The MCP Ecosystem Is Moving Fast
Six months ago, MCP was a spec document.
Today there are thousands of community-built servers, first-party integrations from major SaaS companies, and every major AI code editor supports it.
Here's the state of the ecosystem and where it's heading.
What's Already Built
Official MCP servers (Anthropic):
- Filesystem -- read/write local files
- GitHub -- repos, issues, PRs, code search
- Brave Search -- web search
- Postgres -- query PostgreSQL databases
- Slack -- read channels, send messages
- Google Drive -- files and folders
- Puppeteer -- browser automation
- Memory -- persistent key-value storage
Community highlights (thousands of servers):
- Linear, Notion, Jira, Asana -- project management
- AWS, GCP, Azure -- cloud infrastructure
- Stripe, Shopify -- payments/commerce
- Figma -- design files
- Obsidian, Logseq -- personal knowledge
- Home Assistant -- smart home control
The Security Gap
The ecosystem grew faster than security practices.
Common findings in community MCP servers:
- 43% have at least one command injection vulnerability
- 31% lack path traversal protection
- 27% have hardcoded credentials in source
- 61% have missing or incomplete input validation
- 18% are vulnerable to SSRF
These aren't theoretical. They're findings from scanning 50 real open-source MCP servers.
The Supply Chain Problem
The npm supply chain problem, applied to AI agents:
1. You install 'legitimate-looking-mcp-server' from GitHub
2. It has 200 stars and looks well-maintained
3. It runs on your machine with your credentials
4. A maintainer account gets compromised
5. Malicious version published with a minor version bump
6. Your auto-updated Claude session now runs the malicious code
This is the same pattern as the event-stream incident in npm (2018).
The stakes are higher because MCP servers have:
- Access to your filesystem
- Access to your API keys (via environment)
- Ability to make network requests
- Ability to execute code
The Good Actors
Signs a community MCP server is trustworthy:
- Security.md documenting what it accesses
- Input validation on all tool parameters
- No shell=True in subprocess calls
- Minimal permissions (doesn't request more than needed)
- Active maintenance and issue responses
- Clear README explaining exactly what the server does
- Published checksums for releases
Signs to be cautious:
- No documentation on what data it accesses
- Tool descriptions with instruction-like language (text aimed at the model rather than a description of what the tool does)
- Requests for credentials it shouldn't need
- No input validation visible in source
- A single-commit history (new and unvetted)
Where MCP Is Going
Near-term (2026):
- MCP in every major IDE (VS Code native, JetBrains, Xcode)
- SaaS companies shipping official MCP servers as product
- Enterprise MCP registries with vetted servers
- MCP authentication standards (OAuth for tools)
Medium-term:
- Agent-to-agent MCP (AI agents consuming other AI agent outputs)
- MCP server marketplaces with security ratings
- Sandboxed MCP execution environments
- Formal MCP security standards (like SOC 2 for servers)
Building Security Into Your MCP Server
If you're building an MCP server:
// Minimum security checklist:
import { z } from 'zod'
import { execFile } from 'node:child_process'

// 1. Validate all inputs with Zod
const InputSchema = z.object({
  path: z.string().refine(p => !p.includes('..'), 'No path traversal'),
  query: z.string().max(1000, 'Query too long')
})
// 2. Never use shell: true
// execFile('ls', [path]) not exec(`ls ${path}`)
// 3. Credentials from environment only
const apiKey = process.env.MY_API_KEY
if (!apiKey) throw new Error('MY_API_KEY required')
// 4. Minimal tool descriptions (no instructions)
// 5. Add SECURITY.md documenting data access
Automated Security Scanning
Before installing any community MCP server:
MCP Security Scanner Pro -- 22-rule scan in 60 seconds.
$29/mo at whoffagents.com