SECURITY RESEARCH We Scanned 1,808 MCP Servers. 66% Had Security Findings. March 14, 2026 AgentSeal Team 14 min read 0 On a Thursday evening in February 2026, Alexey Grigorev sat down to save ten dollars a month on his AWS bill. He ran an AI coding agent to help consolidate some Terraform infrastructure. The agent found an old Terraform archive with production configs. It ran terraform destroy . In seconds, 2.5 years of course data for his 100,000-student education platform was gone. The RDS database, the VPC, the ECS cluster, the load balancers, and every automated snapshot. 1.9 million rows of homework submissions, projects, and leaderboard data, wiped. He got lucky. AWS support found a hidden snapshot and restored the database within 24 hours. Most people won't be that lucky. This wasn't a sophisticated attack. Nobody hacked anything. A developer gave an AI agent access to infrastructure tools and approved a destructive action without fully understanding what would happen. The tools worked exactly as designed. The agent did exactly what it was told. That's the problem. The new attack surface Over the past year, the Model Context Protocol has gone from an interesting idea to the default way AI agents connect to the outside world. MCP servers give your AI agent access to files, databases, APIs, email, Slack, GitHub, and essentially anything else you can connect to an HTTP endpoint. Anthropic designed the protocol. Every major AI coding tool adopted it. There are now over 16,000 MCP servers in the ecosystem, up from 714 in January 2025. Almost nobody is auditing them before connecting. The AgentSeal MCP Security Registry was developed to analyze this ecosystem at scale. Over the past several months, 1,808 MCP servers have been scanned and analyzed. Each one was connected to, every tool it exposes was enumerated, tool descriptions and schemas were analyzed, configurations were checked, and the full detection pipeline was run. Here is what the data shows. What the data shows Out of 1,808 servers scanned: 1,196 servers (66%) had at least one security finding 8,282 total findings across the ecosystem 427 critical severity findings 1,841 high severity findings 16,840 tools analyzed across all servers Findings are generated at the tool level, not the server level. A single server exposing 20 tools may have findings on multiple tools. The 8,282 number represents individual tool-level issues, not unique servers. The breakdown of critical and high severity findings by category: Category High Critical Total % Code Execution 873 36 909 40.1% Toxic Data Flows 509 334 843 37.2% Data Exposure 52 20 72 3.2% Prompt Injection 40 11 51 2.2% File System Access 17 0 17 0.7% Other 350 26 376 16.6% Code execution risks were the most common. These are tools whose descriptions or configurations enable arbitrary command execution on the host machine. Toxic data flows were second, and arguably more dangerous, because they involve capability combinations across multiple servers that create attack chains. A server that reads Slack messages piped to a server that writes files creates a data exfiltration path, even if neither server is malicious on its own. The average trust score across all scanned servers is 85.7 out of 100. That number looks reassuring until you look at the distribution: Trust Score Distribution (1,808 servers) 90-100 ████████████████████████████ 1,021 servers (56.5%) 70-89 ██████████████████████ 753 servers (41.6%) 40-69 █ 34 servers (1.9%) The safe servers pull the average up, while a tail of 34 servers with scores between 40 and 69 contains the most severe findings: unrestricted filesystem access, hardcoded credentials, and tool descriptions with embedded instructions. 590 servers have not yet received a trust score and are pending deeper analysis. Methodology The scan covered 1,808 MCP servers discovered through GitHub repositories, npm and PyPI packages implementing the MCP protocol, public MCP registries including Smithery and MCP.run, and community directories. For each server: Connected to the MCP endpoint over stdio or SSE transport Enumerated all exposed tools, prompts, and resources Collected tool descriptions and input schemas Ran a four-layer detection pipeline: Pattern signatures : regex-based detection of known malicious patterns, including Base64 payloads, shell command patterns, and credential references Deobfuscation : stripping Unicode tag characters (U+E0001-E007F), zero-width characters (U+200B/200D), variation selectors, and BiDi control characters before re-analysis Semantic analysis : comparing tool descriptions against known attack patterns using sentence embeddings (all-MiniLM-L6-v2, cosine similarity threshold 0.72) LLM classification : deep review of suspicious findings using Claude Opus for context-aware severity assessment Mapped cross-server data flows by constructing a capability graph of tool inputs and outputs to identify toxic capability combinations Computed SHA-256 hashes of tool ...