PulseMCP Security Report

Security analysis of 8,621 MCP servers listed on PulseMCP, with GitHub README scanning for code-level findings.

Total skills: 8,621
Findings: 1
Skills with findings: 0%
Avg score: 100

Overview

PulseMCP is a directory of MCP (Model Context Protocol) servers, listing 8,621 entries discovered through its public API. Unlike skill-focused registries, PulseMCP indexes servers that expose capabilities to AI agents over MCP. Each listing includes metadata and, when available, a link to the server's GitHub repository. This GitHub connection is what makes PulseMCP valuable for security analysis: we can download the actual README files and sometimes source code documentation.

The content density on PulseMCP falls between the full SKILL.md archives of ClawHub and the metadata-only listings of mcp.so. When a GitHub repository is linked, the README often contains installation instructions, configuration examples, environment variable references, and code snippets. These are exactly the elements that carry security-relevant information. When there is no GitHub link, we work with the API metadata alone, which limits what the scanner can detect.

How we scan PulseMCP

Aguara discovers MCP servers through PulseMCP's API, which returns structured metadata for each listing. For entries that include a GitHub repository URL, we download the README.md file directly via the GitHub raw content API. This gives us the most informative content available without cloning entire repositories.

The crawl runs incrementally every 12 hours, tracking both API metadata changes and README content hashes. When a server's README changes, we rescan it with the full rule engine. The NLP analyzers are particularly useful for PulseMCP content because READMEs mix instructional text with code blocks, and distinguishing between documentation meant for humans and instructions that might influence an agent requires semantic understanding.

Key findings

PulseMCP's findings cluster around two categories: credential exposure in configuration examples and overly permissive capability declarations. README files frequently contain example .env configurations with placeholder tokens that follow real credential formats. While these are intended as documentation, an agent processing the README could treat them as actual credentials to use.
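The credential-format check described above can be sketched as follows. This is an added example, not Aguara's rule engine or code from the page: the two patterns are the publicly documented shapes of AWS access key IDs and classic GitHub personal access tokens, and the function name and sample README are constructed for illustration.

```python
import re

# Assumption: publicly documented credential shapes, not the scanner's own rule set.
CREDENTIAL_FORMATS = {
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "github_pat": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
}
TICKS = "`" * 3  # Markdown code-fence marker, built here to keep this block fence-safe
FENCE = re.compile(TICKS + r"[^\n]*\n(.*?)" + TICKS, re.DOTALL)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def find_credential_shaped_values(readme: str):
    """Return (variable, format_name) pairs for env-style assignments inside
    fenced code blocks whose value matches a real credential format."""
    hits = []
    for block in FENCE.findall(readme):
        for line in block.splitlines():
            m = ASSIGNMENT.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip("\"'")
            for fmt, pattern in CREDENTIAL_FORMATS.items():
                if pattern.match(value):
                    hits.append((name, fmt))
    return hits


# Constructed sample README: two credential-shaped placeholders, two harmless lines.
SAMPLE_README = f"""# demo-server (constructed sample)
Copy the block below into your .env file.
{TICKS}env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN="ghp_{'a' * 36}"
API_KEY=<your-api-key>
export LOG_LEVEL=debug
{TICKS}
"""

if __name__ == "__main__":
    for variable, fmt in find_credential_shaped_values(SAMPLE_README):
        print(f"{variable}: value matches {fmt} format")
```

Placeholders such as `<your-api-key>` pass this check because they cannot be mistaken for a usable token, which is the form README authors should prefer.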

The more concerning pattern involves MCP servers that declare broad capability sets without clear boundaries. An MCP server listing that claims filesystem access, network access, and shell execution is declaring itself as a potential vector for complete system compromise. PulseMCP does not enforce any capability restrictions, so servers self-declare whatever they want. Aguara flags servers that claim capabilities disproportionate to their stated purpose.

We also find prompt injection patterns in README content. Developers sometimes include example prompts or conversation snippets in their documentation, and these can contain text that an agent might interpret as instructions. This is an underappreciated risk: README content processed by an agent is just as dangerous as a skill definition.

Recommendations

When evaluating MCP servers from PulseMCP, look at the GitHub repository directly. The Aguara Watch grade tells you about the README content, but the full repository gives you the source code. A server with a clean README but questionable source code is still a risk. Use the grade as a starting point, not a final verdict.

Pay attention to capability declarations. If an MCP server claims it needs filesystem and network access to perform a simple task (like formatting text or generating summaries), that mismatch is a red flag. Legitimate servers declare the minimum capabilities they need. Overly broad declarations suggest either careless development or deliberate overreach.

For your agent configuration, apply the principle of least privilege. Even if PulseMCP lists a server with a good Aguara grade, restrict the capabilities you grant to that server on your end. The grade reflects what the scanner found in the content, but runtime behavior can differ from documentation.

Grade distribution

A: 8,621 (100%)
B: 0 (0%)
C: 0 (0%)
D: 0 (0%)
F: 0 (0%)
