DEV Community

YedanYagami

what if MCP servers had a Lighthouse-style security score?

i've been auditing MCP servers for a few weeks now. 194 packages scanned, 118 had security findings. that's a 60.8% failure rate. and these are the ones people are plugging into their AI agents right now.

the problem isn't that developers are lazy. it's that there's no visibility. when you `npm install @some-mcp/filesystem-server`, you have zero signal about whether it sanitizes paths, leaks env vars, or shells out with unsanitized input.

we have Lighthouse for web performance. we have Snyk for dependency vulnerabilities. we have nothing for MCP server security.

the proposal: MCP Security Score

a 0-100 score, computed automatically, covering 5 dimensions:

1. input validation (25 pts) -- does the server validate tool parameters before use? or does `directory: "../../etc/passwd"` just work?

2. execution safety (25 pts) -- shell injection checks. does it use `execFileSync` with argument arrays or string-concatenated `execSync`? does python code use `shlex.quote()`?

3. environment isolation (20 pts) -- does it leak `process.env`? does it allowlist which env vars it touches? we found 7 packages that `console.log(process.env)` during startup.

4. dependency hygiene (15 pts) -- known CVEs in transitive deps, lockfile present, pinned versions.

5. output sanitization (15 pts) -- does it prevent sensitive data from flowing back through tool responses into the LLM context?

why this matters more than web security

when a web app has an XSS vulnerability, one user is affected. when an MCP server has a shell injection vulnerability, the AI agent executing it can compromise the entire host. and the agent doesn't know the difference between a safe command and `; rm -rf /`.

we counted 30 CVEs against MCP packages in the last 60 days. 437K downloads of compromised packages before takedowns. the 97M total npm SDK downloads tell us adoption is way ahead of security infrastructure.

what it could look like

```text
@modelcontextprotocol/server-filesystem
MCP Security Score: 72/100
  input validation:       18/25
  execution safety:       22/25
  environment isolation:  14/20
  dependency hygiene:     12/15
  output sanitization:     6/15
```

render it in npm readme badges. surface it in MCP client UIs. let agent frameworks refuse to load servers below a threshold.

honest limitations

this won't catch everything. logic bugs, prompt injection through tool responses, and novel attack chains need human review. a score creates false confidence if people treat it as a guarantee. it's a floor, not a ceiling.

but right now the floor is "nothing." any signal is better than zero.

building a prototype. interested in beta testing? comment below.
