mcp.so Security Report
Security analysis of 9,145 MCP servers on mcp.so, a metadata-focused discovery platform with lower scan depth.
9,145
Total skills
1,558
Findings
10%
Skills with findings
99.4
Avg score
Overview
mcp.so is the second-largest registry by skill count that Aguara monitors, listing 9,145 MCP servers. It functions as a discovery platform where users can browse and find MCP servers by category and functionality. The key difference between mcp.so and other registries is content depth: mcp.so primarily exposes HTML descriptions scraped from listing pages, not full skill definitions or README files. This means less material for security scanners to analyze per entry.
This lower information density is both a limitation and a characteristic worth understanding. Fewer findings per skill does not mean mcp.so is safer. It means we have less visibility into what each server actually does. A short HTML description that says "File management MCP server" tells the scanner almost nothing about the security posture of the actual server. The absence of findings is not the same as the absence of risk.
How we scan mcp.so
Aguara crawls mcp.so by scraping its listing pages and extracting server descriptions from the HTML content. This is the most constrained crawl method we use, because the content available is limited to what mcp.so chooses to display on each listing page. There are no downloadable archives, no linked READMEs by default, and no structured API that exposes detailed server metadata.
The incremental crawl still runs every 12 hours, comparing content hashes to detect changes. When listings are updated, we rescan the extracted content. However, the rule engine operates on less input here than for other registries. Pattern matching still catches obvious issues (hardcoded credentials in descriptions, explicit injection patterns), but the NLP analyzers and taint tracker have limited material to work with.
Key findings
The finding rate on mcp.so is the lowest among the five primary registries, which reflects the content limitation rather than superior security. When findings do appear, they tend to be blunt: hardcoded API keys or tokens visible in listing descriptions, or explicit permission requests that the description format cannot obscure. There is no room for subtle attacks in a two-paragraph HTML description.
The most useful signal from mcp.so scanning comes from cross-referencing. Many MCP servers listed on mcp.so also appear on PulseMCP or other registries with richer content. When Aguara finds issues in the detailed listing elsewhere, that informs the risk assessment of the mcp.so entry too. The static dashboard surfaces these cross-registry connections.
We do find occasional prompt injection patterns in mcp.so descriptions, typically in longer listings where developers include usage examples or system prompt fragments. These are less sophisticated than what we see in full SKILL.md files, but they still represent real risk if an agent processes the description text directly.
Recommendations
Do not treat a clean mcp.so listing as a security endorsement. The platform simply does not expose enough information for comprehensive scanning. If you find a server on mcp.so that you want to use, look for it on PulseMCP or check its GitHub repository directly. More content means better analysis.
When mcp.so is your only source of information about a server, apply maximum caution. Grant minimum capabilities, sandbox the server's access, and monitor its behavior after connection. You are operating with less pre-connection intelligence than you would get from registries with richer content.
For mcp.so as a platform, exposing more structured data per listing would improve the ecosystem's security posture. Even linking to GitHub repositories (as PulseMCP does) would let scanners like Aguara provide meaningful grades. The current format optimizes for discovery at the expense of informed decision-making.
Grade distribution
Want to scan a specific mcp.so skill?
Scan now (free, runs in your browser)