Manifold catalogs 7,700 MCP servers for agent auditing

Until recently, no one knew exactly how many MCP servers existed or what they did. Manifold has just provided a partial answer: 7,700 servers indexed, scanned and classified within its Manifest expansion, according to SiliconANGLE. The announcement was published on May 12, 2026, and addresses a gap that security teams have been flagging for months: when an agent can invoke external tools in real time, knowing which tools exist and what permissions they expose is no longer an academic exercise.

The Model Context Protocol is by now the standard that Anthropic has established for LLMs—Claude foremost, but also third-party models that have adopted the specification—to call external services in a structured way. Each MCP server is essentially an adapter that translates API or tool capabilities into the language the model understands. The more servers proliferate, the greater the potential attack surface any agentic deployment accumulates.

What Manifest does exactly

Manifold is not a typical MCP server marketplace. Its bet with Manifest is to build an inventory with security metadata: what permissions each server requests, what dependencies it carries, whether it is actively maintained, whether it has reported known vulnerabilities. The stated goal is to enable security teams—not just developers—to evaluate risk before authorizing an MCP server in their agentic environment.

The figure of 7,700 indexed servers has merit on its own: until now, the most complete public registries contained only a few hundred hand-curated entries. Scaling by three orders of magnitude indicates that Manifold has automated the tracking, likely combining scraping of public repositories (GitHub, npm, package registries) with static analysis of exposed code.

Why it matters now

The timing is not accidental. Since Claude Code incorporated native support for MCP servers configurable via `claude_desktop_config.json` and the CLI itself, the number of integrations deployed in production environments has grown steadily. Many organizations are using subagents that, in turn, invoke MCP servers to access databases, third-party APIs, or internal systems. The problem is that most of those servers are installed with an implicit trust that is rarely audited.

The most documented attack vectors in this context include prompt injection through malicious MCP responses and privilege escalation when a server exposes more tools than the agent should be able to use. Having a centralized inventory with risk signals does not eliminate these problems, but it at least makes possible a data-driven allowlist policy.

Who finds this useful

The most obvious audience is the security team of any company that has deployed Claude Code-based agents or proprietary MCP protocol implementations. It is also relevant for:

• MCP server developers who want their work to be auditable and appear as a trusted option in corporate evaluations.
• Platform teams that manage policies for permitted tools in production environments.
• Auditors and consultants who need a baseline to evaluate a client's agentic perimeter.

What Manifold does not solve—yet—is dynamic validation: knowing that a server was safe at the time of indexing does not guarantee it remains secure next week. The software supply chain has had this problem for decades, and MCP servers are not immune.

---

That someone has built a directory at this scale is a signal that the MCP ecosystem has matured enough to attract investment in trust infrastructure, not just new integrations. If Manifold can make security data as queryable as npm audit, it will have addressed a genuine need. Reasonable skepticism is that maintaining 7,700 entries is considerable ongoing work, and the catalog's utility will depend entirely on its freshness.