MCP security
MCP is becoming the default integration layer between AI clients and tools, and it ships with structural gaps every deployment inherits: no input validation story, no audit requirement, no rate limiting, auth left to the server author. Rather than repeat the ecosystem's warnings, we scanned it — 8,216 MCP servers classified by auth appropriateness, 7,522 agent skills statically analyzed for credential leaks and injection patterns — and wrote up each risk class with what actually mitigates it.
The six structural risks are collected in the MCP Security series; the checklist post below is the practical starting point. For the layer that closes most of these by construction, see what an MCP control plane is.
Posts on MCP security
- The MCP Security Checklist for Enterprise Teams
  A 10-point security checklist for teams deploying MCP servers in production. Covers identity, auth, PII, rate limits, audit trails, and more.
- 8,216 MCP Servers, 7,840 Tools, Zero Input Validation
  Analysis of 8,216 MCP servers: 2,432 expose high-risk inputs — SQL, file paths, shell commands — with zero validation constraints in the tool schema.
- 4 Security Vulnerabilities Hiding in Your MCP Server's Tool Schema
  Real CVEs trace back to unconstrained tool schemas. From 8,216 MCP servers: the JSON patterns behind path traversal, SSRF, injection, and how to fix each.
- Can You Prove What Your AI Agent Did? I Checked 8,216 MCP Servers.
  74.9% of MCP servers have no mention of audit logging. The MCP spec defines zero audit primitives. Here's why that's a compliance problem.
- MCP Servers Proxy Paid APIs With No Rate Limits. I Calculated the Blast Radius.
  180 MCP servers proxy calls to paid APIs like OpenAI and Stripe. 85% document no rate limits. An agent retry loop can cost $1,080/hour.
- I Classified 8,000+ MCP Servers by Auth Appropriateness. Most Get It Wrong.
  A static analysis of 8,216 MCP servers across 4 registries. 50.6% have no auth. But the real question is: do they have the right auth for what they do?
- MCP Gateway Comparison (2026): Composio vs ACP vs DIY
  An honest comparison of MCP gateway options. When to use ACP Cloud, Composio, or build your own with open-source tools.
- I Audited 7,522 AI Agent Skills. Here's What I Found.
  A first-hand static analysis of every skill on ClawHub — the real numbers on credential leaks, prompt injection, and what registry moderation actually catches.
- MCP Moves the Tool Calls. Nothing in It Decides What's Allowed.
  MCP defines how agents call tools. It doesn't say who may call what, with which permissions, or leave an audit trail. What the protocol covers — and the allow/deny layer you still have to add yourself.
- What Is an MCP Control Plane?
  An MCP control plane adds identity verification, policy enforcement, and audit logging to Model Context Protocol servers — the missing governance layer.
- How to Rate-Limit an MCP Server (Per-User, Per-Tool, Per-Agent)
  MCP servers are rate-limit-blind — they see the LLM runtime's service account, not the user. How to add per-user, per-tool, per-agent limits in MCP.
- MCP Re-Auth: What ChatGPT Actually Needs When Tokens Expire
  ChatGPT won't re-trigger OAuth on HTTP 401 or JSON-RPC errors — it needs a JSON-RPC success envelope with _meta. The signal, and how a gateway emits it.