<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ares</title>
    <description>The latest articles on DEV Community by ares (@new1direction).</description>
    <link>https://dev.to/new1direction</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3967207%2Fbfb959d3-b29f-4b08-ae7d-2278b606d582.jpeg</url>
      <title>DEV Community: ares</title>
      <link>https://dev.to/new1direction</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/new1direction"/>
    <language>en</language>
    <item>
      <title>I audited 6,762 MCP servers. Here's the state of the ecosystem and the trust gap nobody's filling.</title>
      <dc:creator>ares</dc:creator>
      <pubDate>Wed, 03 Jun 2026 23:06:09 +0000</pubDate>
      <link>https://dev.to/new1direction/i-audited-6762-mcp-servers-heres-the-state-of-the-ecosystem-and-the-trust-gap-nobodys-filling-2lkj</link>
      <guid>https://dev.to/new1direction/i-audited-6762-mcp-servers-heres-the-state-of-the-ecosystem-and-the-trust-gap-nobodys-filling-2lkj</guid>
      <description>&lt;p&gt;Originally published with live data at &lt;a href="https://wmcp.sh/reports/state-of-mcp-security-2026" rel="noopener noreferrer"&gt;https://wmcp.sh/reports/state-of-mcp-security-2026&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The Model Context Protocol exploded this year. Claude, Cursor, Codex, and a wave of agents now discover and auto-connect to MCP servers. Which raises a question nobody's answering: who's checking those servers are safe, reachable, and well-behaved before an agent hands them tool-call access?&lt;/p&gt;

&lt;p&gt;The official MCP registry deliberately doesn't. It authenticates namespaces and stores metadata, then explicitly delegates security and curation to "downstream aggregators." So trust in MCP is structurally unowned.&lt;/p&gt;

&lt;p&gt;I built an independent grader and ran it across 6,762 servers, which is the largest audit of the ecosystem that I'm aware of. Here's what's there.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The method&lt;/strong&gt;&lt;br&gt;
An open, OWASP-MCP-aligned A–F rubric across five dimensions: spec conformance, security, reliability, tool hygiene, and transparency. It covers remote servers (by connecting and inspecting their real MCP surface) and stdio servers distributed as npm/pypi packages (by statically analyzing their published source). Grades are free and identical whether or not the operator pays — that independence is the whole point.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What's actually out there&lt;/strong&gt;&lt;br&gt;
MCP is overwhelmingly developer infrastructure. Developer Tools is the largest category by 2x (1,020 servers), followed by Finance &amp;amp; Crypto (581), AI &amp;amp; ML (408), Databases (396), and Cloud &amp;amp; DevOps (372). Consumer-facing categories are thin. If you're building for agents, you're mostly building for developers right now.&lt;/p&gt;

&lt;p&gt;42% earn an A or B; 38% land at D or F. The security news is better than the headlines suggest — only ~1% of servers exposed a confirmed problem (prompt-injection / hidden-instruction markup or secret-exfiltration file paths embedded in tool descriptions — text an agent reads and may act on).&lt;/p&gt;

&lt;p&gt;The real gap is vettability and rot. 13% of registry-listed servers are simply unreachable — dead or unmaintained. And of the live ones, many can't be vetted from the outside at all: no OAuth resource metadata (RFC 9728), untyped tool schemas. An agent has no safe way to know what a server will do before connecting.&lt;/p&gt;

&lt;p&gt;And tools mutate silently after launch — the CVE-2025-54136 "rug-pull" class. A server you vetted last week can ship a renamed or malicious tool today. Static scans miss this entirely; it needs continuous re-verification. (We hash each server's tool set and re-check on a schedule.)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why this matters&lt;/strong&gt;&lt;br&gt;
As agents move from "suggest" to "act," "trust before connect" stops being optional. The ecosystem needs an independent, continuous, cross-client trust layer — the FICO/SSL-Labs of MCP — not a one-time scan and not a registry that punts.&lt;/p&gt;

&lt;p&gt;That's what I'm building at wmcp.sh: a free A–F trust grade for every MCP server, continuously watched for drift, plus the same idea extended to two more connection types — WebMCP (in-browser agents) and captured REST (turn any site's undocumented internal API into agent tools).&lt;/p&gt;

&lt;p&gt;If you run an MCP server: grade it free at &lt;a href="https://wmcp.sh/mcp/grade" rel="noopener noreferrer"&gt;https://wmcp.sh/mcp/grade&lt;/a&gt;, make sure it's reachable and transparent, and embed the badge so users know you're audited. The full report (live data): &lt;a href="https://wmcp.sh/reports/state-of-mcp-security-2026" rel="noopener noreferrer"&gt;https://wmcp.sh/reports/state-of-mcp-security-2026&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
      <category>productivity</category>
    </item>
  </channel>
</rss>
