July 12, 2026

Stars, scares, and sketchy servers

The State of MCP Security [pdf]

Fans of the biggest AI add-ons are freaking out after a report says the famous ones may be the shadiest

TLDR: A major scan found hundreds of AI tool servers with serious safety problems, including some of the most popular ones. The community reaction was blunt: trust in big-name tools is collapsing, and commenters are bragging that building their own locked-down setups feels safer than relying on "slopped out" public options.

The new Canopii report reads like a horror movie for anyone plugging extra tools into AI assistants: more than 11,000 MCP servers were scanned, and 830 flunked badly. Even juicier? Some of the most popular, most-starred names were the ones getting dragged, with big shiny GitHub fame apparently meaning less safety, not more. The report says some tools could run dangerous commands, some secretly changed what they do after approval, and hundreds appeared to hand out tools to anonymous visitors despite claiming they needed a login. In plain English: the stuff people trusted most may be the stuff they should've side-eyed hardest.

And the community mood? Pure "I KNEW IT" chaos. The standout reaction came from user shitloadofbooks, who basically said they got so fed up with other people's "slopped out MCPs" and the constant fear of a future enterprise pricing rug pull that they built their own guarded middleman just for peace of mind. That one comment captures the whole vibe: trust is dead, DIY is in, and everyone thinks someone is trying to sneak something past them. The jokes practically write themselves — the "famous" servers are being treated like sketchy celebrities, and the term rug pull is doing overtime. The hot take of the day: in this ecosystem, a lot of people now seem to believe the safest tool is the one you painfully babysit yourself.

Key Points

  • Canopii says it scanned 11,524 published MCP servers and found 830 servers serious enough to receive D or F grades.
  • The report says popular MCP servers were more likely to be high-risk, with servers above 1,000 GitHub stars showing an 18.7% high-risk rate and 6 of the 15 most-starred servers graded D or F.
  • Static analysis confirmed 232 servers with dangerous sinks, including 141 arbitrary code eval cases, 69 command injection cases, and 42 unsafe deserialization cases.
  • The report identifies additional exposure beyond confirmed sinks, including 1,625 servers with unresolved path-traversal patterns and 952 with potential SSRF.
  • Supply-chain findings include 78% of checked servers with unpinned dependencies, 1,617 with known vulnerable dependencies, 260 running install scripts, 7 typosquat packages, and 184 versions that changed tool definitions after publication.

Hottest takes

"blatent rugpull towards 'enterprise pricing' waiting to happen" — shitloadofbooks
"slopped together an MCP Proxy" — shitloadofbooks
"other people's slopped out MCPs" — shitloadofbooks
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.