Originally published with live data at https://wmcp.sh/reports/state-of-mcp-security-2026
The Model Context Protocol exploded this year. Claude, Cursor, Codex, and a wave of agents now discover and auto-connect to MCP servers. Which raises a question nobody's answering: who's checking those servers are safe, reachable, and well-behaved before an agent hands them tool-call access?
The official MCP registry deliberately doesn't. It authenticates namespaces and stores metadata, then explicitly delegates security and curation to "downstream aggregators." So trust in MCP is structurally unowned.
I built an independent grader and ran it across 6,762 servers which is the largest audit of the ecosystem that I'm aware of. Here's what's there.
The method
An open, OWASP-MCP-aligned A–F rubric across five dimensions: spec conformance, security, reliability, tool hygiene, and transparency. It covers remote servers (by connecting and inspecting their real MCP surface) and stdio servers distributed as npm/pypi packages (by statically analyzing their published source). Grades are free and identical whether or not the operator pays — that independence is the whole point.
What's actually out there
MCP is overwhelmingly developer infrastructure. Developer Tools is the largest category by 2x (1,020 servers), followed by Finance & Crypto (581), AI & ML (408), Databases (396), and Cloud & DevOps (372). Consumer-facing categories are thin. If you're building for agents, you're mostly building for developers right now.
42% earn an A or B; 38% land at D or F. The security news is better than the headlines suggest — only ~1% of servers exposed a confirmed problem (prompt-injection / hidden-instruction markup or secret-exfiltration file paths embedded in tool descriptions — text an agent reads and may act on).
The real gap is vettability and rot. 13% of registry-listed servers are simply unreachable — dead or unmaintained. And of the live ones, many can't be vetted from the outside at all: no OAuth resource metadata (RFC 9728), untyped tool schemas. An agent has no safe way to know what a server will do before connecting.
And tools mutate silently after launch — the CVE-2025-54136 "rug-pull" class. A server you vetted last week can ship a renamed or malicious tool today. Static scans miss this entirely; it needs continuous re-verification. (We hash each server's tool set and re-check on a schedule.)
Why this matters
As agents move from "suggest" to "act," "trust before connect" stops being optional. The ecosystem needs an independent, continuous, cross-client trust layer — the FICO/SSL-Labs of MCP — not a one-time scan and not a registry that punts.
That's what I'm building at wmcp.sh: a free A–F trust grade for every MCP server, continuously watched for drift, plus the same idea extended to two more connection types — WebMCP (in-browser agents) and captured REST (turn any site's undocumented internal API into agent tools).
If you run an MCP server: grade it free at https://wmcp.sh/mcp/grade, make sure it's reachable and transparent, and embed the badge so users know you're audited. The full report (live data): https://wmcp.sh/reports/state-of-mcp-security-2026
Top comments (0)