HackerTrans
トップ新着トレンドコメント過去質問紹介求人

mavzer

16 カルマ登録 2 年前
security engineer

投稿

The State of MCP Security [pdf]

canopii.dev
36 ポイント·投稿者 mavzer·昨日·4 コメント

Show HN: A Trust Index for MCP Servers

index.canopii.dev
1 ポイント·投稿者 mavzer·一昨日·0 コメント

コメント

mavzer
·20 時間前·議論
100%!! All AI tooling (MCPs, skills, models etc) has to go through the same scrutiny applied to any other web service. But as always, security is an afterthought that comes back to bite.
mavzer
·昨日·議論
Nice. Basically, I see 3 ways the MCP ecosystem converging

- Centralized, well trusted sources for MCP servers - Technical people like you creating their own, private MCPs for specific use cases - An MCP governance layer that brings a bit of sense into this new world

Otherwise, it’s a security time bomb. We already see MCP specific attacks out in the wild.
mavzer
·昨日·議論
https://index.canopii.dev

Part of my job is to approve / reject MCP servers based on how secure they are and whether they are suitable for use in an enterprise environment. I was tired of my team being called the bottleneck to AI adoption, so I set out to automate the whole process.

I periodically collect the MCP servers and every new version from the Official MCP registry and assign them a score based on 29 distinct criteria like runtime guardrails (e.g. destructive tools, over broad permissions, rug pulls), SAST scans and transport & trust model.

As a result of this exercise, I found that 1 in every 10 MCP servers is pretty much unusable (score 40/100 or below). 18% of the popular MCP servers with 1000+ GitHub stars contain one or more security issues. 184 servers to date have changed their tool definitions after publication, which may indicate a "rug pull" attack.

I built this for security minded people who also want to be at the forefront of AI adoption and for security teams who are tired to be called the bottleneck.

Browsing the index is completely free, you only have to request an API key if you want automated, programmatic lookups for any workflow.

Feedback is always welcome!