I audited 6,762 MCP servers. Here's the state of the ecosystem and the trust gap nobody's filling.

An independent audit of 6,762 Model Context Protocol (MCP) servers found that 42% earned an A or B grade while 38% scored D or F, with 13% of registry-listed servers unreachable. The audit, conducted by the developer behind wmcp.sh using an OWASP-MCP-aligned rubric across five dimensions, revealed that only about 1% of servers had confirmed security problems like prompt-injection or secret-exfiltration, but the larger issue is a lack of vettability and silent tool mutations after launch. The developer argues the ecosystem needs an independent, continuous trust layer rather than relying on the official MCP registry, which explicitly delegates security to downstream aggregators.

Originally published with live data at https://wmcp.sh/reports/state-of-mcp-security-2026

The Model Context Protocol exploded this year. Claude, Cursor, Codex, and a wave of agents now discover and auto-connect to MCP servers. Which raises a question nobody's answering: who's checking those servers are safe, reachable, and well-behaved before an agent hands them tool-call access?

The official MCP registry deliberately doesn't. It authenticates namespaces and stores metadata, then explicitly delegates security and curation to "downstream aggregators." So trust in MCP is structurally unowned. I built an independent grader and ran it across 6,762 servers, which is the largest audit of the ecosystem that I'm aware of. Here's what's there.

The method

An open, OWASP-MCP-aligned A–F rubric across five dimensions: spec conformance, security, reliability, tool hygiene, and transparency. It covers remote servers (by connecting and inspecting their real MCP surface) and stdio servers distributed as npm/pypi packages (by statically analyzing their published source).
Grades are free and identical whether or not the operator pays — that independence is the whole point.

What's actually out there

MCP is overwhelmingly developer infrastructure. Developer Tools is the largest category by 2x (1,020 servers), followed by Finance & Crypto (581), AI & ML (408), Databases (396), and Cloud & DevOps (372). Consumer-facing categories are thin. If you're building for agents, you're mostly building for developers right now.

42% earn an A or B; 38% land at D or F. The security news is better than the headlines suggest — only ~1% of servers exposed a confirmed problem (prompt-injection / hidden-instruction markup or secret-exfiltration file paths embedded in tool descriptions — text an agent reads and may act on).

The real gap is vettability and rot. 13% of registry-listed servers are simply unreachable — dead or unmaintained. And of the live ones, many can't be vetted from the outside at all: no OAuth resource metadata (RFC 9728), untyped tool schemas. An agent has no safe way to know what a server will do before connecting.

And tools mutate silently after launch — the CVE-2025-54136 "rug-pull" class. A server you vetted last week can ship a renamed or malicious tool today. Static scans miss this entirely; it needs continuous re-verification. We hash each server's tool set and re-check on a schedule.

Why this matters

As agents move from "suggest" to "act," "trust before connect" stops being optional. The ecosystem needs an independent, continuous, cross-client trust layer — the FICO/SSL-Labs of MCP — not a one-time scan and not a registry that punts.

That's what I'm building at wmcp.sh: a free A–F trust grade for every MCP server, continuously watched for drift, plus the same idea extended to two more connection types — WebMCP (in-browser agents) and captured REST (turn any site's undocumented internal API into agent tools).
If you run an MCP server: grade it free at https://wmcp.sh/mcp/grade, make sure it's reachable and transparent, and embed the badge so users know you're audited.

The full report (live data): https://wmcp.sh/reports/state-of-mcp-security-2026
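
One way to do the tool-set hashing and scheduled re-check mentioned above, as an added example (not wmcp.sh's code): it fingerprints each tool in a `tools/list` result and diffs a fresh listing against the pinned one. The choice of hashed fields, the function names and the two sample listings are assumptions constructed for illustration.

```python
import hashlib
import json
FIELDS = ("name", "description", "inputSchema")  # assumed: what the agent reads

def tool_digest(tool: dict) -> str:
    """SHA-256 over a canonical JSON form of the fields an agent acts on."""
    view = {k: tool.get(k) for k in FIELDS}
    blob = json.dumps(view, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def fingerprint(tools: list) -> dict:
    """Map tool name -> digest, independent of tools/list ordering."""
    fp = {}
    for tool in tools:
        if tool["name"] in fp:  # duplicate names make the listing ambiguous
            raise ValueError(f"duplicate tool name: {tool['name']}")
        fp[tool["name"]] = tool_digest(tool)
    return fp

def toolset_hash(fp: dict) -> str:
    """Single value to pin per server and compare on each re-check."""
    blob = json.dumps(fp, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def drift(pinned: dict, current: dict) -> dict:
    """Name-level diff between the pinned fingerprint and a fresh one."""
    both = pinned.keys() & current.keys()
    return {
        "added": sorted(current.keys() - pinned.keys()),
        "removed": sorted(pinned.keys() - current.keys()),
        "changed": sorted(n for n in both if pinned[n] != current[n]),
    }

# Constructed tools/list results for one server, a week apart.
VETTED = [
    {"name": "read_file", "description": "Read a file in the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "search", "description": "Search the workspace.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
]
TODAY = [
    {"name": "find", "description": "Search the workspace.",  # renamed tool
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
    {"name": "read_file", "description": "Read a file. [text added after vetting]",
     "inputSchema": {"properties": {"path": {"type": "string"}}, "type": "object"}},
]

if __name__ == "__main__":
    print(drift(fingerprint(VETTED), fingerprint(TODAY)))
```

A rename shows up as one removed and one added name, and a description edit shows up as a changed digest even when the schema is untouched, so a client can block or re-prompt on any non-empty diff.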