<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: AD</title>
    <description>The latest articles on DEV Community by AD (@ad_0846).</description>
    <link>https://dev.to/ad_0846</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3960763%2F971cb1ea-91eb-474a-ac5d-307fb7922da3.png</url>
      <title>DEV Community: AD</title>
      <link>https://dev.to/ad_0846</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ad_0846"/>
    <language>en</language>
    <item>
      <title>I Scanned 1,200 MCP Configs From GitHub. Here's What I Found.</title>
      <dc:creator>AD</dc:creator>
      <pubDate>Thu, 25 Jun 2026 22:25:41 +0000</pubDate>
      <link>https://dev.to/ad_0846/i-scanned-1200-mcp-configs-from-github-heres-what-i-found-45b3</link>
      <guid>https://dev.to/ad_0846/i-scanned-1200-mcp-configs-from-github-heres-what-i-found-45b3</guid>
      <description>&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;I built &lt;a href="https://github.com/arpitha-dhanapathi/pluto-aguard" rel="noopener noreferrer"&gt;Pluto AgentGuard&lt;/a&gt;, an open-source MCP security scanner, and ran it against 1,200 real MCP server configurations from public GitHub repos.&lt;/p&gt;

&lt;p&gt;The key finding: &lt;strong&gt;13% expose remote endpoints with zero authentication.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  Why This Matters
&lt;/h2&gt;

&lt;p&gt;MCP (Model Context Protocol) is how AI agents connect to tools — databases, file systems, APIs, browsers. A misconfigured MCP server is an unauthenticated backdoor into your infrastructure.&lt;/p&gt;

&lt;p&gt;But not all misconfigurations are equal. I built a scanner to separate real risks from noise.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Results
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;th&gt;Count&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;HIGH&lt;/td&gt;
&lt;td&gt;189&lt;/td&gt;
&lt;td&gt;Remote endpoints with no authentication&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MEDIUM&lt;/td&gt;
&lt;td&gt;169&lt;/td&gt;
&lt;td&gt;Unencrypted HTTP on non-localhost transport&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;INFO&lt;/td&gt;
&lt;td&gt;2,533&lt;/td&gt;
&lt;td&gt;Capability inventory (shell access, network fetch, etc.)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;156 repos (13%) had at least one HIGH-severity finding&lt;/strong&gt; — 189 unauthenticated remote endpoints across those repos.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Three Things That Actually Matter
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Remote endpoints without authentication (13%)
&lt;/h3&gt;

&lt;p&gt;If your MCP server listens on a network address with no auth, anyone on that network can invoke your tools. No exploit needed — just a well-formed JSON-RPC request.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcpServers"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"my-server"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"url"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"https://api.example.com/mcp"&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No &lt;code&gt;Authorization&lt;/code&gt; header. No API key. Wide open.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Hardcoded secrets in configs
&lt;/h3&gt;

&lt;p&gt;API keys, tokens, and database passwords committed directly in JSON. Environment variable references (&lt;code&gt;${API_KEY}&lt;/code&gt;) exist for a reason.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. eval() on LLM output
&lt;/h3&gt;

&lt;p&gt;Rare, but when present — catastrophic. Server implementations that pass model-generated strings directly to &lt;code&gt;eval()&lt;/code&gt;. Textbook remote code execution.&lt;/p&gt;




&lt;h2&gt;
  
  
  What's NOT a Vulnerability
&lt;/h2&gt;

&lt;p&gt;One thing I learned building this scanner: &lt;strong&gt;not everything that looks scary is actually a security issue.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;"Server has shell-execution tools"&lt;/strong&gt; — That's a feature. The &lt;a href="https://modelcontextprotocol.io/specification/2025-03-26/architecture" rel="noopener noreferrer"&gt;MCP spec&lt;/a&gt; puts enforcement responsibility on the client/host: &lt;em&gt;"The host process enforces security policies and consent requirements."&lt;/em&gt; Claude Desktop, Cursor, and other mainstream clients prompt before executing.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;"No response size limits"&lt;/strong&gt; — The MCP spec has no standard field for this. Flagging its absence is a tautology.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;"Dangerous package detected"&lt;/strong&gt; — Filesystem access, browser automation, shell execution — these are the &lt;em&gt;reason&lt;/em&gt; MCP servers exist. The scanner reports them for awareness, not as vulnerabilities.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  How the Scanner Works
&lt;/h2&gt;

&lt;p&gt;Pluto AgentGuard performs static analysis on MCP configuration files (JSON/YAML):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Auth detection&lt;/strong&gt; — checks for &lt;code&gt;headers&lt;/code&gt;, API keys, token references&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Transport analysis&lt;/strong&gt; — flags remote HTTP without TLS&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Secret scanning&lt;/strong&gt; — regex patterns for hardcoded credentials&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Capability inventory&lt;/strong&gt; — catalogs what tools are exposed (informational)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No runtime required. No server access needed. Just point it at your config directory.&lt;/p&gt;




&lt;h2&gt;
  
  
  Grounded in Standards
&lt;/h2&gt;

&lt;p&gt;Findings are mapped to established security frameworks:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Finding&lt;/th&gt;
&lt;th&gt;OWASP Agentic AI Threat&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;AUTH-MISSING&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Tool Misuse&lt;/strong&gt; — unauthenticated endpoints allow unauthorized tool invocation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;TRANSPORT-HTTP&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Insecure Communication&lt;/strong&gt; — unencrypted channels expose data in transit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SECRET-HARDCODED&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Credential Leakage&lt;/strong&gt; — secrets in config files end up in version control&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;EVAL-INJECTION&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Prompt Injection → Code Execution&lt;/strong&gt; — LLM output passed to eval()&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The scanner also references the &lt;a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4235509/" rel="noopener noreferrer"&gt;NSA Cybersecurity Information Sheet on AI systems&lt;/a&gt; (May 2025) and the &lt;a href="https://modelcontextprotocol.io/specification/2025-03-26/architecture" rel="noopener noreferrer"&gt;MCP Architecture Specification&lt;/a&gt; for trust boundary guidance.&lt;/p&gt;




&lt;h2&gt;
  
  
  Try It
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;pluto-aguard
pluto-aguard scan ./my-mcp-configs/ &lt;span class="nt"&gt;--format&lt;/span&gt; table
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or scan a single config:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pluto-aguard scan ~/.cursor/mcp.json
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://github.com/arpitha-dhanapathi/pluto-aguard" rel="noopener noreferrer"&gt;GitHub → pluto-aguard&lt;/a&gt; | Open source, MIT licensed.&lt;/p&gt;




&lt;h2&gt;
  
  
  Key Takeaways
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Add authentication to remote MCP endpoints.&lt;/strong&gt; Even a bearer token header blocks drive-by invocations.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Never commit secrets in MCP configs.&lt;/strong&gt; Use &lt;code&gt;${ENV_VAR}&lt;/code&gt; references.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Understand the trust boundary.&lt;/strong&gt; MCP servers provide capabilities; clients enforce approval. A server with shell access isn't a vulnerability if your client prompts before executing.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Scan your configs.&lt;/strong&gt; 13% of public repos got this wrong. You might be one of them.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>opensource</category>
      <category>python</category>
    </item>
  </channel>
</rss>
