DEV Community

Michael Kayode Onyekwere
Michael Kayode Onyekwere

Posted on

We scanned 195 MCP packages for security issues. Here's what we found.

#mcp #security #ai #opensource

MCP (Model Context Protocol) has 97 million monthly SDK downloads. There are thousands of MCP server packages on npm. We scanned 195 of them for security issues.

The Results

  • 195 packages scanned
  • 64% clean (zero findings)
  • 36% had issues (mostly minor)
  • 1 package flagged HIGH — suspicious install script and localhost URL
  • 8 packages (4%) have install scripts — a known supply chain attack vector
  • 24 packages (12%) have no licence
  • Average security score: 96/100

The MCP ecosystem is generally clean. The official @modelcontextprotocol/* packages from Anthropic scored 100/100 across the board. But community packages vary.

The Flagged Package

@azure-devops/mcp scored 60/100 (ELEVATED risk):

  • HIGH: preinstall script that modifies npm registry configuration (npm config set registry). A preinstall script that changes your npm config could redirect future package installs to a malicious registry.

  • HIGH: localhost URL reference (127.0.0.1). Not necessarily malicious, but combined with the registry modification, warrants review.

What We Checked

Our scanner analyses npm package metadata for five categories of issues:

Install scripts — postinstall/preinstall hooks that run arbitrary code. 4% of MCP packages have them.

Prompt injection patterns — tool descriptions containing "ignore previous instructions", system prompt overrides, jailbreak attempts. Found in 0% of this sample.

Suspicious URLs — raw IP addresses, sketchy TLDs, known exfiltration endpoints. Found in 1 package.

Dependency analysis — packages with 20+ runtime dependencies have a larger attack surface. Average was 6 dependencies.

Missing metadata — no repository link (source can't be verified) or no licence. 12% had no licence.

Score Distribution 

90-100: 176 packages (90%) ████████████████████████████████████
70-89:   18 packages  (9%) ████
50-69:    1 package   (1%) █
30-49:    0 packages
 0-29:    0 packages
Enter fullscreen mode Exit fullscreen mode

Why This Matters

The MCP ecosystem is early. Right now, most packages are from trusted developers building legitimate tools. But the protocol is growing fast — 97M monthly SDK downloads. As adoption increases, so will the attack surface.

The patterns we're scanning for — install script manipulation, prompt injection in tool descriptions, data exfiltration URLs — are the same patterns that have plagued the npm ecosystem for years. Supply chain attacks on npm packages cost organisations billions annually. MCP servers are the next target because they give attackers direct access to AI agent tool calls.

Scan Your Own Packages

The scanner is free and public:

curl https://agentscores.xyz/api/scan?npm=your-package-name
Enter fullscreen mode Exit fullscreen mode

Returns a security score (0-100), risk level, and detailed findings. Critical and high findings are automatically added to the KYA abuse database so other developers can check before installing.

Part of KYA (Know Your Agent)

This scanner is one component of KYA — a six-check verification system for AI agents. The other checks cover deployer identity, model identification, code auditability, abuse history, and deployment context.

All six checks: POST https://agentscores.xyz/api/verify
Docs: https://agentscores.xyz/docs

npm: mcp-trust-guard | kya-abuse-check
GitHub: Thezenmonster/mcp-guard

Top comments (0)