The MCP ecosystem grew faster than anyone could audit it. Now there's a tool trying to catch up — and what it's finding isn't reassuring.
The Problem It's Solving
When Model Context Protocol became the de facto standard for connecting AI agents to external tools and data, adoption moved at a pace the security industry wasn't ready for. Every major agent platform built in MCP support. Registries filled up. Enterprises started wiring agents to internal systems through servers they'd never vetted.
The supply chain problem with traditional software took years to become obvious. With MCP, the same pattern is playing out in months. And the threat model is nastier than a bad npm package.
A compromised MCP server doesn't just exfiltrate data. It can control an agent's reasoning, redirect its execution, and manipulate its decisions at the tool-call layer — before the output ever reaches a human. That's a different category of exposure than a vulnerable dependency. You're not patching a library. You're potentially handing an attacker the steering wheel of an autonomous system.
How Manifest's Scoring Actually Works
Manifold Security has expanded its Manifest supply chain intelligence platform to cover MCP servers, adding scored entries for over 7,700 servers pulled from the official MCP Registry. The platform now indexes more than 206,000 total assets across skills, plugins, browser extensions, and server infrastructure.
Each MCP server gets a composite Manifest Score built from two signal families.
The Lineage Score evaluates publisher provenance: authorship history, community presence, repository activity, and verification signals. This is the "who made this and do they have a track record" question. For most MCP servers, the answer is murky. Unlike agent skills that often link to public repositories with commit history and maintainer context, many MCP servers expose only an HTTP endpoint. There's no source to inspect, no maintainer to look up. Lineage Score is trying to assign a confidence level to something that was never designed to be audited.
The Safety Score does behavioral analysis on the server's declared interface — scanning for contradictions, manipulative instructions, and prompt injection patterns embedded in tool descriptions. This matters because prompt injection through MCP tool definitions is already a documented attack vector. A malicious server can instruct an agent to exfiltrate data or ignore safety constraints through nothing more than a carefully worded tool description.
The combined Manifest Score gives security teams a ranked signal, not a binary pass/fail. That's the right framing — in an ecosystem this young, a clean score is a confidence indicator, not a guarantee.
What Security Teams Are Actually Using It For
The use case is straightforward: before an enterprise allows employees to connect an agent to an MCP server, someone needs to have looked at it. Right now, almost nobody has a formal process for that. Manifest is trying to be the equivalent of a CVE database for this layer of the stack.
The backstory on why this is urgent comes from Manifold's own threat research. An empirical study analyzed nearly 100,000 agent skills across two major registries and found 157 behaviorally confirmed as malicious. Those weren't fringe edge cases — each malicious skill averaged over four distinct vulnerabilities across multiple kill chain phases. The attack archetypes the researchers identified broke into two categories: Data Thieves that exfiltrate credentials through supply chain techniques, and Agent Hijackers that subvert agent decision-making through instruction manipulation.
On ClawHub, the OpenClaw marketplace, Antiy CERT confirmed over 1,100 malicious skills — roughly one in twelve packages. In March 2026, researchers demonstrated a ranking-manipulation attack that pushed a malicious skill to the top of its category by exploiting an unprotected API endpoint; it executed across more than 50 cities in six days, quietly exfiltrating identity data from installations inside several public companies.
MCP servers face the same threat surface, with less visibility.
Why This Is a Bigger Deal Than It Looks
The signal-to-noise problem in AI agent security is already bad. Skill scanners proliferated after the first wave of malicious packages — LLM-based classifiers, static analyzers, behavioral sandboxes — and they routinely disagree with each other. Manifold's bet is that the right approach is composite scoring across provenance and behavioral signals together, rather than analyzing components in isolation.
That bet is defensible. Provenance alone misses injected behavior. Behavioral analysis alone misses trust chain problems where a legitimate-seeming server was silently modified or taken over. The combination — Lineage plus Safety — is closer to how you'd actually want to evaluate a third-party component before wiring an autonomous agent to it.
The harder structural problem is that the MCP ecosystem wasn't designed with auditability in mind. HTTP endpoints with no associated repository are normal. Publishers with no community footprint are common. Manifold is trying to build a trust signal layer on top of infrastructure that never anticipated needing one. That's not a criticism of the tool — it's the accurate description of the problem the tool exists to solve.
Manifold Security CEO and co-founder Neal Swaelens put it directly: "Every developer today has coding agents on their laptop with access to source code, production systems, and CI/CD pipelines connected to an expanding ecosystem of MCP servers, skills, and third-party tools that no one is inspecting."
Availability and Access
Manifest is available now as a free, open-access platform. The MCP server index — 7,700 scored entries and growing — is searchable alongside the existing database of skills and plugins. Enterprise tiers extend coverage into Manifold's broader AIDR platform, which provides runtime visibility into agent behavior, live MCP server connections, privilege paths, and anomaly detection. Manifold raised an $8 million seed round in March 2026 led by Costanoa Ventures.
The MCP supply chain is the new npm — except agents don't just run code, they make decisions. Scoring 7,700 servers is a start. The question is whether enterprises adopt a review process before the next ranking-manipulation attack makes the choice for them.
Follow for more coverage on MCP, agentic AI, and AI infrastructure.
Top comments (0)