MCPSafe.io

Security checks for MCP servers — public packages and private repos, fast or deep.


© 2026 MCPSafe. All rights reserved.


Public dashboard · Last refresh 44m ago

The State of MCP Security

Live numbers from MCPSafe’s scan cache. Updated every few minutes as new servers are scanned.

  • Packages scanned: 562
  • Graded A or B: 371 (66% of catalog)
  • Graded D or F: 12 (2% of catalog)
  • Total findings: 8,474 (across latest scans)

Grade distribution

Total: 562
  • A: 81 (14%)
  • B: 290 (52%)
  • C: 179 (32%)
  • D: 11 (2%)
  • F: 1 (0%)

    Top finding categories

    • server configuration: 5,845
    • readiness: 5,076
    • resource exhaustion: 3,000
    • ansi escape injection: 1,754
    • verbose errors: 1,538
    • vulnerable dependency: 323
    • data exfiltration: 234
    • xxe: 200
    • insecure container image: 197
    • behavioral mismatch: 195

    Top MCP packages

    Most popular

    Ranked by GitHub stars.

    1. punkpeye/awesome-mcp-servers · grade B · 86,775 ★
    2. github:punkpeye/awesome-mcp-servers@HEAD · grade B · 86,773 ★
    3. github:modelcontextprotocol/servers@acedea0c24b3 · grade D · 85,526 ★
    4. modelcontextprotocol/servers · grade D · 84,975 ★
    5. upstash/context7 · grade C · 55,142 ★
    6. github:upstash/context7@HEAD · grade C · 55,124 ★
    7. ChromeDevTools/chrome-devtools-mcp · grade C · 39,368 ★
    8. github:ChromeDevTools/chrome-devtools-mcp@HEAD · grade C · 39,359 ★
    9. github:microsoft/playwright-mcp@ae27b8638aaf · grade C · 32,419 ★
    10. github/github-mcp-server · grade D · 29,764 ★

    Highest rated

    A-graded packages, ranked by safety score.

    1. github:vercel-labs/mcp-for-next.js@HEAD · grade A · score 96
    2. vercel-labs/mcp-for-next.js · grade A · score 96

    By package source

    How the catalog splits across npm, PyPI, GitHub, and Docker Hub — and which source ships the safest MCP servers on average.

    GitHub · 88% · 495 scanned
      • Avg score: 78.2
      • Graded A/B: 317 (64%)
      • Graded D/F: 5
      • Findings: 7,936

    npm · 11% · 62 scanned
      • Avg score: 82.7
      • Graded A/B: 52 (84%)
      • Graded D/F: 5
      • Findings: 416

    PyPI · 1% · 5 scanned
      • Avg score: 70.6
      • Graded A/B: 2 (40%)
      • Graded D/F: 2
      • Findings: 122

    Top publishers

    • squatguard: 5
    • microsoft: 4
    • Bigred97: 4
    • sathergate: 3
    • Clawdio777: 2
    • punkpeye: 2
    • jgravelle: 2
    • clay-good: 2
    • cloudflare: 2
    • gc10-commits: 2

    Notable recent findings

    Packages flagged for high risk on their most recent scan. “Flagged” means our rules found issues worth a human review — not that the package is malicious.

    • xiaoyaosearch · grade C · github · score 38 · 39 findings
    • mindroom-librechat · grade C · github · score 39 · 24 findings


    How these numbers are built

    • Every counter is derived from the most recent scan of each package in our cache. Older scans do not double-count.
    • Grade distribution uses the same A–F scale shown on the scan report. See /threats for the detection categories behind each finding.
    • Top publishers are inferred from GitHub package URLs (the owner in github.com/owner/repo). Packages from npm, PyPI, and Docker don’t count here today.
    • Browse the full catalog from the registry.

    Frequently asked

    What is an MCP server?
    Model Context Protocol (MCP) servers expose tools, resources, and prompts to AI agents. They sit between an LLM and an underlying system — your filesystem, a database, an API — and execute privileged actions on the agent's behalf, which makes their security profile materially different from a typical web service.
    Where does this data come from?
    Every counter is derived from the most recent MCPSafe scan of each public MCP server in our cache. Older scans don't double-count. Findings are produced by the same rule engine that powers individual scan reports — see our methodology page for the rubric.
    How is the safety grade calculated?
    Each server gets a 0-100 safety score that combines static analysis findings, supply-chain signals (typosquatting, CVEs), permission and network posture, and LLM-judged behavioral risks. Scores map to A through F bands. The full scoring rubric is published — we don't keep it secret.
    How often is this dashboard updated?
    The dashboard re-reads its source-of-truth aggregate every few minutes. Individual server scans are re-run when their version changes, when a new rule ships, or on demand from the public registry.
    Can I scan a private MCP server?
    Public scans are free and require no account. Private repository scanning is available on paid plans — see the pricing page for details.
    Can I cite or embed this data?
    Yes — the dataset is intended to be quoted in research, blog posts, and security write-ups. Please link back to this page and credit MCPSafe. An embeddable widget for partner sites is on the roadmap.