The state of MCP security 2026
We audited all 1,993 MCP servers in the directory with our Trust Score engine (security heuristics plus AI review). Here is what we found, with open, reproducible data.
Key findings
Nearly half of all MCP servers (30%) carry at least one risk signal. The most common is not malicious code but abandonment: 18% have not received a commit in over six months, which in a protocol as young as MCP means unpatched endpoints and dependencies.
13% ship with no license at all. Without explicit usage terms, deploying one of these servers in a company setting is legally ambiguous even when the code itself is benign.
18 servers tell users to pipe a remote script straight into a shell (curl | bash). It is the highest-risk install pattern there is: it runs arbitrary code before you can review it. We recommend cloning and reading first.
Most common flags
- No license declared262
- Inactive (>180d)213
- Stale (last commit over a year ago)150
- No description84
- README contains suspicious pattern: eval\s*\(4
- Many open issues + slow updates1
- README contains suspicious pattern: https?:\/\/(?:bit\.ly|tinyurl|1
Safest (Trust 90+)
- rohitg00/ai-engineering-from-scratch10031.7k
- anthropics/claude-plugins-official10030k
- assafelovic/gpt-researcher10027.7k
- 78/xiaozhi-esp3210027.3k
- heygen-com/hyperframes10027.1k
- PrefectHQ/fastmcp10025.6k
- oraios/serena10025.3k
- chopratejas/headroom10024.9k
- flipped-aurora/gin-vue-admin10024.8k
- activepieces/activepieces10022.7k
- czlonkowski/n8n-mcp10021.7k
- 1Panel-dev/MaxKB10021.3k
Popular but flagged
Widely-used servers (50+ stars) with the lowest Trust Score. This does not imply malware: review the flags before installing.
Methodology and data
The Trust Score (0-100) combines heuristics (maintenance, fork ratio, license, owner, README patterns) with an AI review of each repository. The full scoring set is public and refreshes every 12 hours. Cite this report as “ClaudeWave, The State of MCP Security 2026 (claudewave.com)”.