Guide by SkillsIndex Team

MCP Server Security in 2026: We Scored 10,631 Servers — Here Is What We Found

We scored 10,631 AI tools on security. 52.8% score 2/5 or below. Here are the specific risk patterns to watch for and a checklist for safely vetting MCP servers before installation.

SkillsIndex has scored 10,631 AI tools on a 5-point security scale. The finding is stark: 52.8% of scored tools score 2 out of 5 or below — meaning they exhibit one or more patterns that security-conscious users should treat as a red flag.

This is not a reason to avoid MCP servers. Most risks are avoidable with basic vetting. This article explains what we look for and how to apply the same criteria yourself.

The Security Score Distribution

From our analysis of 10,631 scored tools:

  • Score 5/5: 3,290 tools (30.9%) — Clean code, minimal permissions, actively maintained
  • Score 4/5: 61 tools (0.6%) — Minor issues, generally safe
  • Score 3/5: 1,403 tools (13.2%) — Some concerns, use with awareness
  • Score 2/5 or below: 5,877 tools (55.3%) — At least one significant risk pattern

The bimodal distribution (mostly 5/5 or mostly ≤2/5) reflects two distinct populations: professionally-maintained official servers vs. quickly-built community experiments.

The 5 Most Common Security Risk Patterns

1. Overly Broad File Permissions

Risk: The server requests access to large portions of the filesystem (home directory, root) when it only needs a specific folder.

Example: An MCP server for reading markdown notes requesting allowedDirectories: ["/"] instead of ["/Users/you/Notes"].

How to check: Review the default configuration in the README. If the example config uses / or ~ as the allowed path without explanation, treat it as a red flag.

2. Unsanitized Shell Execution

Risk: The server uses exec(), spawn(), or eval() with parameters that come from the AI's tool calls — potentially allowing prompt injection to execute arbitrary commands.

How to check: Search the source code for exec(, spawn(, eval(, and subprocess.run(. If they appear near variables that come from tool arguments, verify that all inputs are sanitized.

3. Unprotected API Key Exposure

Risk: The server logs API keys, passes them in URLs, or transmits them to analytics endpoints.

How to check: Search the code for console.log, logger.info, and any HTTP calls that might include the API key. Environment variables should only appear in connection setup, not in logs.

4. No Rate Limiting

Risk: A server with write access and no rate limiting can be prompted into making thousands of API calls or filesystem writes if the AI misinterprets a request.

How to check: Look for rate limiting logic in the server's tool handlers. Official servers typically include explicit rate limiting; community servers often do not.

5. Abandoned Maintenance

Risk: Servers with no commits in 6+ months and open security issues accumulate unpatched vulnerabilities.

How to check: Look at the GitHub "last commit" date and the number of open issues. SkillsIndex's maintenance score flags this automatically.
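What the hardened side of patterns 1, 2 and 4 looks like inside a server, as an added example that is not code from SkillsIndex or from any server listed here: a Python tool handler for a hypothetical notes-search server that confines tool-supplied paths to one folder, builds an argv list instead of a shell string with an allow-list of flags, and token-bucket rate limits calls. The root path, the allowed flags and the limits are assumptions.

```python
import subprocess
import time
from pathlib import Path

ALLOWED_ROOT = Path("/Users/you/Notes").resolve()  # one scoped folder, not "/" (pattern 1)
ALLOWED_FLAGS = {"-i", "-n", "-l"}                  # the only grep options a caller may choose
SEARCH_LIMIT = None                                 # set below once RateLimiter is defined


def resolve_inside(root, requested):
    """Confine a tool-supplied path to root; '..', absolute paths and symlinks are resolved first."""
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {root}")
    return candidate


class RateLimiter:
    """Token bucket: at most `burst` calls at once, refilled at `per_second` tokens (pattern 4)."""

    def __init__(self, burst, per_second, clock=time.monotonic):
        self.capacity, self.rate, self.clock = burst, per_second, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


SEARCH_LIMIT = RateLimiter(burst=5, per_second=1)


def build_grep_argv(pattern, relative_dir=".", flags=(), root=ALLOWED_ROOT):
    """Turn tool arguments into an argv list (never a shell string); unknown flags are rejected (pattern 2)."""
    unknown = sorted(set(flags) - ALLOWED_FLAGS)
    if unknown or pattern.startswith("-"):
        raise ValueError(f"rejected tool arguments: {unknown or pattern!r}")
    target = resolve_inside(root, relative_dir)
    return ["grep", "-r", *flags, "--", pattern, str(target)]


def grep_notes(pattern, relative_dir=".", flags=()):
    """The tool handler itself: rate limit, then run the validated argv without shell=True."""
    if not SEARCH_LIMIT.allow():
        raise RuntimeError("rate limit exceeded; retry later")
    argv = build_grep_argv(pattern, relative_dir, flags)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```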

Quick Security Checklist Before Installing Any MCP Server

  • ☐ Check the SkillsIndex security score — aim for 4/5 or higher
  • ☐ Prefer official or verified servers (102 official servers in our index, 94% score 4–5/5)
  • ☐ Review the default config — no root or home directory access
  • ☐ Check last commit date — within the last 90 days ideally
  • ☐ Search source code for exec( and eval( near tool arguments
  • ☐ Verify the server does not transmit your data to external endpoints you did not authorize
  • ☐ Start with read-only access before adding write permissions
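The "how to check" steps for patterns 1 to 3 and the source-code items of the checklist, as an added Python example that is not SkillsIndex's scoring code: a small static scan over a constructed config and source excerpt of a hypothetical community server. The regexes, the severity labels and the assumption that tool arguments arrive in variables named args, params, input or request are mine.

```python
import re
from pathlib import PurePosixPath

# Constructed sample input: the config and a source excerpt of a hypothetical community server.
SAMPLE_CONFIG = {"allowedDirectories": ["/"]}
SAMPLE_SOURCE = """\
const apiKey = process.env.API_KEY;
console.log("starting with key", apiKey);
server.tool("run", async (args) => {
  const out = await exec(args.command);
  return out;
});
"""

SHELL_CALL = re.compile(r"\b(exec|execSync|spawn|eval|subprocess\.run|os\.system)\s*\(")
LOG_CALL = re.compile(r"\b(console\.log|logger\.(?:info|debug|warn))\s*\(")
SECRET_REF = re.compile(r"process\.env|os\.environ|api_?key|token|secret", re.I)
TOOL_ARG = re.compile(r"\b(args|params|arguments|input|request)\b")


def is_broad_path(path):
    """Pattern 1: root, home, or a whole user directory is overly broad."""
    p = path.rstrip("/") or "/"
    if p in ("/", "~", "$HOME"):
        return True
    if p.startswith(("~/", "$HOME/")):
        return False  # a specific folder under home is scoped
    parts = PurePosixPath(p).parts
    if len(parts) <= 2:  # "/home", "/Users", "/tmp"
        return True
    return len(parts) == 3 and parts[1] in ("home", "Users")  # "/home/alice"


def scan(config, source):
    """Return (pattern, severity, detail) for patterns 1-3; env reads in setup code are not flagged."""
    findings = []
    for d in config.get("allowedDirectories", []):
        if is_broad_path(d):
            findings.append((1, "high", f"allowedDirectories grants {d!r}"))
    for n, line in enumerate(source.splitlines(), 1):
        if SHELL_CALL.search(line):  # pattern 2: worse when fed straight from tool arguments
            sev = "high" if TOOL_ARG.search(line) else "review"
            findings.append((2, sev, f"line {n}: shell/eval call"))
        if LOG_CALL.search(line) and SECRET_REF.search(line):  # pattern 3
            findings.append((3, "high", f"line {n}: secret reaches a log call"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG, SAMPLE_SOURCE):
        print(finding)
```

A "review" hit on a shell call only means the argument source is not visible on that line; it still needs to be traced back by hand.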

The Safest MCP Servers (Official & High-Scored)

Official servers from major vendors consistently score 4–5/5:

  • GitHub MCP Server (100/100) — maintained by GitHub
  • Filesystem MCP Server (94/100) — maintained by Anthropic
  • Brave Search MCP (94/100) — official Brave integration
  • Puppeteer MCP Server (94/100) — well-maintained community server

Frequently Asked Questions

How does SkillsIndex score MCP server security?

Our security scoring analyzes source code for dangerous patterns (exec(), eval(), broad permissions), checks authentication implementation, reviews permission scope requests, and factors in maintenance activity. The result is a 5-point score with detailed notes on what was found.

What percentage of official MCP servers are safe?

94% of the 102 officially-maintained MCP servers in SkillsIndex's index score 4–5/5 on security. Official servers from Anthropic, GitHub, Stripe, and Google receive the most scrutiny and have the most reliable security postures.

Can an MCP server steal my data?

A malicious or poorly-written MCP server could access more data than intended if given broad permissions. This is why vetting before installation matters. No confirmed cases of malicious MCP servers have been reported as of early 2026, but the attack surface grows as the ecosystem expands.

Should I run MCP servers in a sandbox?

For servers with filesystem or shell access, running in a Docker container or VM provides additional isolation. For typical developer use with well-scored servers, local installation is generally safe.

What is the most dangerous type of MCP server?

Servers that combine filesystem write access with shell execution capabilities and lack input sanitization pose the highest risk. Any server scoring 1–2/5 on SkillsIndex's security scale should be treated with significant caution or avoided entirely.

