If you use Claude Desktop, Cursor, Cline, or Continue, you've probably installed MCP servers from a "curated list" or directory. Here's the uncomfortable truth: most of those directories don't actually audit the servers they list. They're curated lists, not security audits.
I built an MCP marketplace that actually audits every server. Here's what I learned about MCP security — and how you can protect yourself.
The problem with MCP directories today
Most "awesome-mcp-servers" lists work like this:
- Someone submits a GitHub repo
- The maintainer adds it to the README
- That's it. No audit. No scan. No sandbox.
This means:
- A typo in the repo URL → you install the wrong thing
- A malicious PR merged into a legit repo → you install malware
- A typosquatting repo with a similar name → you install a trojan
This actually happened. Two weeks ago, a typosquatting repo (JuanquiFortuny/prospector-mcp-email-finder) slipped a Windows trojan (Trojan:Win64/Lazy.PGPK!MTB) into a competing MCP directory via a fake "Download Latest Release" badge.
What real MCP security looks like
At MarketNow, every MCP server goes through 8 audit layers before entering the catalog:
Layer 1-2: Static analysis
- 6 metadata checks (auth, injection, CORS, OAuth, rate limiting)
- 18 Semgrep rules + 18 secret patterns + OSV dependency check
Layer 3: Binary & malware detection
Opens the actual package zip (recursively — zips inside zips) and scans for:
- Windows binaries (
.exe,.dll,.scr) - Launcher scripts (
.bat,.cmd,.vbs,.ps1) - Nested archives (red flag)
- Obfuscated Lua bytecode
- External download URLs in READMEs
- PowerShell encoded commands
Layer 4: Malware family signatures
17 YARA-equivalent rules for known malware families: Emotet, Cobalt Strike, Mimikatz, RedLine, Vidar, Raccoon, LummaC2, AsyncRAT, njRAT, Remcos, and more.
Layer 5-8: Runtime defense
- WAF (40 attack signatures)
- Honeypot (50+ fake paths that ban scanners)
- Threat intel feeds (abuse.ch: URLhaus + MalwareBazaar + ThreatFox)
- Auto-quarantine (malicious skills removed + publicly listed)
What this means for you
When you browse marketnow.site, every skill has:
- A Sentinel score (0-10) — how safe is this server?
- A signed certificate — SHA-256 signed, publicly verifiable
- A risk level — low / medium / high / critical
- Source disclosure — which GitHub repo it came from
- L2 sandbox results (for 206 skills) — actual runtime behavior in a gVisor sandbox
How to use it
Option 1: Browse the web UI
Go to marketnow.site, search for what you need, check the Sentinel score, and copy the install command.
Option 2: Use the MCP server
Add MarketNow as an MCP server in your assistant:
{
"mcpServers": {
"marketnow": {
"command": "npx",
"args": ["-y", "marketnow-mcp"]
}
}
}
Now you can ask Claude/Cursor/Cline: "Find me a filesystem MCP server with a high security score" — and it'll search MarketNow, filter by Sentinel score, and return only audited servers.
Option 3: Use the API directly
# Search for skills
curl "https://marketnow.site/api/search?q=filesystem" | jq
# Get a skill's security certificate
curl "https://marketnow.site/api/audit-skill?skillId=mn-mcp-filesystem" | jq
The trust layer: ATC
For agent-to-agent trust, we also built ATC (Agent Trust Card) — SSL certificates for AI agents:
# Verify any agent's trust card
curl "https://marketnow.site/api/atc?action=verify&card_id=ATC-2026-XXXXXXX"
Returns: valid/invalid, Sentinel score, risk level, signature verification, revocation status.
What you can do today
- Stop installing MCP servers from uncurated lists. Check if the directory actually audits the servers.
- Check the GitHub repo before installing. Stars, last commit, open issues, license.
- Use MarketNow (shameless plug, but it's free and actually audits everything).
-
Verify Sentinel certificates at
marketnow.site/verifybefore trusting a skill. - Report suspicious skills — open an issue at github.com/edgarfloresguerra2011-a11y/marketnow.
The bigger picture
MCP is becoming the standard for how AI assistants call external tools. But the trust infrastructure doesn't exist yet. Anyone can publish an MCP server, and most directories don't check anything.
MarketNow is trying to fix this: every server audited, every certificate signed, every incident public. The marketplace is free. The security infrastructure is the product.
Try it: https://marketnow.site
Install: npx -y marketnow-mcp
GitHub: https://github.com/edgarfloresguerra2011-a11y/marketnow
— Edison Flores, AliceLabs LLC
Top comments (0)