security monitoring | by SkillsIndex

We Analyzed the Security of MCP Servers in Our Index — Here Is What the Data Shows

We scored over 1,000 MCP servers and AI agent tools on security. 52.8% earned a score of 2/5 or below. Here are the patterns we found, the tools that passed, and how to use this data.

Security is SkillsIndex's core differentiator. Every other MCP directory lists tools. We score them. The security dimension — 30% of our overall score — reflects an analysis that no other AI tools directory currently performs at this scale.

Here is what we found after scoring over 1,000 tools in our index.

The Headline Number: 52.8%

Of the 1,000 tools in our index with explicit security scores, 52.8% earn a score of 2/5 or below. This is our "caution" threshold — tools that require manual review before installation in any production or sensitive context.

The Distribution

Security Score | Count | % of scored tools | Meaning
-------------- | ----- | ----------------- | -------
1/5            | 8     | 0.8%              | High risk — do not install without thorough audit
2/5            | 520   | 52.0%             | Caution — review before installing in sensitive contexts
3/5            | 97    | 9.7%              | Acceptable — minor concerns, monitor for updates
4/5            | 3     | 0.3%              | Good — well-maintained, minor improvements possible
5/5            | 372   | 37.2%             | Excellent — use with confidence

Note the gap between 4/5 and 5/5: tools tend to either pass all our criteria cleanly (5/5) or fall short on multiple dimensions (2/5). The middle is rare. This bimodal distribution suggests that security practices in the MCP ecosystem are not a spectrum — teams either adopt security standards comprehensively or not at all.

The 5 Most Common Security Red Flags

1. Unmaintained Dependencies (Most Common)

The most frequent issue: a server that works correctly but has pinned dependencies from 12–24 months ago. Many of those packages have disclosed CVEs that were patched in newer versions. The risk is not immediate data exfiltration — it is that a known vulnerability in a dependency chain is exploitable if the server processes untrusted input.

How to check: Run npm audit or pip-audit against any MCP server's dependency tree before installing.
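A small triage step for the npm side of that check, written here as an added example (not SkillsIndex tooling): it reads the JSON that `npm audit --json` prints for a server's dependency tree, keeps only findings at or above a chosen severity, notes whether each is a direct dependency and whether a fix exists, and returns an install verdict. It assumes the npm 7+ report format (auditReportVersion 2); the sample report is constructed.

```python
"""Triage `npm audit --json` output for an MCP server before installing it.

Added example, not SkillsIndex code. Assumes the npm 7+ audit report format
(auditReportVersion 2); SAMPLE_REPORT is constructed, not a real report.
"""
import json

# Severity ranking used to compare each finding against the threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape `npm audit --json` prints (package names invented).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "old-parser": {
            "name": "old-parser", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype pollution", "url": "https://example.invalid/advisory/1"}],
            "range": "<2.0.0", "fixAvailable": True,
        },
        "tiny-util": {
            "name": "tiny-util", "severity": "low", "isDirect": False,
            "via": ["old-parser"],  # transitive: affected only through old-parser
            "range": "*", "fixAvailable": False,
        },
    },
})


def triage(report_json: str, min_severity: str = "high") -> dict:
    """Return findings at or above `min_severity` plus an install verdict.

    In `via`, dict entries are advisories; plain strings are the names of
    dependencies through which the package is transitively affected.
    `fixAvailable` may be a bool or an object describing the fix; bool() covers both.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(vuln.get("severity", "info"), 0) < threshold:
            continue
        advisories = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({
            "package": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            "fix_available": bool(vuln.get("fixAvailable")),
            "advisories": advisories,
        })
    return {"blocking": findings, "install_ok": not findings}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On a real checkout, feed `triage` the text of `npm audit --json` run in the server's directory instead of SAMPLE_REPORT; a low-severity transitive finding like tiny-util is reported only when the threshold is lowered.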

2. Excessive Permission Requests

Some MCP servers request file system access, network access, and process execution simultaneously — even when their stated purpose is narrow (e.g., "read your calendar"). Principle of least privilege is not consistently applied in the ecosystem.

How to check: Read the tools() definition in the server's source code. Each tool should declare its required permissions explicitly. If a calendar tool requests read_file access, ask why.
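The same check can be run against what a server actually advertises at runtime. The added example below (not SkillsIndex's audit code) takes the `tools` array from a `tools/list` response, compares each tool's name, description and input fields against a stated purpose, and flags tools that imply filesystem, process or network access the purpose does not need. It also uses the MCP tool annotations (`readOnlyHint`, `destructiveHint`) as a screening signal; these are self-reported by the server, so a finding is a question to ask, not a verdict. The tool list is constructed.

```python
"""Flag MCP tools whose implied capabilities exceed a server's stated purpose.

Added example, not SkillsIndex code. Input is the `tools` array of a
`tools/list` response; SAMPLE_TOOLS is constructed. Annotations are hints the
server chooses to send, so treat them as a screening signal, not proof.
"""
import re

# Name/description/field fragments that imply broad host capabilities.
BROAD_CAPABILITIES = {
    "filesystem": re.compile(r"\b(read|write|delete)_?file|\bpath\b", re.I),
    "process":    re.compile(r"\b(exec|shell|spawn|run_command)\b", re.I),
    "network":    re.compile(r"\b(fetch|http|url|download)\b", re.I),
}

# Constructed tools/list result for a server advertised as a read-only calendar integration.
SAMPLE_TOOLS = [
    {"name": "list_events", "description": "List calendar events for a date range",
     "inputSchema": {"type": "object", "properties": {"start": {"type": "string"}}},
     "annotations": {"readOnlyHint": True}},
    {"name": "read_file", "description": "Read a file from the local disk",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
     "annotations": {"readOnlyHint": True}},
    {"name": "run_command", "description": "Execute a shell command",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
]


def audit_tools(tools: list[dict], allowed: set[str], read_only: bool) -> list[dict]:
    """Return one finding per tool that implies a capability outside `allowed`
    or, for a server whose purpose is read-only, does not assert readOnlyHint."""
    findings = []
    for tool in tools:
        fields = tool.get("inputSchema", {}).get("properties", {})
        text = f"{tool['name']} {tool.get('description', '')} " + " ".join(fields)
        caps = {c for c, rx in BROAD_CAPABILITIES.items() if rx.search(text)}
        reasons = [f"implies {c} access" for c in sorted(caps - allowed)]
        # destructiveHint defaults to true in the spec when absent, so a missing
        # readOnlyHint on a supposedly read-only server is itself worth asking about.
        if read_only and not tool.get("annotations", {}).get("readOnlyHint"):
            reasons.append("no readOnlyHint on a read-only server")
        if reasons:
            findings.append({"tool": tool["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tools(SAMPLE_TOOLS, allowed=set(), read_only=True):
        print(finding["tool"], "->", "; ".join(finding["reasons"]))
```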

3. Closed-Source Binaries

A small but meaningful minority of MCP servers distribute pre-compiled binaries without source code. We cannot audit what these send over the network. We score them 1/5 by default regardless of other signals — an unauditable binary has an unknowable security profile.

4. Hardcoded Credentials or API Key Logging

Less common but highest-severity when present: servers that log API keys passed through MCP context, or that have hardcoded credentials in their source. We found 8 tools scoring 1/5 that exhibit this pattern.

5. No Version Pinning in Install Instructions

A server's current version might score 5/5. A future version might not. If the install documentation tells you to run npx @server/latest without a version pin, you are exposed to supply chain attacks via future versions of the package.

The 5 Safest Tool Categories

Based on our scoring data, these categories consistently earn the highest security scores:

  1. Database MCP servers (official vendor versions) — Supabase, Google, MongoDB, Qdrant all maintain security-first server implementations
  2. Browser automation from established projects — Chrome DevTools MCP (backed by the Chromium project's tooling), Firecrawl (funded startup with a security team)
  3. Official platform MCP servers — GitHub, AWS, HashiCorp, Kubernetes connectors from the platform vendors themselves
  4. Framework-layer tools — FastMCP, Claude Task Master — tools that help you build MCP servers rather than connect to external services
  5. Memory and knowledge tools — cognee, hindsight — tools from teams that understand that their product is trusted with sensitive user data

Tools That Earn a Perfect 5/5

Representative examples of perfect-scoring tools in our index:

The pattern is consistent: official tools from companies with security infrastructure pass our audit. Independent tools from individual developers can pass too, but require more scrutiny.

How to Read Our Security Score

Every tool page on SkillsIndex shows the security score (0–5) alongside the overall score (0–100). If we scored a tool on security, you will see a badge. Tools without a security score have not yet been audited — treat them with the same caution as a 2/5.

Our security audit methodology is open: we check (1) permission scope, (2) dependency hygiene, (3) code transparency, and (4) maintenance of security patches. No subjective opinion. No sponsorships influence the scores.
