The State of MCP Security in 2026
Scanning the ecosystem
We've scanned hundreds of MCP servers from GitHub, npm, and community submissions. Here's what we found.
Grade distribution
The MCP ecosystem follows a familiar bell curve, but with a worrying tail:
- Grade A (8.0+) — ~15% of servers. These are well-maintained projects with clear descriptions and no security findings.
- Grade B (6.0-7.9) — ~35% of servers. Solid but with room for improvement in descriptions or minor security findings.
- Grade C (4.0-5.9) — ~30% of servers. Average quality, often missing description clarity or having moderate security concerns.
- Grade D (2.0-3.9) — ~15% of servers. Significant issues that need attention.
- Grade F (below 2.0) — ~5% of servers. Critical security issues or missing source code.
Most common issues
The top 5 security findings across all scanned servers:
- Missing side-effect disclosure (72%) — Tools that modify data without stating it in the description
- Overly broad permissions (58%) — Tools requesting more access than needed
- Missing input validation (45%) — No sanitization of user-provided parameters
- Unclear operational boundaries (41%) — No guidance on when NOT to use the tool
- Missing authentication (23%) — Tools that access external services without auth configuration
The description quality gap
Perhaps the most striking finding: the average description quality score is just 4.2/10. Most MCP servers focus on making tools work, but not on making them understandable.
This matters because AI agents rely entirely on tool descriptions to decide what to use and when. A vague description like "Manages files" gives an agent almost no information about scope, risk, or side effects.
What makes a great MCP server?
Looking at the top-rated servers, patterns emerge:
- Specific descriptions — "Reads a file from the local filesystem at the given path" vs "File operations"
- Explicit side effects — "Creates or overwrites the file at the given path" vs "Writes a file"
- Operational boundaries — "Only reads files within the configured workspace directory" vs no mention of scope
- Error documentation — What happens when things go wrong
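To make these four patterns and the finding categories from the list above concrete, here is an added description-quality linter (example code written for this page, not SpiderRating's or teeshield's own scanner) that runs over a constructed set of tool definitions in the shape an MCP server returns from tools/list. The word lists, thresholds and finding names are this example's own heuristics and assumptions; a weak "File operations" tool sits beside a well-described write_file tool so the difference is visible.

```python
import re

# Constructed sample tool definitions in the shape an MCP server returns from
# tools/list (name, description, inputSchema); not taken from any real server.
TOOLS = [
    {"name": "file_ops", "description": "File operations",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "save_note", "description": "Stores a note under the given title",
     "inputSchema": {"type": "object", "properties": {
         "title": {"type": "string"}, "body": {"type": "string"}}}},
    {"name": "write_file",
     "description": ("Creates or overwrites the file at the given path. Only writes "
                     "within the configured workspace directory; returns an error if "
                     "the path escapes the workspace or the parent directory is missing."),
     "inputSchema": {"type": "object", "required": ["path", "content"], "properties": {
         "path": {"type": "string", "maxLength": 4096, "pattern": r"^(?!/)(?!.*\.\.).*$"},
         "content": {"type": "string", "maxLength": 1_000_000}}}},
]

# Heuristic word lists: assumptions of this example, not SpiderRating's scoring rules.
MUTATING_NAME = re.compile(r"write|save|create|delete|remove|update|set|send|run|exec", re.I)
DISCLOSURE = re.compile(r"\b(?:creates?|overwrites?|deletes?|removes?|modif(?:y|ies)|writes?|sends?)\b", re.I)
READ_ONLY = re.compile(r"\b(?:reads?|lists?|gets?|fetch(?:es)?|search(?:es)?|returns?)\b", re.I)
BOUNDARY = re.compile(r"\b(?:only|within|restricted|limited to|cannot|never|does not)\b", re.I)
ERROR_DOCS = re.compile(r"\b(?:error|fails?|raises?|rejects?)\b", re.I)
CONSTRAINTS = {"pattern", "enum", "maxLength", "format", "const"}


def lint_tool(tool):
    """Return finding codes for one tool, mirroring the report's finding categories."""
    findings = []
    desc = tool.get("description") or ""
    if len(desc.split()) < 6:
        findings.append("vague-description")
    # A mutating-looking name, or a description naming neither a read nor a write
    # action, with no explicit mutating verb: the agent cannot tell what it changes.
    if not DISCLOSURE.search(desc) and (
            MUTATING_NAME.search(tool["name"]) or not READ_ONLY.search(desc)):
        findings.append("missing-side-effect-disclosure")
    if not BOUNDARY.search(desc):
        findings.append("unclear-operational-boundaries")
    if not ERROR_DOCS.search(desc):
        findings.append("missing-error-documentation")
    props = tool.get("inputSchema", {}).get("properties", {})
    loose = sorted(p for p, s in props.items()
                   if s.get("type") == "string" and not CONSTRAINTS.intersection(s))
    if loose:  # nothing in the schema bounds what the agent may pass in
        findings.append("unconstrained-string-inputs:" + ",".join(loose))
    return findings


def lint_server(tools):
    """Map each advertised tool name to its findings."""
    return {t["name"]: lint_tool(t) for t in tools}
```

Calling lint_server(TOOLS) flags every category on file_ops, an undisclosed write plus unconstrained inputs on save_note, and nothing on write_file.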
Recommendations
For MCP server maintainers:
- Audit your tool descriptions — Run `teeshield scan` on your own server
- Disclose side effects — Every tool that modifies state should say so
- Define boundaries — Tell agents what your tools can't or shouldn't do
- Pin your dependencies — Protect against supply chain attacks
- Submit for rating — Get a public SpiderRating and show users your commitment to quality
The MCP ecosystem is young. The decisions we make now about security standards will shape the future of AI tool use. SpiderRating aims to raise the bar for everyone.