The Model Context Protocol (MCP) is rapidly becoming the standard for connecting AI agents to external tools. With 11,500+ public MCP servers and growing, it powers everything from code assistants to autonomous agents handling sensitive business data.
But how secure are these servers? We analyzed the findings from multiple independent security studies covering 1,899 MCP servers to answer that question. The results are concerning.
Half of all vulnerable servers exposed credentials in some form — hardcoded API keys, tokens in tool descriptions, or secrets in configuration files.
Tool descriptions contained hidden instructions that could manipulate the AI agent's behavior. This includes invisible Unicode characters, Base64-encoded payloads, and behavioral overrides.
A separate scan of 50+ public MCP servers found that 23% contained some form of command injection vulnerability, allowing arbitrary code execution through crafted inputs.
A Knostic study found 1,862 MCP servers publicly accessible via Shodan. Of 119 tested, none required authentication. Attackers have been actively scanning since November 2025.
MCP servers are unique attack surfaces because they sit between the AI model and the real world. A compromised MCP server doesn't just leak data — it can:
Hijack Agent Behavior — Tool poisoning injects instructions that the AI follows without question
Exfiltrate Data — Malicious tool descriptions can instruct agents to send conversation data to external endpoints
Execute Code — Command injection in MCP servers gives attackers shell access on your infrastructure
Spread Laterally — In multi-agent systems, one compromised tool can poison the entire agent network
The market has responded. As of March 2026, there are 20+ MCP security scanning tools:
| Scanner | Approach | Languages | EU AI Act |
|---|---|---|---|
| Snyk Agent-Scan | Supply chain analysis | 1 | No |
| Invariant MCP-Scan | Tool pinning | 1 | No |
| Cisco MCP Scanner | Malicious code detection | 1 | No |
| Enkrypt AI | Agentic static analysis | 1 | No |
| ClawGuard Shield | Runtime + compliance | 15 | Yes |
Most scanners focus on English-only patterns and static analysis. But prompt injection attacks happen in every language, and compliance requirements (EU AI Act, August 2026 deadline) demand audit trails that most tools don't provide.
Never connect an MCP server to your agent without scanning its tool descriptions first. Tool poisoning attacks hide in the metadata that your AI reads before executing any tool.
from clawguard import scan_text
# Scan every tool description before registering
for tool in mcp_server.list_tools():
report = scan_text(tool.description)
if report.total_findings > 0:
print(f"BLOCKED: {tool.name} has {report.total_findings} findings")MCP servers can change their tool descriptions after you've connected. Scan periodically, not just at registration time.
Don't give your agent access to every MCP server in your config. Each server is an attack surface. Only connect what you need.
Attackers use non-English injection payloads to bypass English-only scanners. Your scanner needs to detect attacks in the same languages your users speak.
Under the EU AI Act (effective August 2, 2026), AI systems must demonstrate risk management measures. Document every scan, every finding, every remediation.
Scan your MCP infrastructure now
ClawGuard Shield detects 223 attack patterns across 15 languages with F1=99.0%. Free scanner, no account needed.