Research Report · April 2026

State of MCP Package Security

Primary research from continuous monitoring of 855 Model Context Protocol packages published to npm. This report summarises what 8,888 scans across that set reveal about the ecosystem's score distribution, finding prevalence, capability surface, and real maintainer response patterns. The numbers were generated from our live dataset at /api/ecosystem/stats on 2026-04-24.

  • 855 packages monitored
  • 8,888 scans on record
  • 90.7 mean score (median 95)
  • 11 public advisories (7 high / 4 low)

Where the ecosystem stands

The headline is that most published MCP packages score well. Out of 855 scored packages, mean score is 90.7 of 100 and the median is 95. Risk categorisation is dominated by LOW (720 packages, 84%), with a long tail of packages at ELEVATED or worse that represents the material supply-chain surface a consumer actually has to worry about.

Risk distribution

  • LOW: 720 (84%)
  • MODERATE: 110 (13%)
  • ELEVATED: 21 (2%)
  • HIGH: 4 (0%)
  • CRITICAL: 0 (0%)

Score distribution

  • 90-100: 615 packages
  • 80-89: 133 packages
  • 70-79: 82 packages
  • 60-69: 15 packages
  • 50-59: 6 packages
  • 40-49: 3 packages
  • 30-39: 1 package
  • 20-29: 0 packages
  • 10-19: 0 packages
  • 0-9: 0 packages

Interpretation: the concentration at 90-100 reflects the MCP ecosystem's current publisher skew. Most packages are small, recent, and do not bundle risky behaviours. The packages below 70 are what the Policy Gate is designed to catch before they land in a repo.

What the scanner finds most

Across the most recent 500 scans, the scanner produced 626 findings total (83% of scans returned at least one finding). The most common finding is the absence of provenance attestations — a verifiability gap, not a vulnerability. The tail is where real security issues concentrate.

Finding type             Count   Share
no_provenance              387     62%
no_repository               71     11%
command_injection           68     11%
install_script              67     11%
unsafe_eval                 15      2%
excessive_dependencies       7      1%
no_license                   6      1%
sensitive_file_access        3      0%
hardcoded_secret             2      0%

Finding severity distribution

  • critical: 2 (0%)
  • high: 72 (12%)
  • medium: 78 (12%)
  • low: 474 (76%)

Severity reflects the scanner v2.1 context-aware downgrade: findings flagged by a regex match are reduced in severity when a known sanitizer wrapper (e.g. validateCommand, or execFile with array args) or a test-fixture context is detected within the same code region. This removes the bulk of the false positives that would otherwise dominate the HIGH column.
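As an added illustration (not AgentScore's scanner code), the sketch below applies the downgrade rule just described to two constructed source regions: a dynamic string reaching a shell sink is HIGH unless a validateCommand wrapper or an execFile call with array arguments appears in the same region, or the file path looks like a test fixture. The sink regex, the wrapper name and the fixture-path heuristic are assumptions of this example.

```javascript
// Added example, not the scanner's own code. The heuristics are assumptions:
// a shell sink fed a concatenated or templated string is flagged HIGH, then
// downgraded to LOW when the same region shows a validateCommand() wrapper,
// an execFile() call with an array argument, or a test-fixture file path.
const SHELL_SINK = /\b(?:exec|execSync|spawn)\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/;
const SAFE_WRAPPER = /\bvalidateCommand\s*\(/;
const EXECFILE_ARRAY = /\bexecFile\s*\(\s*[^,]+,\s*\[/;
const TEST_PATH = /(^|\/)(tests?|__tests__|fixtures)\/|\.(test|spec)\.[cm]?js$/;

// Scan one code region (a function body or file chunk) and return findings.
function classifyRegion(region, filePath = '') {
  const wrapped = SAFE_WRAPPER.test(region) || EXECFILE_ARRAY.test(region);
  const fixture = TEST_PATH.test(filePath);
  const findings = [];
  region.split('\n').forEach((line, i) => {
    if (!SHELL_SINK.test(line)) return;
    let severity = 'high';
    let reason = 'dynamic string reaches a shell sink';
    if (wrapped) { severity = 'low'; reason += '; sanitizer wrapper or execFile array args in region'; }
    else if (fixture) { severity = 'low'; reason += '; test-fixture context'; }
    findings.push({ type: 'command_injection', severity, line: i + 1, reason });
  });
  return findings;
}

// Constructed sample regions (not taken from any real package).
const RAW_EXEC = [
  "const { exec } = require('child_process');",
  'function run(tool, args, cb) {',
  "  exec('mcp-tool ' + args.join(' '), cb);",
  '}',
].join('\n');
const WRAPPED_EXEC = [
  "const { exec, execFile } = require('child_process');",
  'function run(tool, args, cb) {',
  '  const safe = validateCommand(tool, args);',
  "  exec('mcp-tool ' + safe.join(' '), cb);",
  "  execFile('mcp-tool', [tool, ...safe], cb);",
  '}',
].join('\n');

// Count findings per severity, the shape of the distribution above.
function severityCounts(findings) {
  const out = {};
  for (const f of findings) out[f.severity] = (out[f.severity] || 0) + 1;
  return out;
}
console.log(classifyRegion(RAW_EXEC, 'src/run.js'));       // one HIGH finding on line 3
console.log(classifyRegion(WRAPPED_EXEC, 'src/run.js'));   // one LOW finding (downgraded)
```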

Capability surface across the ecosystem

Capability classification runs across MCP tool definitions extracted from each package's source. These are the powers a consuming agent inherits when it installs a package. 534 monitored packages have classified capability surfaces on file. The counts below are packages with that capability present (a single package can declare many).

  • search_index: 292
  • database_access: 176
  • network_egress: 162
  • email_messaging: 138
  • filesystem_read: 109
  • secrets_access: 104
  • memory_state: 89
  • browser_automation: 76
  • repo_read: 69
  • cloud_infra: 62
  • filesystem_write: 61
  • shell_exec: 27

The distribution is instructive for consumers: a majority of classified packages declare either search, database, network, or email capabilities, which means installing an arbitrary MCP server by default grants at least one of those powers to any agent using it. The Policy Gate surfaces capability additions between versions so a consumer can decide whether a v1.4 → v1.5 bump that adds email_messaging was intended.

Install-script prevalence

Of 711 recently scanned packages, 64 (9%) publish at least one install-time script (preinstall, postinstall, or install). Most are benign (version banners, setup scripts), but the pattern is a classic supply-chain vector: any code in those scripts executes on npm install before the consumer has a chance to inspect the package. For MCP consumers who run agents in production, install-script packages deserve a manual review step.

Advisory cadence

AgentScore publishes public advisories when a monitored package materially worsens (score drop, new high-severity finding, new capability addition that changes the trust envelope). A total of 11 advisories have been published to date: 7 high-severity and 4 low-severity. Recent publications:

  • 2026-04-10 · low · agent-recall-mcp
  • 2026-04-11 · high · local-mcp
  • 2026-04-13 · high · @opentabs-dev/mcp-server
  • 2026-04-17 · high · @planu/cli
  • 2026-04-18 · high · vexp-cli
  • 2026-04-22 · high · @planu/cli
  • 2026-04-22 · high · idea-manager
  • 2026-04-23 · high · openchrome-mcp
  • 2026-04-23 · low · memorix
  • 2026-04-23 · low · semiotic

Machine-readable advisory feed: /security/advisories (HTML) and /security/advisories/rss.xml (RSS).

Case studies from this period

Numbers describe the ecosystem's shape. Cases describe how it actually responds when a finding lands in front of a maintainer. Three from the reporting period:

Redis pinned every MCP dependency after our scan

Five MCP packages were installed via unpinned npx -y in RedisInsight. Two days passed from our scan report to redis/RedisInsight#5763 being closed with every MCP version pinned.

Agions shipped security fixes to taskflow-ai in 48h, then went further

The scan raised HIGH command_injection and install_script findings. The maintainer released v3.0.2 within 48h with a validateCommand wrapper, then v4.0.0 two days later with seven capabilities deleted from the tool surface: a four-day arc from scan report to architectural cleanup.

fa-mcp-sdk: live credentials in a published tarball

A published npm package shipped an entire config file of production secrets (OpenAI key, Active Directory password, Consul tokens, Postgres superuser credentials, JWT key). Five versions republished after our April 19 private disclosure still contained the same file. We escalated to security@npmjs.com on April 22; the disclosure window closes April 29. This is a standing reminder that scanner findings labelled "hardcoded_secret" are rare (0.3% of findings this period) but consequential when real.

What this means for MCP consumers

  • Pin your MCP dependencies. npx -y and unpinned npm specs pull whatever is latest at install time. Any maintainer compromise propagates without warning. This is the Redis lesson.
  • Re-evaluate capability changes at bumps. A v1.4 to v1.5 patch that adds email_messaging, filesystem_write, or shell_exec is a scope change, not a routine update. The Policy Gate surfaces these automatically.
  • Treat install scripts as a manual-review gate. 9% of packages in this sample publish one. Most are benign. The Policy Gate flags their presence so a human decides.
  • Watch the advisory feed. Score drops and finding additions on packages already in your inventory are the early-warning signal. RSS: /security/advisories/rss.xml.
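To make the pinning, capability-bump and install-script items concrete, here is an added example (not the Policy Gate's own code) of a consumer-side pre-install check over an MCP client config: it flags unpinned npx specs, install-time scripts in the candidate package's manifest, and scope-changing capability additions relative to the previously approved version. The mcpServers config shape, the sample package names and the per-version capability lists are constructed assumptions; real capability lists would come from the scanner's classification.

```javascript
// Added example, not the Policy Gate's own code. Config shape, package names
// and capability lists are constructed; capabilities are assumed to come from
// the scanner's classification of each version's tool definitions.
const SCOPE_CHANGING = new Set(['email_messaging', 'filesystem_write', 'shell_exec']);
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// The npm spec an `npx` command will resolve (first non-flag arg), else null.
function npxSpec(command, args) {
  if (command !== 'npx') return null;
  return args.find((a) => !a.startsWith('-')) || null;
}

// Pinned means an exact version, scoped or not, e.g. @scope/pkg@1.5.0.
function isPinned(spec) {
  return /^(@[^/]+\/)?[^@]+@\d+\.\d+\.\d+$/.test(spec);
}

// Evaluate one server entry against the three gates; 'allow' only when clean.
function gateServer(name, entry, manifest, approvedCapabilities) {
  const issues = [];
  const spec = npxSpec(entry.command, entry.args || []);
  if (spec && !isPinned(spec)) issues.push({ gate: 'unpinned_spec', detail: spec });
  const hooks = INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
  if (hooks.length) issues.push({ gate: 'install_script', detail: hooks.join(',') });
  const added = manifest.capabilities.filter(
    (c) => SCOPE_CHANGING.has(c) && !approvedCapabilities.includes(c));
  if (added.length) issues.push({ gate: 'capability_added', detail: added.join(',') });
  return { server: name, decision: issues.length ? 'review' : 'allow', issues };
}

function gateConfig(config, manifests, approved) {
  return Object.entries(config.mcpServers).map(([name, entry]) =>
    gateServer(name, entry, manifests[name], approved[name] || []));
}

// Constructed inputs: a client config, each candidate's manifest plus the
// scanner-classified capabilities, and the capabilities approved last time.
const CONFIG = { mcpServers: {
  mailer: { command: 'npx', args: ['-y', 'example-mail-mcp'] },
  search: { command: 'npx', args: ['-y', '@example/search-mcp@1.5.0'] },
  notes:  { command: 'npx', args: ['-y', 'example-notes-mcp@2.0.1'] },
} };
const MANIFESTS = {
  mailer: { scripts: { postinstall: 'node banner.js' }, capabilities: ['email_messaging'] },
  search: { scripts: { build: 'tsc' }, capabilities: ['search_index', 'filesystem_write'] },
  notes:  { scripts: {}, capabilities: ['memory_state'] },
};
const APPROVED = { mailer: ['email_messaging'], search: ['search_index'], notes: ['memory_state'] };
console.log(gateConfig(CONFIG, MANIFESTS, APPROVED)); // mailer, search -> review; notes -> allow
```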

Methodology

Discovery sweeps npm via keyword search (keywords:mcp-server, keywords:model-context-protocol), broad text search filtered to MCP-relevant results, and dependency-reverse search across several MCP SDKs (@modelcontextprotocol/sdk, fastmcp, mcp-framework, @mcp-ui/server). Enrollment requires a minimum weekly-downloads threshold. Enrolled packages are rescanned on a continuous cadence, with real-time change detection via the npm registry feed. The scanner is static analysis only: it downloads published tarballs, analyses metadata and source in memory, and does not execute code or inspect runtime behaviour. Full methodology including finding definitions, severity rules, and OWASP MCP Top 10 coverage map is at /methodology. The underlying dataset is queryable at /api/ecosystem/stats (JSON, revalidated hourly). Findings sample size for distribution tables: 500 most recent scans. Full scan count to date: 8,888.

Use the Policy Gate in your repo

One YAML block. Free for public repos. Auto-provisions via GitHub OIDC.

Report generated 2026-04-24. Watch feed last updated 2026-04-24.