◀︎ // Home

Section 06 // MCP, the Shared Supply Chain

The Supply Chain Under Every Agent

Bottom line for leadership

MCP is an unmanaged software supply chain. 4,242 of 17,651+ tracked servers carry a known vulnerability, and 28.6% of their tools are dangerous by design.

Do this:
govern MCP servers like third-party code, review, sign, and pin them before install.


MCP standardizes how any agent connects to any tool, which is why it scales fastest and carries the most concentrated risk. STAR Labs catalogs MCP servers continuously with static analysis, behavioral testing, and metadata inspection.

The MCP ecosystem today

17,651+

MCP servers tracked under continuous monitoring

130,667

tools cataloged across the ecosystem

4,242

servers carry at least one vulnerability

28.6%

of tools are dangerous on their face

Severity of the 4,242 vulnerable servers // 680 critical + 1,231 high = 1,911 (45%) at critical or high

Critical 680 // High 1,231 // Medium 2,223 // Low 108

Where the Dangerous Tools Cluster

Tool category Dangerous tool count Primary risk
Database Access11,432Direct read/write to structured data; PII and business-critical data
File System10,319Arbitrary file read/write; path to .env, SSH keys, cloud credentials
Network Access9,155Outbound connectivity for exfiltration and C2
Code Execution3,557Direct arbitrary code execution on the host
Shell Access2,913Full shell; highest-privilege category, broadest impact

Database and File System together are 58% of all dangerous tools. An agent connected to either inherits a credible path to structured-data theft or credential exfiltration in a single session.

By runtime stack — Python: 366 critical / 717 high // Node.js: 246 critical / 417 high. Python leads in critical (data-heavy servers); Node carries more high-severity (permissive npm publishing).

Three Categories of MCP Risk

Risk 01

Semantic

The model reads tool descriptions, schemas, and outputs as instructions. Poisoned metadata becomes a command.

Risk 02

Local-server

Binary tampering, rug-pulls via auto-update, and dotfile access escalate a compromise to the host.

Risk 03

Remote-server

Missing authentication and network-boundary failures expose internal MCP infrastructure to external attackers.

Skills: the second shared supply chain

MCP standardizes how agents reach tools; Skills standardize the instructions they load. Packaged instruction files, popularized by Claude's Agent Skills and Vercel's open Skills ecosystem, are pulled from public marketplaces and loaded as trusted context, which makes a malicious Skill indirect prompt injection with a distribution channel. An independent Snyk audit of the Skills ecosystem found prompt-injection payloads in roughly a third of the packages it analyzed; Straiker's own analysis of one marketplace shows the same pattern.

Case study: ClawHub and Moltbook

Agent-to-agent supply chain

Malicious skills published on ClawHub (an agent extension marketplace) and promoted agent-to-agent on Moltbook (an agent social network) drained Solana wallets through plaintext key storage and attacker-controlled payment aggregators. About 5% of analyzed ClawHub skills were overtly malicious or grey-area dangerous. Agent marketplaces inherit the same supply-chain risk as npm and PyPI, with one new wrinkle: an autonomous agent now holds the credentials.

What defenders need to do

// 01

Break semantic risk

Treat tool descriptions, schemas, and outputs as untrusted input. Allowlist specific tools rather than auto-discovering from registries. Validate metadata against an expected shape.

// 02

Break local-server risk

Sign and pin MCP server binaries. Disable auto-update in production. Sandbox local servers with restricted filesystem, network, and env-var access.

// 03

Break remote-server risk

Require authentication on every connection, including localhost. Bind to localhost with strict Host-header validation to defeat DNS rebinding. Apply per-tool authorization.

The cross-cutting control

Treat MCP servers like third-party dependencies. Apply software composition analysis, track versions explicitly, and review every new server before install the way AppSec reviews a new npm package. The agentic supply chain inherits every lesson the open-source supply chain spent a decade learning.

Common Questions

Is MCP (Model Context Protocol) a security risk?

Yes. STAR Labs tracks 17,651+ MCP servers; 4,242 carry at least one known vulnerability (680 critical, 1,231 high) and 28.6% of 130,667 cataloged tools are dangerous on their face. MCP is effectively an unmanaged software supply chain shared across every agent type.

Where do dangerous MCP tools cluster?

Database Access (11,432 tools) and File System (10,319) together are 58% of all dangerous tools, followed by Network Access, Code Execution, and Shell Access. An agent connected to any of these inherits a credible path to data theft, credential exfiltration, or host compromise in a single session.

How should enterprises secure MCP servers?

Govern MCP servers like third-party dependencies: review, sign, and pin them before install, disable auto-update in production, sandbox local servers, require authentication on every connection including localhost, and allowlist specific tools instead of auto-discovering from registries. Apply software composition analysis as you would to any npm package.

Get the Full Report

Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.

The lure // curl separator

A developer copies a command from a pixel-perfect clone of the docs. The visible curl to claude.ai is a decoy; a shell separator hides the real payload. No installer to scan, no binary to inspect.