MCP Security Review
Everything we publish about MCP package security, and how to use it. Free public tools, an advisory feed, case studies, and continuous monitoring. If you need a report, repo dossier, disclosure path, or collaboration channel, the path is below.
State of MCP Package Security · April 2026
Primary research from continuous monitoring of 1,160 MCP packages. Score distribution, finding prevalence, capability surface, and three case studies. Shares its data source with /api/ecosystem/stats for machine consumption.
Read the report →
Policy Gate
A GitHub Action that decides allow, warn, or block for each MCP package on every PR. One YAML block. Free for public repos. Auto-provisions via GitHub OIDC.
See the install →
Advisory Feed
Public advisories for MCP packages whose score or capability surface changes. Published as RSS and JSON so you can wire it into your alerting.
Read the feed →
Redis Case Study
Two days from our scan to every MCP dependency in RedisInsight pinned to exact versions, with a public maintainer quote.
Read the case →
Methodology
Our scanner, what it checks, what it cannot check, and how it maps against the OWASP MCP Top 10 framework.
See how it works →
Scan findings have led to real security fixes shipped by MCP server maintainers. See the Redis and Agions case studies.
Contact routes
Use the contact route when you need one of four things: to report a package, request a repo dossier, send a disclosure, or start a research collaboration around MCP package security.
The public tools come first. Contact exists for concrete follow-up paths, not to gate access to the dataset or the advisory record.