DEV Community

Michael Kayode Onyekwere

MCP Ecosystem Security Pulse: Mid-April 2026

We continuously monitor MCP server packages on npm. Last month we published the first ecosystem snapshot. This is the update, with new data, new incidents, and a new capability we have not seen anyone else ship yet.

The numbers

351 packages monitored, up from 316 last month. 6,400+ scans completed. Every package is rescanned on a rolling basis, with real-time detection of new npm publishes via the registry changes feed.

Risk level   Packages   Share
LOW          273        78%
MODERATE     61         17%
ELEVATED     15         4%
HIGH         2          1%
CRITICAL     0          0%

Mean score: 89/100. Median: 95/100. 59 packages score a perfect 100. The ecosystem is getting marginally cleaner as more maintainers adopt provenance attestations.

What changed since last month

The biggest shift is not in the scan data. It is in what we can now tell you about each package.

We built a capability taxonomy that classifies every MCP tool into 15 categories: file system read, file system write, repository read, repository write, shell execution, browser automation, network egress, database access, secrets access, email/messaging, cloud infrastructure, persistent memory, search/retrieval, code analysis, and unknown.

When you scan a package now, you don't just get a score. You get a breakdown of what powers that package gives to your AI.

Example: @modelcontextprotocol/server-github has 26 tools. Capability surface:

  • CRITICAL: Repository write (create issues, PRs, branches, merge PRs)
  • HIGH: File system write, outbound network
  • MEDIUM: File system read, search
  • LOW: Repository read

That is different from "score 85/100." It tells you what you are actually granting.
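To make the taxonomy concrete, here is an added example (not AgentScore's classifier) that maps tool definitions to categories with keyword rules and rolls them up into a capability surface like the one above. The rules, the severity assigned to each category and the sample tools are assumptions made for this example.

```javascript
// Added example (not AgentScore's classifier). Keyword rules, the severity
// per category and the sample tools are assumptions made for this example.
// Ordered rules over the tool's normalised name + description; first match
// wins, so write-type rules sit above read-type rules.
const RULES = [
  [/\b(exec|shell|command|run)\b/i, 'shell execution', 'CRITICAL'],
  [/\b(secret|token|credential|password)\b/i, 'secrets access', 'CRITICAL'],
  [/\b(write|create|edit|push)\b.*\bfile/i, 'file system write', 'HIGH'],
  [/\b(create|update|merge|delete|push)\b.*\b(issue|pull|branch|commit|repo)/i, 'repository write', 'CRITICAL'],
  [/\b(fetch|http|request|url|download)\b/i, 'network egress', 'HIGH'],
  [/\b(read|get)\b.*\bfile/i, 'file system read', 'MEDIUM'],
  [/\bsearch\b/i, 'search/retrieval', 'MEDIUM'],
  [/\b(get|list|read)\b.*\b(issue|pull|branch|commit|repo)/i, 'repository read', 'LOW'],
];

function classifyTool(tool) {
  // snake_case names hide word boundaries, so separators become spaces.
  const text = `${tool.name.replace(/[_-]+/g, ' ')} ${tool.description}`;
  for (const [re, category, severity] of RULES) {
    if (re.test(text)) return { category, severity };
  }
  return { category: 'unknown', severity: 'MEDIUM' }; // report, never assume harmless
}

// Roll a tool list up into { severity: [category, ...] } plus the tools per category.
function capabilitySurface(tools) {
  const categories = new Map(); // category -> { severity, tools }
  for (const tool of tools) {
    const { category, severity } = classifyTool(tool);
    if (!categories.has(category)) categories.set(category, { severity, tools: [] });
    categories.get(category).tools.push(tool.name);
  }
  const surface = {};
  for (const [category, { severity }] of categories) {
    (surface[severity] = surface[severity] || []).push(category);
  }
  for (const list of Object.values(surface)) list.sort();
  return { toolCount: tools.length, surface, categories: Object.fromEntries(categories) };
}
// Constructed sample modelled on a GitHub MCP server; not its real tool list.
const SAMPLE_TOOLS = [
  { name: 'create_issue', description: 'Create a new issue in a GitHub repository' },
  { name: 'merge_pull_request', description: 'Merge a pull request' },
  { name: 'create_or_update_file', description: 'Create or update a single file in a repository' },
  { name: 'get_file_contents', description: 'Get the contents of a file or directory' },
  { name: 'search_code', description: 'Search for code across GitHub repositories' },
  { name: 'list_commits', description: 'List commits on a branch' },
];
console.log(JSON.stringify(capabilitySurface(SAMPLE_TOOLS).surface, null, 2));
```

The rule order matters more than the rule text: a write rule must win over a read rule for the same nouns, and anything unmatched should surface as "unknown" rather than vanish from the report.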

Incidents detected

Four advisories published since monitoring began:

AGENTSCORE-2026-0004: @opentabs-dev/mcp-server (April 13)
Score dropped from 85 to 65. A new command injection pattern appeared in v0.0.95 (shell execution with template-literal input). The package has 50 MCP tools, including secrets access and cloud infrastructure capabilities. No repository link, no provenance. Published from an individual account.

AGENTSCORE-2026-0003: local-mcp (April 11)
Score dropped from 90 to 70. A command injection pattern appeared in v3.0.50. On investigation, the pattern was in a setup utility (execSync with a template literal), not in the MCP runtime. Its inputs were hardcoded strings from a static array. We classified this as a code smell, not an exploitable vulnerability.

AGENTSCORE-2026-0002: agent-recall-mcp (April 10)
Score dropped from 95 to 85. The new version lost its repository link and provenance.

AGENTSCORE-2026-0001: @agenttrust/mcp-server (April 9)
Score dropped from 95 to 85. Same pattern as agent-recall-mcp: lost repository link and provenance.
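The opentabs-dev and local-mcp findings differ only in where the interpolated value comes from. The added example below (not AgentScore's scanner) shows a heuristic that flags shell-execution calls whose command is a template literal and separates interpolated input from values hardcoded in the same file; the regexes and the sample source are assumptions made for illustration.

```javascript
// Added example (not AgentScore's scanner). The regexes are an assumption for
// this example; a production scanner would work from an AST, not regexes.
// Finds child_process-style calls whose first argument is a template literal.
const SHELL_CALL = /\b(execSync|exec|spawnSync|spawn|execFileSync)\s*\(\s*`([^`]*)`/g;
const BARE_IDENT = /\$\{\s*([A-Za-z_$][\w$]*)\s*\}/g; // ${name} with nothing else inside
const STR = `(?:'[^']*'|"[^"]*")`;

// Identifiers bound only to string literals in this file, through
// `const x = 'a';` or `for (const x of ['a', 'b'])`. Interpolating one of these
// is a code smell rather than attacker-reachable input (the local-mcp case).
function staticIdentifiers(source) {
  const names = new Set();
  const assign = new RegExp(`\\b(?:const|let|var)\\s+(\\w+)\\s*=\\s*${STR}\\s*;`, 'g');
  const loop = /for\s*\(\s*(?:const|let|var)\s+(\w+)\s+of\s+\[([^\]]*)\]/g;
  const literalList = new RegExp(`^\\s*${STR}(?:\\s*,\\s*${STR})*\\s*,?\\s*$`);
  for (const m of source.matchAll(assign)) names.add(m[1]);
  for (const m of source.matchAll(loop)) if (literalList.test(m[2])) names.add(m[1]);
  return names;
}

function findShellTemplateCalls(source) {
  const hardcoded = staticIdentifiers(source);
  const findings = [];
  for (const m of source.matchAll(SHELL_CALL)) {
    const [, fn, body] = m;
    const line = source.slice(0, m.index).split('\n').length;
    const interpolations = (body.match(/\$\{/g) || []).length;
    const vars = [...body.matchAll(BARE_IDENT)].map((x) => x[1]);
    let kind;
    if (interpolations === 0) kind = 'static-template'; // fixed command string
    else if (vars.length === interpolations && vars.every((v) => hardcoded.has(v))) kind = 'hardcoded-input';
    else kind = 'injection-pattern'; // expression or unknown variable: needs review
    findings.push({ fn, line, kind, vars });
  }
  return findings;
}

// Constructed sample source covering the three cases (not from any real package).
const SAMPLE_SOURCE = [
  "const { execSync } = require('child_process');",
  "for (const step of ['npm ci', 'npm run build']) {",
  "  execSync(`${step}`, { stdio: 'inherit' });", // hardcoded-input
  '}',
  'function openPath(args) {',
  '  return execSync(`open ${args.path}`).toString();', // injection-pattern
  '}',
  'execSync(`git status`);', // static-template
].join('\n');
console.log(findShellTemplateCalls(SAMPLE_SOURCE));
```

An "injection-pattern" hit is a prompt for a human to trace where the value comes from, which is exactly the step that turned the local-mcp finding into a smell and left the opentabs-dev finding standing.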

The pattern worth watching

The opentabs-dev incident is the most interesting. Here is a package with 50 tools, including capabilities classified as secrets access and cloud infrastructure management. It introduced a command injection pattern in a version bump. It has no repository link, so the source is not publicly auditable. It has no provenance, so there is no verifiable build chain.

That combination, broad capability surface plus low publisher posture plus code-level findings, is the risk profile that deserves attention in the MCP ecosystem. Most packages do not have this combination. But the ones that do are the ones where a compromise would have the widest impact.

What we are building

Beyond the scanner and advisory feed, we shipped three things this month:

Capability diffs in CI. If you run the AgentScore Policy Gate in GitHub Actions, every PR now shows what AI capabilities each MCP package grants and what changed since the last run. "New AI capabilities introduced: browser automation via @playwright/mcp." That makes capability changes visible in code review instead of invisible at install time.

Package watch alerts. On any package report page, you can enter your email and get notified when that package changes score, risk, or capability surface. No account needed. One field.

Repo preview. Paste any GitHub repo URL on our policy gate page and see what MCP packages it uses, what capabilities they expose, and what the gate would do. No install, no API key, no YAML. Just a preview of what your AI has access to.
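As an added illustration of the capability-diff step and a capability-level approval policy (not the AgentScore Policy Gate's own code), the following compares two CI snapshots of per-package capabilities and decides what a gate would do. The snapshot shape, the policy shape and the package names are assumptions made for this example.

```javascript
// Added example, not the AgentScore Policy Gate itself. Snapshot shape,
// policy shape and the sample package names are assumptions for this example.
// A snapshot is { packageName: [capability, ...] } as recorded by one CI run.
function diffCapabilities(previous, current) {
  const changes = [];
  const names = new Set([...Object.keys(previous), ...Object.keys(current)]);
  for (const pkg of [...names].sort()) {
    const before = new Set(previous[pkg] || []);
    const after = new Set(current[pkg] || []);
    const added = [...after].filter((c) => !before.has(c)).sort();
    const removed = [...before].filter((c) => !after.has(c)).sort();
    if (added.length || removed.length) {
      changes.push({ pkg, added, removed, isNew: !(pkg in previous), isGone: !(pkg in current) });
    }
  }
  return changes;
}

// policy.block: never allowed. policy.requireApproval: a human signs off when
// newly introduced. Everything else is only reported in the PR.
function evaluateGate(changes, policy) {
  const messages = [];
  let decision = 'pass';
  for (const { pkg, added, removed } of changes) {
    for (const cap of added) {
      if (policy.block.includes(cap)) {
        decision = 'block';
        messages.push(`Blocked capability: ${cap} via ${pkg}`);
      } else if (policy.requireApproval.includes(cap)) {
        if (decision !== 'block') decision = 'needs-approval';
        messages.push(`Approval required: ${cap} via ${pkg}`);
      } else {
        messages.push(`New AI capabilities introduced: ${cap} via ${pkg}`);
      }
    }
    for (const cap of removed) messages.push(`Capability removed: ${cap} via ${pkg}`);
  }
  return { decision, messages };
}

// Constructed snapshots: the PR adds a browser-automation server, and a new
// version of the existing GitHub server starts exposing shell execution.
const PREVIOUS_RUN = { '@example/github-mcp': ['repository read', 'repository write'] };
const CURRENT_RUN = {
  '@example/github-mcp': ['repository read', 'repository write', 'shell execution'],
  '@example/browser-mcp': ['browser automation', 'network egress'],
};
const POLICY = { block: ['secrets access'], requireApproval: ['shell execution', 'cloud infrastructure'] };
console.log(evaluateGate(diffCapabilities(PREVIOUS_RUN, CURRENT_RUN), POLICY));
```

Note that the version bump on an already-approved package is what trips the approval requirement here, which is the case an install-time check never sees.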

The broader context

The MCP ecosystem is growing fast. 97 million monthly SDK downloads. 10,000+ public servers. Anthropic donated MCP to the Linux Foundation's Agentic AI Foundation, co-founded with Block and OpenAI. GitHub now supports MCP registry URLs for Copilot with admin-level access controls.

The security surface is growing with it. 30 CVEs were filed against MCP servers and clients in January and February alone. The OWASP MCP Top 10 project is in beta, with supply chain attacks (MCP04) as a top risk category. Our scan data has been incorporated into the OWASP project.

Funded players are entering the space. Runlayer raised $11M for a runtime MCP gateway. Backslash raised $19M for enterprise AI security including MCP coverage. Snyk launched Agent Scan for local MCP config scanning.

What nobody else is doing yet, as far as we can tell, is merge-path capability gating: showing what powers each MCP package grants, tracking capability changes between CI runs, and enforcing approval policies at the capability level. That is what we built.

Follow this

Advisories: https://agentscores.xyz/security/advisories
RSS: https://agentscores.xyz/security/advisories/rss.xml
Scan any package: https://agentscores.xyz
Watch a package: sign up on any report page (e.g. https://agentscores.xyz/report/mcp-trust-guard)
Preview your repo: https://agentscores.xyz/policy-gate

Published by AgentScore. We monitor the MCP ecosystem so you don't have to.