plaintext
- ❌ No encryption at rest
- ❌ Potential for data exfiltration
Status: Issues reported. Use with caution.
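For contrast, here's a hedged sketch of safer token handling (the variable name `NOTION_API_TOKEN` is a hypothetical example, not taken from notion-mcp-server): read the secret from the environment instead of a plaintext file, and redact it before it can reach logs.

```python
import os

def load_token(var: str = "NOTION_API_TOKEN") -> str:
    # Hypothetical variable name. Read the secret from the environment
    # (or a secrets manager) rather than a plaintext file on disk.
    token = os.environ.get(var, "")
    if not token:
        raise RuntimeError(f"{var} is not set")
    return token

def redact(token: str) -> str:
    # Never log the full token; keep only a short prefix for debugging.
    return token[:4] + "..." if len(token) > 4 else "****"
```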
#3: chrome-devtools-mcp — Risk Score: 45/100 🔴
Source: ChromeDevTools/chrome-devtools-mcp
Findings: Browser sandbox escape, code execution
This server gives AI agents control over Chrome DevTools. Findings:
- ❌ Browser sandbox escape vectors
- ❌ Arbitrary code execution via devtools protocol
- ❌ No user consent prompts for sensitive actions
Status: Under review by the maintainers.
✅ Safe Packages (Zero or Near-Zero Findings)
These packages passed security checks across all models, with at most a single low-severity finding:
| Package | Source | Risk Score |
|---|---|---|
| ✅ Playwright MCP | microsoft/playwright-mcp | 0/100 |
| ✅ Supabase MCP | supabase/mcp | 0/100 |
| ✅ Vercel AI SDK | vercel/ai | 0/100 |
| ✅ Slack MCP | modelcontextprotocol/servers | 1/100 |
These are production-ready. Install with confidence.
🤯 The Most Surprising Finding: GPT-4o is Useless for Security
We scanned the same 20 packages with 4 different AI models:
| Model | Findings | Avg Risk Score | Cost/Scan |
|---|---|---|---|
| Gemini 2.5 Flash | 39 findings | 20.4 | ~$0.02 |
| Claude Opus 4 | 24 findings | 7.1 | ~$1.75 |
| GPT-4o | 2 findings | 0.7 | ~$0.10 |
| Claude Haiku 4.5 | 3 findings | 0.9 | ~$0.01 |
GPT-4o found only 2 findings in 15 scans. It missed:
- ❌ Command injection in kubernetes MCP
- ❌ Credential leaks in notion MCP
- ❌ Sandbox escapes in chrome-devtools MCP
Conclusion: Don't use GPT-4o for security scanning. It gives you a false sense of security.
Best value: Gemini 2.5 Flash at $0.02/scan with 20x more findings than GPT-4o.
🏆 Success Stories: Companies Doing Security Right
IBM: Adopted AgentAudit Badge
IBM recently added the AgentAudit security badge to their mcp-context-forge repo (10k+ stars).
What this means: Every user can instantly see the security status before installing.
octocode-mcp: Fixed All 5 Findings in 48 Hours
When we scanned octocode-mcp, we found 5 security issues. The maintainer's response?
Within 48 hours:
- ✅ All 5 findings fixed
- ✅ 64 regression tests added
- ✅ Public verification report posted
This is how you do open source security right. 👏
📊 Complete Results: Top 20 MCP Servers
| # | Package | Risk Score | Status |
|---|---|---|---|
| 1 | mcp-server-kubernetes | 80/100 | 🔴 Critical |
| 2 | notion-mcp-server | 50/100 | 🔴 High |
| 3 | chrome-devtools-mcp | 45/100 | 🔴 High |
| 4 | mcp-server-qdrant | 45/100 | 🟡 Disputed |
| 5 | context7 | 35/100 | 🟡 Disputed |
| 6 | git-mcp | 35/100 | 🟡 Disputed |
| 7 | terraform-mcp-server | 30/100 | 🔴 High |
| 8 | firecrawl-mcp-server | 30/100 | 🟡 Disputed |
| 9 | github-mcp-server | 20/100 | 🟡 Disputed |
| 10 | mcp-grafana | 15/100 | 🟢 Low |
| 11 | figma-context-mcp | 15/100 | 🟢 Low |
| 12 | ghidramcp | 15/100 | 🟡 Disputed |
| 13 | exa-mcp-server | 10/100 | 🟢 Low |
| 14 | mongodb-mcp-server | 6/100 | 🟢 Low |
| 15 | mcp-server-browserbase | 5/100 | 🟢 Low |
| 16 | mcp-server-cloudflare | 5/100 | 🟢 Low |
| 17 | slack-mcp-server | 1/100 | 🟢 Safe |
| 18 | supabase-mcp | 1/100 | 🟢 Safe |
| 19 | playwright-mcp | 0/100 | 🟢 Safe |
| 20 | ai (Vercel AI SDK) | 0/100 | 🟢 Safe |
Full reports: agentaudit.dev/packages
🎯 What Should You Do?
For MCP Server Maintainers
1. Scan your package NOW
- Go to agentaudit.dev
- Enter your GitHub repo URL
- Get instant security feedback
2. Add the AgentAudit Badge
[AgentAudit Badge](https://agentaudit.dev/package/your-repo)
3. Fix findings before release
- High-risk findings = block release
- Medium-risk = document or fix ASAP
- Low-risk = track in backlog
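That triage policy can be expressed as a tiny helper. The numeric thresholds below are illustrative assumptions on our part (the article's own risk bands vary by package), not an AgentAudit API:

```python
def release_action(risk_score: int) -> str:
    # Illustrative thresholds only -- tune them to your own risk appetite.
    if risk_score >= 45:
        return "block release"         # high-risk findings gate the release
    if risk_score >= 15:
        return "document or fix ASAP"  # medium-risk
    return "track in backlog"          # low-risk
```

Wire this into CI so a high-risk score fails the build automatically.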
For AI Developers
1. Check before you install
- Look for AgentAudit badges in READMEs
- No badge? Scan it yourself at agentaudit.dev
2. Use safe defaults
- ✅ Playwright MCP, Supabase MCP, Vercel AI SDK
- ❌ Avoid: Kubernetes MCP, Chrome DevTools MCP (until fixed)
3. Demand transparency
- Ask maintainers: "Where's your security audit?"
- No audit? Consider alternatives
For Security Teams
1. Implement automated scanning
- AgentAudit CLI for CI/CD pipelines
- Scan on every PR, block on high-risk findings
2. Use the right model
- Gemini 2.5 Flash for screening (cheap, high recall)
- Claude Opus 4 for verification (precise, low FP)
- Skip GPT-4o (not recommended for security)
3. Track your security posture
- Public reports build trust
- Badges show commitment to security
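The screen-then-verify model strategy from step 2 can be sketched as a two-stage pipeline. The function names and the `Finding` shape here are hypothetical, not AgentAudit's actual API:

```python
from typing import Callable

Finding = dict  # hypothetical shape, e.g. {"id": ..., "severity": ...}

def screen_then_verify(
    package: str,
    screen: Callable[[str], list[Finding]],  # cheap, high-recall pass (e.g. Gemini Flash)
    verify: Callable[[str, Finding], bool],  # precise pass (e.g. Claude Opus)
) -> list[Finding]:
    # Run the cheap model over everything, then spend the expensive model
    # only on the candidates it surfaced.
    candidates = screen(package)
    return [f for f in candidates if verify(package, f)]

# Stubbed usage: two candidates, one survives verification.
confirmed = screen_then_verify(
    "example-mcp",
    screen=lambda pkg: [{"id": 1}, {"id": 2}],
    verify=lambda pkg, f: f["id"] == 1,
)
print(confirmed)  # [{'id': 1}]
```

You pay the expensive model's rate only on the handful of candidates, not the whole corpus.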
💰 The Cost Breakdown
Total cost for all scans: ~$37
- Gemini 2.5 Flash: ~$0.80 (40 scans)
- Claude Opus 4: ~$35 (20 scans)
- GPT-4o: ~$1.50 (15 scans)
- Claude Haiku 4.5: ~$0.10 (8 scans)
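A quick sanity check of the arithmetic, with the numbers copied from the breakdown above:

```python
# (total cost in USD, number of scans) per model, from the breakdown above
runs = {
    "gemini-2.5-flash": (0.80, 40),
    "claude-opus-4":    (35.00, 20),
    "gpt-4o":           (1.50, 15),
    "claude-haiku-4.5": (0.10, 8),
}

total = sum(cost for cost, _ in runs.values())
per_scan = {model: cost / n for model, (cost, n) in runs.items()}
print(round(total, 2))                         # ~37.4 total spend
print(round(per_scan["gemini-2.5-flash"], 3))  # ~0.02 per Gemini scan
```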
You can scan your package for ~$0.02 with Gemini. That's less than a cup of coffee for peace of mind.
🚀 Join the Movement
We're on a mission to make AI agent security transparent and accessible.
How you can help:
- Scan your packages → agentaudit.dev
- Add the badge → Show users you care about security
- Share this article → Spread awareness
- Report issues → Help improve detection patterns
Together, we can make the MCP ecosystem safer for everyone.
Questions? Drop them in the comments! 👇
Scan your package now: agentaudit.dev