Security

MCP Server Security at Scale

Empirical study of 1,899 MCP servers, 7.2% of which contained general vulnerabilities and 5.5% of which showed tool poisoning.

Security Research Consortium

Introduction

As the Model Context Protocol (MCP) ecosystem expands, the community has seen an explosion in open-source MCP servers providing connectivity to various databases, APIs, and file systems. This empirical study, "MCP Server Security at Scale" (arXiv:2506.13538), analyzes a dataset of 1,899 public MCP servers to assess baseline security postures and the prevalence of common vulnerabilities.

Security Posture Analysis

The study systematically evaluated MCP servers against a matrix of known vulnerability classes, focusing on those uniquely applicable to agentic architectures. The key findings across the 1,899 servers were alarming:

  • 7.2% contained general, exploitable vulnerabilities (e.g., path traversal, command injection, insecure deserialization).
  • 5.5% exhibited evidence of deliberate tool poisoning or unintentional context leakage where sensitive infrastructure data could be inadvertently exfiltrated by an interacting LLM.
  • 84% implemented no form of access control beyond the client connecting to the socket, assuming the client (and by extension the user prompt) was implicitly trustworthy.

Vulnerability Patterns

The most prevalent vulnerability pattern identified was unbounded data access. Many MCP servers, particularly those interacting with local file systems or enterprise databases, exposed everything they themselves could reach to any querying agent, with no granular policy restricting which tools or data a given request could touch.

The Need for Formal Contracts

The authors conclude that reliance on bespoke, implementation-specific MCP server logic is inherently insecure at scale. The study recommends the adoption of standardized, machine-readable contracts that define explicit capability boundaries before an MCP connection is established.

This recommendation strongly supports the necessity of the Open Standard Agents (OSSA) manifest, which embeds capability restrictions and compliance assertions at the structural layer, enabling pre-execution trust evaluation and mitigating the risks associated with inherently insecure transport links.
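What a pre-execution capability check of this kind looks like, as an added example that is not code from the paper or from the OSSA project: a constructed manifest declares the tools a file-system MCP server may expose and the directory roots it may read, and every tool call is evaluated against it before execution, using lexical path normalization so the traversal pattern counted above cannot escape a root. The manifest format, tool names and paths are placeholders, not OSSA's schema.

```python
"""Pre-execution capability check for a file-system MCP server (added example)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed manifest standing in for a machine-readable contract:
# anything not declared here is denied by default.
MANIFEST = {
    "tools": ["read_file", "list_dir"],
    "roots": ["/srv/docs", "/srv/public"],
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def _normalize(path: str) -> PurePosixPath:
    # Collapse "." and ".." lexically, without touching the real file system,
    # so "/srv/docs/../../etc/passwd" becomes "/etc/passwd" before comparison.
    parts: list[str] = []
    for part in PurePosixPath(path).parts:
        if part == "..":
            if len(parts) > 1:  # never pop the root anchor "/"
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts) if parts else PurePosixPath(".")


def authorize(manifest: dict, tool: str, args: dict) -> Decision:
    """Evaluate one tool call against the manifest before it is executed."""
    if tool not in manifest["tools"]:
        return Decision(False, f"tool {tool!r} is not declared in the manifest")
    if "path" in args:
        target = _normalize(args["path"])
        if not target.is_absolute():
            return Decision(False, "relative paths are not allowed")
        roots = [PurePosixPath(r) for r in manifest["roots"]]
        # Component-wise containment: "/srv/docsx" is not under "/srv/docs".
        if not any(target == r or r in target.parents for r in roots):
            return Decision(False, f"{target} is outside the declared roots")
    return Decision(True, "within declared capability boundary")


if __name__ == "__main__":
    for call in [("read_file", {"path": "/srv/docs/readme.md"}),
                 ("read_file", {"path": "/srv/docs/../../etc/passwd"}),
                 ("execute_sql", {"query": "SELECT 1"})]:
        print(call[0], call[1], "->", authorize(MANIFEST, *call))
```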

Tags: MCP, Vulnerabilities, Scale, Trust