Pith. sign in

REVIEW 3 major objections 68 references

MCP security scanners flag nearly all runtime servers as risky, but those alerts are not reliable enough for ecosystem claims.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-14 07:09 UTC pith:XGPZ4SV7

load-bearing objection Large runtime MCP corpus plus a multi-scanner reliability audit that actually lands; the 96.89% headline is a union statistic and the precision sample is imperfectly matched to it, but the unreliability conclusion still holds. the 3 major comments →

arxiv 2607.11086 v1 pith:XGPZ4SV7 submitted 2026-07-13 cs.CR

Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability

classification cs.CR
keywords Model Context ProtocolMCP serversagent securitysecurity scannersruntime analysisscanner reliabilityMCPZoo
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper argues that real-world claims about Model Context Protocol (MCP) server security have been built on shaky measurements. Because large numbers of live MCP servers did not previously exist for testing, researchers and practitioners leaned on scanners run on small samples, without knowing how often those scanners were right. The authors build MCPZoo by turning tens of thousands of public repositories into running services through a multi-agent loop that infers environments, deploys containers, repairs failures from logs, and accepts only servers that complete real protocol handshakes and tool listings. On more than 37,000 interactable servers, eight scanners together flag about 97 percent as risky; yet manual review finds average alert precision under 50 percent, scanners rarely agree with each other, and they catch only about a quarter of known CVE cases. The intended takeaway is not that MCP servers are safe, but that current scanning practice cannot yet support ecosystem-level security conclusions; a public query interface is released so users can inspect multi-scanner reports without treating any single alert as ground truth.

Core claim

On 37,288 interactable MCP servers, existing scanners report 96.89 percent as risky, yet those signals are unreliable: a stratified manual sample yields only 45.53 percent average precision, average pairwise Jaccard agreement across scanners is 15.66 percent, and scanners recover only 24.17 percent of a CVE-based ground-truth set. The paper therefore reframes the headline from “MCP servers are unsafe” to “current MCP security scanners are not yet reliable enough for ecosystem-level security claims.”

What carries the argument

MCPZoo: a multi-agent deployment framework (Generation, Verification, and Diagnosis agents) that converts in-the-wild repositories into Dockerized services, validates them with real MCP protocol interactions (stdio, SSE, Streamable HTTP), and yields 64,611 unique servers of which 37,288 support dynamic analysis.

Load-bearing premise

The unreliability claim depends on a manual sample of roughly 100 flagged servers plus a ground-truth set of only 10 CVEs on 38 servers being representative of scanner precision and recall at full ecosystem scale.

What would settle it

A larger independent re-labeling of scanner alerts, or a substantially larger CVE-matched corpus, that showed average precision well above 80 percent, recall well above 70 percent, and high cross-scanner agreement would overturn the claim that scanners are unreliable for ecosystem-level conclusions.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Near-97 percent scanner-flag rates should not be read as evidence that nearly all MCP servers are vulnerable.
  • Ecosystem security measurement needs runtime-validated servers and validated scanners, not metadata-only checks on small curated sets.
  • Template-driven duplication and weak out-of-the-box deployment practices multiply the instances that inherit the same flaws.
  • Practical risk triage should surface multi-scanner agreement and validation status rather than treat single-scanner alerts as confirmed vulnerabilities.
  • Future scanners need evidence grounded in reachable runtime behavior, not capability keywords or unvalidated model inference alone.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Agent platforms that auto-install popular MCP servers may systematically over-block or under-protect users depending on which scanner they trust.
  • Markets that re-list near-identical template replicas will amplify both shared real flaws and clustered scanner false positives.
  • The same multi-agent deploy-and-verify loop could serve as a continuous-integration gate for MCP package registries.
  • Closing the precision–recall gap may require hybrid static data-flow analysis plus constrained dynamic probing rather than either style alone.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 0 minor

Summary. The paper constructs MCPZoo, a large runtime-enabled corpus of MCP servers obtained by multi-source collection and a multi-agent Generation–Verification–Diagnosis pipeline that produces Dockerized deployments validated by real MCP protocol handshakes and tools/list. From 156,842 raw market entries it retains 64,611 unique servers, of which 37,288 are interactable (57.7% agent success). Using this corpus it characterizes ecosystem structure (cross-market overlap, 28.3% code-level duplication, weak native deployability, long-tailed tool exposure with 37.66% high-capability tools) and evaluates eight public MCP security scanners under fixed configs. Scanners flag 96.89% of interactable servers as risky by union, yet a dual-reviewed stratified sample of 100 flagged servers yields only 45.53% average precision, pairwise Jaccard agreement is 15.66%, and recall on a 10-CVE / 38-server ground-truth set is 24.17%. The authors conclude that current scanners are not reliable enough for ecosystem-level security claims and release a public query interface over normalized reports.

Significance. If the reliability result holds, the paper substantially revises how the community should interpret MCP scanner outputs and provides the first large, protocol-validated runtime substrate for MCP security measurement. Strengths include operational success criteria (JSON-RPC initialize + tools/list), dual-reviewer human validation of deployments (κ=0.95) and precision labels (κ=0.87), controlled multi-scanner execution with a fixed local LLM backend, and an external CVE-mapped recall set rather than circular self-scoring. The public query interface and the scale jump relative to prior dynamic studies (Table 1) are concrete contributions that other groups can reuse. The work is timely for agent-tool security and directly actionable for scanner developers and MCP market operators.

major comments (3)
  1. §5.3 / Table 7: The headline claim that scanners are unreliable for ecosystem-level claims is motivated by the 96.89% union risk rate (§5.2, Table 6) but supported by an unweighted average precision of 45.53% over stratified sampled alerts. High-volume low-precision scanners (A.I.G dynamic 10.40%, Agent-Scan 28.21%, mcp-armor 20.34%) dominate the union. The manuscript should report (i) volume-weighted or server-level precision of the union (or of majority-vote / multi-scanner agreement strata) and (ii) confidence intervals or bootstrap estimates for the 100-server sample, so that the precision of the quantity used in the abstract is estimated rather than only per-scanner averages.
  2. §5.3 / Appendix D (Table 10): The CVE ground-truth set comprises only 10 CVEs affecting 38 servers and is heavily skewed toward command injection and credential leakage. Overall recall of 24.17% is therefore informative but thin for the strong claim of limited recall on confirmed issues. Either expand the set (additional NVD/GitHub-mapped MCP CVEs or a small hand-crafted exploit suite with reachable paths) or explicitly bound the recall claim to the covered vulnerability types and avoid treating 24.17% as a general ecosystem recall figure.
  3. §6.2 Deployment Bias and §4.2: 42.3% of unique servers remain non-interactable; failures are dominated by external credentials and infrastructure coupling (63.6%). Dynamic scanners and the 96.89% figure are defined only on the deployable subset. The paper should quantify whether non-deployable servers differ systematically in tool capability, market origin, or static scanner flags (MCPScan / A.I.G static can still run on source), and state how this selection may bias the reliability conclusion toward easier-to-sandbox projects.

Circularity Check

1 steps flagged

No load-bearing circularity: scanner unreliability is measured against independent manual review and public CVEs, not against scanner outputs or MCPZoo construction heuristics.

specific steps
  1. self citation load bearing [Section 7 Related Work, final paragraph]
    "Our earlier MCPZoo preprint [63] introduced the initial dataset and automated deployment framework. This article extends that work with an expanded runtime corpus, ecosystem characterization, and a large-scale reliability evaluation and validation of MCP security scanners."

    The citation is to a prior arXiv by largely the same authors. It is not load-bearing: the scanner precision/recall/Jaccard results are newly measured on the expanded corpus against independent human labels and public CVEs, so the central claim does not reduce to the earlier preprint.

full rationale

This is an empirical measurement paper. The central claim (scanners flag 96.89% of 37,288 interactable servers as risky yet average sampled precision is only 45.53%, pairwise Jaccard is 15.66%, and CVE recall is 24.17%) is obtained by running eight external scanners on MCPZoo, then validating a stratified sample of 100 flagged servers by two independent human reviewers (Cohen’s κ=0.87) under an explicit true-positive rule requiring concrete reachable unsafe behavior, plus a separate 10-CVE/38-server ground-truth set drawn from NVD. None of these quantities is defined from, or fitted to, the scanners’ own scores or the multi-agent deployment loop that built MCPZoo. The only self-reference is the lineage note that an earlier preprint by overlapping authors introduced the initial MCPZoo dataset; that citation is not used to justify the reliability numbers, uniqueness of any method, or any prediction. Deployment success (57.7%) and tool-capability statistics are descriptive measurements, not predictions derived from fitted parameters. Consequently there is no self-definitional step, no fitted-input-called-prediction, no uniqueness theorem imported from the authors, and no ansatz smuggled via citation. Score 1 reflects only the minor, non-load-bearing self-citation of the prior preprint.

Axiom & Free-Parameter Ledger

4 free parameters · 4 axioms · 2 invented entities

This is an empirical systems/security measurement paper. Load-bearing choices are operational definitions (what counts as a valid MCP server and a successful dynamic deployment), tooling knobs (LLM model, retry budget, timeouts, scanner star threshold), and the external ground-truth construction for precision/recall—not free physical constants or new particles.

free parameters (4)
  • max_build_attempts
    Each server is given at most 5 iterative generation/diagnosis cycles; this hand-chosen budget directly affects the 57.7% dynamic success rate that defines the measurement population.
  • scanner_execution_timeout_and_iterations
    1500s timeout and ≤5 iterations per server (Section 5.1) truncate dynamic scanner behavior and can change coverage and reported risk rates.
  • scanner_selection_star_threshold
    Scanners with >200 GitHub stars are included; this ad hoc popularity cutoff defines which tools enter the reliability study.
  • LLM_backend_for_agents_and_scanners
    Qwen3-235B-A22B-Instruct is fixed for deployment agents and LLM-using scanners; results can shift with model choice, as the paper notes in limitations.
axioms (4)
  • domain assumption A server supports dynamic analysis iff a compliant MCP client completes initialize and receives a schema-compliant tools/list response over stdio/SSE/HTTP.
    Section 3.4.2 operationalizes deployability via protocol handshake rather than full semantic tool correctness; this defines the 37,288-server analysis set.
  • ad hoc to paper An alert is a true positive only when evidence shows concrete vulnerable behavior or a reachable unsafe data/control flow, not mere capability or suspicious wording.
    Section 5.3 precision protocol; this labeling rule drives the <50% precision conclusion and is stricter than many scanners’ own criteria.
  • domain assumption Public market crawls plus MCP library/signature filters yield a representative view of the real-world MCP server population after URL and code-level dedup.
    Sections 3.3 and 4.1; decentralized markets and template clones make completeness and uniqueness assumptions load-bearing for ecosystem claims.
  • domain assumption Standard container isolation and least-privilege sandboxing make large-scale execution of untrusted MCP servers ethically and operationally acceptable for measurement.
    Appendix A ethical mitigations; required to justify building and running the corpus.
invented entities (2)
  • MCPZoo multi-agent deploy/repair/verify pipeline (Generation, Verification, Diagnosis agents) no independent evidence
    purpose: Turn static in-the-wild MCP repositories into protocol-validated runtime services at scale.
    Core methodological construct of the paper; not independently evidenced outside this work’s deployment success metrics and small human audit.
  • Unified risk taxonomy (Prompt Injection, Command Execution, Data Leakage, Other) mapping heterogeneous scanner labels no independent evidence
    purpose: Enable cross-scanner comparison of reported risks.
    Appendix C mapping is author-defined harmonization; different mappings would change category-level Jaccard and prevalence tables.

pith-pipeline@v1.1.0-grok45 · 32314 in / 3346 out tokens · 48289 ms · 2026-07-14T07:09:02.100452+00:00 · methodology

0 comments
read the original abstract

The Model Context Protocol (MCP) has rapidly established itself as a standard interface for enabling LLM-based agents to interact with external tools and services. As MCP servers are increasingly entrusted with security-sensitive operations, understanding their real-world risks has become critical. In practice, due to the absence of large-scale runtime MCP servers, such understanding largely relies on security scanners applied to a small number of cases, yet the reliability of these assessments remains unclear. In this study, we revisit how MCP security is measured. We present MCPZoo, the largest collection of MCP servers for dynamic analysis to date. MCPZoo is constructed through a multi-agent framework for transforming in-the-wild static repositories into dynamic services. The framework emulates how human experts build, diagnose, and iteratively repair deployment and runtime defects by combining environment inference with feedback-driven refinement. To ensure practical interactivity at runtime, the servers are validated via real protocol interactions. As a result, MCPZoo contains 64,611 unique MCP servers (113,927 in total), with more than 37,288 supporting dynamic analysis. Leveraging MCPZoo, we conduct the first ecosystem-scale measurement of MCP servers and the scanners that analyze them. While existing scanners report that 96.89% of servers are risky, we find that these signals are unreliable. In particular, manual validation shows that less than 50% of sampled alerts are true positives, and scanner outputs exhibit clear inconsistency across scanners. Overall, MCPZoo enables large-scale, reproducible measurement of MCP server security and exposes limitations of current scanning practices. We further release a public query interface to support practical risk assessment of MCP servers.

Figures

Figures reproduced from arXiv: 2607.11086 by Baichao An, Binwang Wan, Geng Hong, Jiarun Dai, Jinsong Chen, Mengying Wu, Min Yang, Pei Chen, Xudong Pan.

Figure 1
Figure 1. Figure 1: Overview of the MCPZoo Construction and Analysis Workflow. [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 3
Figure 3. Figure 3: MCP Servers across Different Functional Domains. [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 2
Figure 2. Figure 2: GitHub star distribution of MCP server repositories. [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 4
Figure 4. Figure 4: Intersection Ratio Matrix of MCP Servers across 10 [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Tool Capabilities within Each Server Function. [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The Relationship between MCP Tool Capabilities [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Scanner-Reported Risks within Different Types of [PITH_FULL_IMAGE:figures/full_fig_p010_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Pairwise Jaccard Similarity among All Scanners on [PITH_FULL_IMAGE:figures/full_fig_p012_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Pairwise Jaccard Similarity among Capable Scan [PITH_FULL_IMAGE:figures/full_fig_p018_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Pairwise Jaccard Similarity among Capable Scan [PITH_FULL_IMAGE:figures/full_fig_p018_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Pairwise Jaccard Similarity among Capable Scan [PITH_FULL_IMAGE:figures/full_fig_p018_11.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

68 extracted references · 1 canonical work pages

  1. [1]

    AIbase. 2025. AIbase MCP. https://mcp.aibase.com. Accessed: 2025-12

  2. [2]

    Aira Security. 2026. mcp-armor: MCP Configuration Scanner with Client-Aware Security Analysis. https://github.com/aira-security/mcp-armor

  3. [3]

    Ant Group. 2025. MCPScan: Security Analysis Tool for MCP Servers. https: //github.com/antgroup/MCPScan. GitHub repository. 13 Chen et al

  4. [4]

    Anthropic. 2024. Model Context Protocol (MCP) Specification. https://modelc ontextprotocol.io/docs/learn/architecture Accessed: 2025-12

  5. [5]

    Anthropic. 2025. Donating the Model Context Protocol and Establishing of the Agentic AI Foundation. https://www.anthropic.com/news/donating-the-model- context-protocol-and-establishing-of-the-agentic-ai-foundation. Official announcement

  6. [6]

    Yifeng Cai, Ziming Wang, Zhaomeng Deng, Mengyu Yao, Junlin Liu, Yu- tao Hu, Ziqi Zhang, Yao Guo, and Ding Li. 2025. Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control. arXiv:2510.26212 [cs.CR]

  7. [7]

    Olga Churakova, Mathias Ekstedt, and Valentina Lenarduzzi. 2025. VEXed: Does VEX Itself Need Security Fixes? arXiv:2503.14388 [cs.CR] https://arxiv.org/abs/ 2503.14388

  8. [8]

    Cisco AI Defense. 2025. mcp-scanner: MCP Security Scanner. https://github.c om/cisco-ai-defense/mcp-scanner. GitHub repository

  9. [9]

    Nicola Croce and Tobin South. 2025. Trivial Trojans: How Minimal MCP Servers Enable Cross-Tool Exfiltration of Sensitive Data. arXiv:2507.19880 [cs.CR] https: //arxiv.org/abs/2507.19880

  10. [10]

    Edoardo Debenedetti, Jie Zhang, Mislav Balunović, Luca Beurer-Kellner, Marc Fis- cher, and Florian Tramèr. 2024. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. arXiv:2406.13352 [cs.CR] https://arxiv.org/abs/2406.13352

  11. [11]

    Kazem Faghih, Wenxiao Wang, Yize Cheng, Siddhant Bharti, Gaurang Srira- manan, Sriram Balasubramanian, Parsa Hosseini, and Soheil Feizi. 2025. Tool Pref- erences in Agentic LLMs are Unreliable. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet...

  12. [12]

    FastAPI. 2025. FastAPI. https://fastapi.tiangolo.com/. Official website

  13. [13]

    Mohamed Amine Ferrag, Norbert Tihanyi, Djallel Hamouda, Leandros Maglaras, Abderrahmane Lakas, and Merouane Debbah. 2026. From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows.ICT Express12, 2 (2026), 353–383. doi:10.1016/j.icte.2025.12.001

  14. [14]

    Muhan Gao, TaiMing Lu, Kuai Yu, Adam Byerly, and Daniel Khashabi. 2024. Insights into LLM Long-Context Failures: When Transformers Know but Don’t Tell. InFindings of the Association for Computational Linguistics: EMNLP 2024, Yaser Al-Onaizan, Mohit Bansal, and Yun-Nung Chen (Eds.). Association for Computational Linguistics, Miami, Florida, USA, 7611–7625....

  15. [15]

    GitHub. 2026. GitHub REST API Documentation. https://docs.github.com/en/rest. Accessed: 2026-02-06

  16. [16]

    Hechuan Guo, Yongle Hao, Yue Zhang, Minghui Xu, Peizhuo Lv, Jiezhi Chen, and Xiuzhen Cheng. 2025. A Measurement Study of Model Context Protocol Ecosystem. arXiv:2509.25292 [cs.CY]

  17. [17]

    Yongjian Guo, Puzhuo Liu, Wanlun Ma, Zehang Deng, Xiaogang Zhu, Peng Di, Xi Xiao, and Sheng Wen. 2025. Systematic Analysis of MCP Security. arXiv:2508.12538 [cs.CR] https://arxiv.org/abs/2508.12538

  18. [18]

    Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajba- hadur, Bram Adams, and Ahmed E. Hassan. 2026. Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers. arXiv:2506.13538 [cs.SE] https://arxiv.org/abs/2506.13538

  19. [19]

    Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. 2025. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv:2503.23278 [cs.CR] https://arxiv.org/abs/2503.23278

  20. [20]

    Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Xu Heli, Tianshu Chu, Peizhao Hu, and Yangqiu Song. 2025. MCIP: Protecting MCP Safety via Model Contextual Integrity Protocol. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet Peng (Eds.). Association...

  21. [21]

    khesayed. 2025. ecommerce-store-mcp: A Model Context Protocol Server for E-commerce. https://github.com/khesayed/ecommerce-store-mcp

  22. [22]

    kocierik. 2025. mcp-nomad: A Model Context Protocol Server for HashiCorp Nomad. https://github.com/kocierik/mcp-nomad

  23. [23]

    Pratyay Kumar, Miguel Antonio Guirao Aguilera, Srikathyayani Srikanteswara, Satyajayant Misra, and Abu Saleh Md Tayeen. 2026. MCP-in-SoS: Risk assessment framework for open-source MCP servers. arXiv:2603.10194 [cs.CR] https: //arxiv.org/abs/2603.10194

  24. [24]

    Lasso Security. 2025. MCP Gateway. https://github.com/lasso-security/mcp- gateway

  25. [25]

    Xiaofan Li and Xing Gao. 2026. A First Look at the Security Issues in the Model Context Protocol Ecosystem. arXiv:2510.16558 [cs.CR] https://arxiv.org/abs/25 10.16558

  26. [26]

    Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang

    Nelson F. Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang. 2024. Lost in the Middle: How Language Models Use Long Contexts.Transactions of the Association for Computational Linguistics 12 (2024), 157–173. doi:10.1162/tacl_a_00638

  27. [27]

    MCP Market. 2025. MCP Market. https://mcpmarket.com/. Accessed: 2025-12

  28. [28]

    MCP Repository. 2025. MCP Repository. https://mcprepository.com/. Accessed: 2025-12

  29. [29]

    MCP Store. 2025. MCP Store. https://mcpstore.co. Accessed: 2025-12

  30. [30]

    MCP World. 2025. MCP World. https://www.mcpworld.com/. Accessed: 2025-12

  31. [31]

    Mcp.so. 2025. Mcp.so. https://mcp.so. Accessed: 2025-12

  32. [32]

    Kanghua Mo, Li Hu, Yucheng Long, and Zhihao li. 2026. Attractive Metadata Attack: Inducing LLM Agents to Invoke Malicious Tools. The Thirty-ninth Annual Conference on Neural Information Processing Systems. https://openre view.net/forum?id=oLGtPYdRzU

  33. [33]

    Model Context Protocol Community. 2025. Model Context Protocol Registry. https://registry.modelcontextprotocol.io/. Official MCP server registry

  34. [34]

    National Institute of Standards and Technology. 2025. CVE-2025-53818 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-53818. National Vulnerability Database

  35. [35]

    National Institute of Standards and Technology. 2025. CVE-2025-66580 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-66580. National Vulnerability Database

  36. [36]

    National Institute of Standards and Technology. 2025. CVE-2025-68669 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-68669. National Vulnerability Database

  37. [37]

    National Institute of Standards and Technology. 2026. CVE-2026-22793 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-22793. National Vulnerability Database

  38. [38]

    National Institute of Standards and Technology. 2026. CVE-2026-25546 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-25546. National Vulnerability Database

  39. [39]

    National Institute of Standards and Technology. 2026. CVE-2026-25650 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-25650. National Vulnerability Database

  40. [40]

    National Institute of Standards and Technology. 2026. CVE-2026-27825 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-27825. National Vulnerability Database

  41. [41]

    National Institute of Standards and Technology. 2026. CVE-2026-33946 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-33946. National Vulnerability Database

  42. [42]

    National Institute of Standards and Technology. 2026. CVE-2026-33980 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-33980. National Vulnerability Database

  43. [43]

    National Institute of Standards and Technology. 2026. CVE-2026-39884 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-39884. National Vulnerability Database

  44. [44]

    David Noever. 2025. Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills. arXiv:2508.19500 [cs.CR] https: //arxiv.org/abs/2508.19500

  45. [45]

    Nova Hunting. 2026. nova-proximity: MCP and Claude Skill Security Scanner. https://github.com/Nova-Hunting/nova-proximity

  46. [46]

    npm, Inc. 2026. npm Registry. https://www.npmjs.com/. Accessed: 2026-02-03

  47. [47]

    Pulse MCP. 2025. Pulse MCP. https://www.pulsemcp.com/servers. Accessed: 2025-12

  48. [48]

    Python Software Foundation. 2026. Python Package Index (PyPI). https://pypi.o rg/. Accessed: 2026-02-03

  49. [49]

    Brandon Radosevich and John Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. https://www.arxiv.org/ abs/2504.03767. arXiv:2504.03767 [cs.CR] MCPSafetyScanner

  50. [50]

    Partha Pratim Ray. 2025. A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions. Authorea Preprints

  51. [51]

    Yi Ting Shen, Kentaroh Toyoda, and Alex Leung. 2026. MCPThreatH- ive: Automated Threat Intelligence for Model Context Protocol Ecosystems. arXiv:2604.13849 [cs.CR] https://arxiv.org/abs/2604.13849

  52. [52]

    Haoran Shi, Hongwei Yao, Shuo Shao, Shaopeng Jiao, Ziqi Peng, Zhan Qin, and Cong Wang. 2025. Quantifying Conversation Drift in MCP via Latent Polytope. arXiv:2508.06418 [cs.CL] https://arxiv.org/abs/2508.06418

  53. [53]

    Smithery. 2025. Smithery. https://smithery.ai. Accessed: 2025-12

  54. [54]

    Snyk. 2025. Agent-Scan: A Static Analysis Tool for Detecting Security Issues in MCP Servers. https://github.com/snyk/agent-scan. Accessed: 2025-12

  55. [55]

    Hao Song, Yiming Shen, Wenxuan Luo, Leixin Guo, Ting Chen, Jiashui Wang, Beibei Li, Xiaosong Zhang, and Jiachi Chen. 2025. Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol (MCP) Ecosystem. arXiv:2506.02040 [cs.CR] https://arxiv.org/abs/2506.02040

  56. [56]

    Merlin Stein. 2026. How are AI agents used? Evidence from 177,000 MCP tools. arXiv:2603.23802 [cs.CY] https://arxiv.org/abs/2603.23802

  57. [57]

    supercorp-ai. 2025. Supergateway. https://github.com/supercorp-ai/supergate way. GitHub repository

  58. [58]

    Tencent Zhuque Lab. 2025. AI-Infra-Guard: A Comprehensive, Intelligent, and Easy-to-Use AI Red Teaming Platform. GitHub repository. https://github.com /Tencent/AI-Infra-Guard 14 Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability

  59. [59]

    Aditi Tiwari, Akshit Bhalla, and Darshan Prasad. 2025. Model Con- text Protocol for Vision Systems: Audit, Security, and Protocol Extensions. arXiv:2509.22814 [cs.CR] https://arxiv.org/abs/2509.22814

  60. [60]

    w 10-m. 2025. gsuite: An MCP Server for Google Workspace Integration. https: //github.com/w-10-m/gsuite

  61. [61]

    Zhiqiang Wang, Yichao Gao, Yanting Wang, Suyuan Liu, Haifeng Sun, Hao- ran Cheng, Guanquan Shi, Haohua Du, and Xiangyang Li. 2025. MCP- Tox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers. arXiv:2508.14925 [cs.CR] https://arxiv.org/abs/2508.14925

  62. [62]

    Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. 2026. Mpma: Preference manipulation attack against model context protocol.Proceedings of the AAAI Conference on Artificial Intelligence40, 42 (2026), 35838–35846

  63. [63]

    Mengying Wu, Pei Chen, Geng Hong, Baichao An, Jinsong Chen, Binwang Wan, Xudong Pan, Jiarun Dai, and Min Yang. 2025. MCPZoo: A Large-Scale Dataset of Runnable Model Context Protocol Servers for AI Agent. arXiv:2512.15144 [cs.CR] https://arxiv.org/abs/2512.15144

  64. [64]

    Yixuan Yang, Daoyuan Wu, and Yufan Chen. 2025. MCPSecBench: A System- atic Security Benchmark and Playground for Testing Model Context Protocols. arXiv:2508.13220 [cs.CR] https://arxiv.org/abs/2508.13220

  65. [65]

    Zhonghao Zhan, Huichi Zhou, Zhenhao Li, Peiyuan Jing, Krinos Li, and Hamed Haddadi. 2026. How Adversarial Environments Mislead Agentic AI? arXiv:2604.18874 [cs.AI] https://arxiv.org/abs/2604.18874

  66. [66]

    Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu

  67. [67]

    arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/2510.1 5994

    MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents. arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/2510.1 5994

  68. [68]

    MD5": The exact MD5 string provided in the in- put. •

    Shuli Zhao, Qinsheng Hou, Zihan Zhan, Yanhao Wang, Yuchong Xie, Yu Guo, Libo Chen, Shenghong Li, and Zhi Xue. 2026. Parasites in the Toolchain: A Large- Scale Analysis of Attacks on the MCP Ecosystem. arXiv:2509.06572 [cs.CR] https://arxiv.org/abs/2509.06572 A Ethical Considerations We structure our ethical considerations by linking a stakeholder- based a...