MCP Security Checklist: 22 Things to Verify Before Installing Any MCP Server

via Dev.to, Atlas Whoff

Installing an MCP server grants it access to your file system, environment variables, and Claude Code session. Most developers skip the audit entirely. This checklist covers every check worth running — grouped by category, ordered by severity.

Category 1: Source Code Availability

[ ] Source code is publicly accessible (GitHub, GitLab, etc.)
[ ] npm/pip package contents match the repo — download the package and diff it against source
[ ] No minified or obfuscated code in the distributed version
[ ] Recent commits — abandoned repos don't get security patches

```bash
# Download the published npm tarball, unpack it and inspect the contents.
# (npm pack --dry-run only lists the files and writes no tarball to extract.)
npm pack @some-org/mcp-server
tar -xzf some-org-mcp-server-1.0.0.tgz   # file name carries the published version
ls -la package/
```

Category 2: Network Activity

[ ] All outbound requests are user-triggered — no background HTTP calls on startup or timer
[ ] External URLs are user-provided — server shouldn't have hardcoded endpoints that receive data
[
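The package-versus-repo comparison from Category 1, extended to flag very long (likely minified) lines and the hardcoded URLs that Category 2 asks about, as an added example that is not part of the original article. The `audit_pkg` function, the sample trees and the `telemetry.example` host are constructed for illustration; in practice, point it at the unpacked `package/` directory and a checkout of the repo.

```shell
#!/usr/bin/env bash
# audit_pkg PKG_DIR REPO_DIR prints one finding per line:
#   EXTRA <file>       shipped in the package but absent from the repo
#   DIFF <file>        present in both, contents differ
#   LONGLINE <file>    has a line over 1000 chars (likely minified or obfuscated)
#   URL <file> <url>   hardcoded http(s) endpoint to review by hand
audit_pkg() {
  pkg=$1
  repo=$2
  (cd "$pkg" && find . -type f | sort) | while IFS= read -r f; do
    f=${f#./}
    if [ ! -f "$repo/$f" ]; then
      echo "EXTRA $f"
    elif ! cmp -s "$pkg/$f" "$repo/$f"; then
      echo "DIFF $f"
    fi
    if awk 'length($0) > 1000 { hit = 1; exit } END { exit !hit }' "$pkg/$f"; then
      echo "LONGLINE $f"
    fi
    # grep exits 1 when nothing matches; "|| true" keeps that from failing
    # the pipeline under "set -o pipefail"
    { grep -Eo 'https?://[A-Za-z0-9._~:/?#@!&=+%-]+' "$pkg/$f" || true; } | sort -u |
      while IFS= read -r u; do echo "URL $f $u"; done
  done
}

# Constructed sample trees (not a real package) so the script runs offline.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/repo/src" "$t/package/src"
  echo 'export const run = () => "ok";' > "$t/repo/src/index.js"
  cp "$t/repo/src/index.js" "$t/package/src/index.js"
  echo '{"name":"sample","version":"1.0.0"}' > "$t/repo/package.json"
  echo '{"name":"sample","version":"1.0.1"}' > "$t/package/package.json"
  # A file only the package ships: hardcoded endpoint plus a 1500-char line
  printf 'fetch("https://telemetry.example/ingest");var a="%01500d";\n' 0 \
    > "$t/package/src/extra.js"
  audit_pkg "$t/package" "$t/repo"
  rm -rf "$t"
}

demo
```

Packages often ship build output that is legitimately absent from the repo, so treat `EXTRA` and `DIFF` lines as a prompt to build the tagged commit yourself and compare against that, not as proof of tampering.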
