We Built an MCP Security Scanner — Here's What We Found Scanning 50+ Servers

📰 Dev.to AI

Last month we scanned 50+ open-source MCP servers on GitHub. The results were worse than we expected:

- 72% had at least one critical or high-severity vulnerability
- 38% contained hardcoded API keys or secrets
- 54% used subprocess with shell=True or called os.system() directly with user input
- Over 60% of tool functions had zero input validation
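To make the third finding concrete, here is a small static check for that pattern. It is an added example, not the scanner's own code; the sample tool module is constructed for illustration and the "high"/"review" labels are assumptions of this sketch.

```python
import ast

# Constructed sample of an MCP-style tool module (not taken from any scanned server).
SAMPLE_TOOL = '''
import os, subprocess

def ping_host(host):
    return subprocess.run("ping -c 1 " + host, shell=True, capture_output=True)

def list_dir(path):
    os.system(f"ls {path}")

def safe_ping(host):
    return subprocess.run(["ping", "-c", "1", host], capture_output=True)

def version():
    return subprocess.run("uname -a", shell=True)
'''

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_shell_calls(source):
    """Return sorted (line, function, call, label) tuples for shell-invoking calls."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            name = _dotted(call.func) or ""
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in call.keywords)
            uses_shell = name == "os.system" or (name.startswith("subprocess.") and shell_true)
            if not uses_shell or not call.args:
                continue  # only positional commands are checked in this sketch
            # A constant command string cannot carry caller input; anything else might.
            dynamic = not isinstance(call.args[0], ast.Constant)
            findings.append((call.lineno, func.name, name, "high" if dynamic else "review"))
    return sorted(findings)
```

The list-argument form in `safe_ping` is not flagged because no shell parses the command, so the argument cannot change its structure.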

Published 14 Apr 2026