
Moth


Someone Scanned Every AI Agent Server in the Official Registry. 41% Had No Lock on the Door.

The Model Context Protocol is the closest thing the AI agent ecosystem has to a universal standard. Anthropic published it. OpenAI adopted it. Every major agent framework uses it. MCP servers are how AI agents talk to the outside world — databases, APIs, CI/CD pipelines, social media platforms, project management tools.

In February, a security researcher scanned all 518 servers in the official MCP registry. The results: 214 servers — 41% — require no authentication at any layer. Not at the MCP protocol level. Not at the API level. Nothing. Any agent, any script, any POST request can enumerate every available tool with zero credentials.

Those 214 open servers expose 1,462 tools to anyone who asks.

The Servers That Are Wide Open

The audit grouped servers into three tiers. Tier 1 servers authenticate at the MCP protocol layer — about 20% of the registry. Tier 2 servers skip MCP-layer auth but require API keys for the underlying services — roughly 38%. Tier 3 servers have no authentication anywhere. That's the 41%.
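To make the tiering and the "any POST request can enumerate every tool" finding concrete, here is an added example (not from the article, the audit, or the MCP SDK) of a minimal MCP HTTP endpoint that enforces the Tier 1 check the 41% skip, beside the open behaviour, plus the credential-free tools/list self-check that the scan relied on; the token, tool catalogue and header values are constructed placeholders.

```python
import hmac
import json

# Constructed placeholder: a real server validates OAuth access tokens or loads its secret from a store.
EXPECTED_TOKEN = "example-static-token-do-not-use"

# Constructed tool catalogue standing in for whatever tools/list exposes.
TOOLS = [{"name": "dns_lookup", "description": "Resolve a hostname",
          "inputSchema": {"type": "object",
                          "properties": {"host": {"type": "string"}}}}]

# The credential-free request the scan sent: JSON-RPC 2.0 tools/list.
UNAUTH_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}


def handle_mcp_post(headers, body, require_auth=True):
    """Handle one POST to the MCP endpoint; returns (status, headers, body).
    require_auth=False reproduces Tier 3: tools/list answered for anyone."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if require_auth:
        scheme, _, token = hdrs.get("authorization", "").partition(" ")
        # Constant-time compare so a wrong token cannot be distinguished by timing.
        if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
            # Reject before the MCP layer sees the request: 401 plus a
            # WWW-Authenticate challenge (realm value is a placeholder).
            return 401, {"WWW-Authenticate": 'Bearer realm="mcp"'}, {"error": "unauthorized"}
    try:
        req = json.loads(body)
    except ValueError:
        req = None
    if not isinstance(req, dict):
        return 400, {}, _error(None, -32700, "Parse error")
    if req.get("method") == "tools/list":
        return 200, {}, {"jsonrpc": "2.0", "id": req.get("id"),
                         "result": {"tools": TOOLS}}
    return 200, {}, _error(req.get("id"), -32601, "Method not found")


def audit_tier(handler):
    """Self-check mirroring the scan: send tools/list with no credentials."""
    status, _, body = handler({}, UNAUTH_REQUEST)
    if status == 401:
        return "tier1: MCP-layer auth enforced"
    if status == 200 and "result" in body:
        return "open: %d tools listed with no credentials" % len(body["result"]["tools"])
    return "unexpected response %d" % status
```

Run `audit_tier` against your own endpoint handler before publishing to the registry; a 200 with a tool list means the MCP layer is open, and this check alone cannot tell Tier 2 (API keys needed downstream) from Tier 3.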

The open servers aren't obscure test instances. They include sendit.infiniteappsai.com with 131 social media tools exposed. Teamwork's MCP server with 117 project management tools. Bitrise's CI/CD server with 67 build pipeline tools. Robtex with 50 DNS and IP reconnaissance tools — the kind of thing you'd use to map a network before attacking it.

A DNS reconnaissance server with no authentication, connected to an AI agent ecosystem that's scaling faster than anyone can secure it. That's not a hypothetical risk. That's a deployment.

Growth Is Outrunning Security

The official MCP registry grew from 90 to 518 servers in a single month. At that rate, there will be more than 1,000 by summer. The security infrastructure isn't keeping pace.

This matters because of how MCP agents work in practice. When an agent connects to multiple servers — which is the entire point of a universal protocol — it operates with the union of all server permissions. A compromised or misconfigured server in the chain extends its blast radius across every server the agent touches. One bad server doesn't just expose its own tools. It exposes every conversation, credential, and capability the agent carries.

The MCP specification does include security best practices. It recommends authentication, input validation, and the principle of least privilege. But recommendations aren't enforcement. When 41% of the servers in the official registry ignore the recommendation, it's not a guideline — it's a suggestion that nobody's following.

The Pattern Repeats

This is the same trajectory every protocol follows when adoption outpaces governance. Early internet servers shipped with default passwords. OAuth implementations leaked tokens for years before the spec tightened. Container registries published images without signature verification until supply chain attacks forced the issue.

MCP is following the same curve, except this time the unauthenticated endpoints aren't serving static web pages. They're giving AI agents the ability to execute code, query databases, send messages, and manipulate CI/CD pipelines. The blast radius of a misconfigured MCP server is fundamentally larger than a misconfigured HTTP endpoint because the agent consuming it has autonomy the browser never did.

The registry is growing at 42% per month. The authentication rate isn't keeping pace. Every new server that ships without MCP-layer auth is another node in an attack surface that compounds with every agent that connects to it.

Anthropic wrote the protocol. The industry adopted it. Nobody locked the doors.
If you work with AI agents or prompts, check out my prompt engineering toolkit on Polar — battle-tested prompt packs for developers.
