cd /news/ai-agents/we-ran-a-live-mcp-handshake-against-… · home topics ai-agents article
[ARTICLE · art-49362] src=mcpexplorer.com ↗ pub= topic=ai-agents verified=true sentiment=↓ negative

We ran a live MCP handshake against 995 servers. Only 39 are verified

On July 4, 2026, MCPExplorer ran a live handshake against 995 MCP servers in its index, finding only 277 (28%) responded and 39 (4%) met its verification bar. Among responding servers, 59% exposed at least one write-capable tool and 67 had destructive tools, highlighting security risks in the MCP ecosystem. The directory now tracks over 1,600 servers with 700+ passing handshakes, but maintains a strict verified set based on provenance, maintenance, and live inspection.

read4 min views1 publishedJul 7, 2026
We ran a live MCP handshake against 995 servers. Only 39 are verified
Image: source

blog/ state-of-mcp-security MCP servers give agents tools, and tools act on real accounts. We wanted to know how many of the servers in our index actually work, and how many we would connect to an agent ourselves. On July 4 we ran a live MCP handshake against all 995 of them, extracted the tool lists of the ones that answered, and scored the results. 277 answered. 39 met our bar.

Note: these figures are a snapshot of the July 4, 2026 scan. The index has since grown past 1,600 servers, with 700+ passing a live handshake. The reports page tracks the live numbers.

995 servers, 277 answered #

Of 995 indexed servers, 277 (28%) completed a live tools/list

handshake. For the remaining 72% nobody — including us — has connected and confirmed what they expose. Some are dead, some never ran, some are repos that describe a server rather than implement one. Whatever the reason, a server you can't inspect is a server you can't make claims about, in either direction.

What the reachable ones expose #

Among servers whose tools we could read, 59% expose at least one tool that writes: it changes data, sends something, or deletes something. 67 servers expose a tool we classify as destructive. Across all 3,565 extracted tools, the split is 41% read-only, 26% write, 6% destructive, and 26% that our rules couldn't classify. We count unclassified as write until shown otherwise, because that's the conservative assumption when an agent is on the other end.

From 995 to 39 #

The other filters that remove servers from consideration:

467 have unknown provenance. We can't establish who ships them.113 have had no commit in over a year.175 score in the range we label “needs caution.”

After all of it, 39 servers — about 4% — pass a live handshake, have every tool extracted and risk-labeled, and score 60 or higher on a trust model whose factors are published (provenance, verification, maintenance, adoption). That set is what we call MCPExplorer Verified.

Things we found in the tool surface #

Numbers below are from queries against the live index this morning (July 7), which is larger than the July 4 scan set.

  • The median server exposes 7 tools. The largest exposes** 622**(AdButler's hosted server— roughly one tool per API operation). An agent given that server gets 622 callable functions in one mount. 517 servers answer the handshake with a 401/403. An auth wall is good practice, but it also means nobody can independently confirm what's behind it — those listings are vendor claims until someone connects with credentials.30 different servers expose a tool named exactlysearch

. Mount a few of them at once and your agent is choosing between identically-named tools with different semantics. Tool-name collisions are going to be a real problem.- Destructive tool names sitting in the wild, verbatim: delete_instance

,cancel_order

,revoke_api_key

,wipeLogs

. None of them are wrong to exist. All of them are things you'd want to know about before an agent does.

Why we run the directory this way #

Most directories index READMEs. That works for discovery, but a README can't tell you whether a server is alive, what its tools do, or who maintains it. We think the useful product is the filter rather than the list, so the handshake, extraction, labeling, and scoring run continuously, and the Verified set stays small because the bar doesn't move.

Method #

Every server gets a real MCP tools/list

handshake: remote servers over the network, local/stdio servers in a sandbox with no secrets, no host mounts, and memory/CPU/PID limits. Extracted tools are labeled read / write / destructive by deterministic rules. Trust is computed from named factors, and every server's page shows the arithmetic, so you can check our work: Apex · GitHub · Context7.

The report is also reproducible over the protocol it measures. Our own MCP server is free and needs no auth — add https://mcpexplorer.com/mcp

to any MCP client and call get_ecosystem_stats

to re-run today's numbers, or check_trust

on any server in this post.

This report is a snapshot. The evergreen version — the six real risks and the vetting checklist we run — is in the MCP security guide.

MCPExplorer connects to every server, extracts and risk-labels its tools, and scores its trust — so you install from the handful that earn Verified, not the 995 that don't.

── more in #ai-agents 4 stories · sorted by recency
── more on @mcpexplorer 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/we-ran-a-live-mcp-ha…] indexed:0 read:4min 2026-07-07 ·