We Scanned 4,275 MCP Servers. Most of Them Shouldn't Be Trusted.

The Model Context Protocol is the connective tissue of the AI agent ecosystem. It's how Claude, Cursor, VS Code Copilot, and hundreds of other AI tools connect to external services, databases, APIs, and local system resources. There are now over 16,000 MCP servers in the wild, and the number is growing by hundreds every week. We've spent the last several months scanning, analyzing, and probing MCP servers at scale. Our registry at CraftedTrust has indexed 4,275 servers and scored each one across 12 security categories aligned to the CoSAI threat taxonomy. What we found is concerning. The average trust score for statically analyzed npm packages is 54 out of 100 . That's an F. The problem is structural, not incidental MCP servers occupy a uniquely dangerous position in the software stack. A traditional API serves data to an application that a developer controls. An MCP server serves data and capabilities to an AI model that reasons about what to do next. The model decides which tools to