◀︎ // Home
Section 06 // MCP, the Shared Supply Chain
The Supply Chain Under Every Agent
Bottom line for leadership
MCP is an unmanaged software supply chain. 4,242 of 17,651+ tracked servers carry a known vulnerability, and 28.6% of their tools are dangerous by design.
Do this: govern MCP servers like third-party code, review, sign, and pin them before install.
MCP standardizes how any agent connects to any tool, which is why it scales fastest and carries the most concentrated risk. STAR Labs catalogs MCP servers continuously with static analysis, behavioral testing, and metadata inspection.
The MCP ecosystem today
17,651+
MCP servers tracked under continuous monitoring
130,667
tools cataloged across the ecosystem
4,242
servers carry at least one vulnerability
28.6%
of tools are dangerous on their face
Where the Dangerous Tools Cluster
Three Categories of MCP Risk
Risk 01
Semantic
The model reads tool descriptions, schemas, and outputs as instructions. Poisoned metadata becomes a command.
Risk 02
Local-server
Binary tampering, rug-pulls via auto-update, and dotfile access escalate a compromise to the host.
Risk 03
Remote-server
Missing authentication and network-boundary failures expose internal MCP infrastructure to external attackers.
Skills: the second shared supply chain
MCP standardizes how agents reach tools; Skills standardize the instructions they load. Packaged instruction files, popularized by Claude's Agent Skills and Vercel's open Skills ecosystem, are pulled from public marketplaces and loaded as trusted context, which makes a malicious Skill indirect prompt injection with a distribution channel. An independent Snyk audit of the Skills ecosystem found prompt-injection payloads in roughly a third of the packages it analyzed; Straiker's own analysis of one marketplace shows the same pattern.

Case study: ClawHub and Moltbook
Agent-to-agent supply chain
Malicious skills published on ClawHub (an agent extension marketplace) and promoted agent-to-agent on Moltbook (an agent social network) drained Solana wallets through plaintext key storage and attacker-controlled payment aggregators. About 5% of analyzed ClawHub skills were overtly malicious or grey-area dangerous. Agent marketplaces inherit the same supply-chain risk as npm and PyPI, with one new wrinkle: an autonomous agent now holds the credentials.

What defenders need to do
// 01
Break semantic risk
Treat tool descriptions, schemas, and outputs as untrusted input. Allowlist specific tools rather than auto-discovering from registries. Validate metadata against an expected shape.
// 02
Break local-server risk
Sign and pin MCP server binaries. Disable auto-update in production. Sandbox local servers with restricted filesystem, network, and env-var access.
// 03
Break remote-server risk
Require authentication on every connection, including localhost. Bind to localhost with strict Host-header validation to defeat DNS rebinding. Apply per-tool authorization.
The cross-cutting control
Treat MCP servers like third-party dependencies. Apply software composition analysis, track versions explicitly, and review every new server before install the way AppSec reviews a new npm package. The agentic supply chain inherits every lesson the open-source supply chain spent a decade learning.
Common Questions
Is MCP (Model Context Protocol) a security risk?
Yes. STAR Labs tracks 17,651+ MCP servers; 4,242 carry at least one known vulnerability (680 critical, 1,231 high) and 28.6% of 130,667 cataloged tools are dangerous on their face. MCP is effectively an unmanaged software supply chain shared across every agent type.
Where do dangerous MCP tools cluster?
Database Access (11,432 tools) and File System (10,319) together are 58% of all dangerous tools, followed by Network Access, Code Execution, and Shell Access. An agent connected to any of these inherits a credible path to data theft, credential exfiltration, or host compromise in a single session.
How should enterprises secure MCP servers?
Govern MCP servers like third-party dependencies: review, sign, and pin them before install, disable auto-update in production, sandbox local servers, require authentication on every connection including localhost, and allowlist specific tools instead of auto-discovering from registries. Apply software composition analysis as you would to any npm package.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






