AgentScore is for sale. View the assets and acquisition details →

Research · AgentScore telemetry

What autonomous agents actually check before they trust an MCP package

A note from AgentScore's own telemetry, June to July 2026.

AgentScore runs a public API that answers one question for an AI agent: is this MCP package safe to install and use? Over the last five weeks, without any marketing, a handful of autonomous agents found that API and wired it into their own loops. This note reports what they checked. It is a small sample and we say so up front. It is also the first direct measurement we have seen of the question, so it is worth writing down.

The window

Between June 1 and July 6, 2026, nine distinct external machine callers reached the verdict, scan, exposure, and monitor endpoints, five of them across multiple days and four as single-day trials. Together they made 1,508 API calls checking 42 distinct packages. Every caller is an anonymized, salted-hash fingerprint; we cannot and do not identify who they are. This is organic adoption of the primitive, not a customer base and not revenue. N is small. Read it as a signal, not a survey.

The finding: agents check the popular official stack, not the obscure long tail

The intuition about supply-chain risk is that you scrutinize the sketchy, unknown packages. The data says the opposite. Of all the package-checks in the window, 71 percent landed on the eleven official @modelcontextprotocol servers. The three most-checked packages, server-github, server-filesystem, and exa-mcp-server, accounted for 79 percent of all checks between them.

PackageChecksDistinct agents
@modelcontextprotocol/server-github6194
@modelcontextprotocol/server-filesystem3235
exa-mcp-server2365
@modelcontextprotocol/server-memory604
@modelcontextprotocol/server-postgres191
@modelcontextprotocol/server-sequential-thinking132
@modelcontextprotocol/server-slack81
@modelcontextprotocol/server-brave-search71
mcp-server-firecrawl71

Eight packages were independently checked by two or more separate agents, converging on the same core: exa-mcp-server and server-filesystem (five agents each), then server-github and server-memory (four each). Different operators, no coordination, same short list.

Why it matters

Agents check what they install, and what they install is the popular official stack. That inverts the usual supply-chain framing. The concentration of real-world agent trust-checking is not on the obscure packages a scanner is built to catch; it is on the small set of widely-installed servers that sit inside almost every agent. Which is precisely where a single compromise would propagate furthest. The packages least suspected are the ones most worth watching, because they are the ones everyone runs.

A second, smaller pattern: agents also route plain npm dependencies through the same check (axios was verified by four separate agents), and several pointed the scanner at itself. The trust question, once an agent has a tool for it, gets asked about the whole dependency surface, not just the flagged names.

The honest boundary

This is nine anonymous callers over five weeks. It is not a market, and one retained consumer is not product-market fit. What it is: a direct, instrumented look at what the trust question looks like when an autonomous agent asks it in production, unprompted. As agents take on more of their own tool selection, that question gets asked more often, by more of them, about the same concentrated core. This is the first data point. We will publish the next one when the sample is larger.

Built by AgentScore. Methodology and the live scanner at agentscores.xyz. Figures are a point-in-time snapshot of API telemetry for June 1 to July 6, 2026.