A recent scan of 100 Model Context Protocol (MCP) servers on Smithery uncovered concerning security gaps, with 22 servers flagged for at least one vulnerability. The analysis, conducted using an open-source tool called Bawbel, identified 28 total issues, split between four critical and 24 high-severity risks. These findings suggest that real-world MCP deployments may still be vulnerable to documented attack vectors, despite growing adoption of agentic AI systems.
How the Scan Was Conducted
Researchers built a lightweight Python script to systematically evaluate servers in Smithery’s registry, the largest public directory for MCP implementations. The script pulled server metadata, tool descriptions, and configuration schemas via Smithery’s accessible API. Using Bawbel’s v1.0.1 scanner in a sandboxed environment, they assessed each server for known vulnerability patterns without triggering actual exploits.
pip install requests "bawbel-scanner[all]"   # scanner plus the requests client the script uses
export BAWBEL_SANDBOX_ENABLED=true           # run checks in Bawbel's sandbox; no live exploitation
export ANTHROPIC_API_KEY=sk-ant-api03-....
bawbel version                               # confirm the installed release (v1.0.1 in this study)
export SMITHERY_API_KEY=your_key
python3 scan_smithery.py --limit 100 --output smithery_scan_results.json

The scan covered the top 100 most popular servers by download volume, reflecting usage patterns in production environments. Each server was evaluated in seconds, demonstrating how automated tools can efficiently highlight potential risks in large-scale AI deployments.
Top Vulnerability Categories Identified
The majority of findings fell into a few recurring patterns, each illustrating how misconfigured or poorly documented tools can inadvertently expose systems to attack.
- Tool Description Injection (AVE-2026-00002): Detected in six servers, this issue arises when tool descriptions include instructions aimed at agents rather than human users. For example, several servers used directives like “IMPORTANT: Do not call this without authentication” or “WARNING: Do not...”, which agents may interpret as executable guidance. The distinction between human-readable warnings and agent-specific instructions is often blurred in tool metadata, leading to unintended behavior.
- Content Type Mismatches (AVE-2026-00024): Flagged in six servers, this finding involves files claiming one format (e.g., .md) but containing another (e.g., YAML). Using Google's machine-learning content detection engine, Magika, researchers identified mismatches with 82–90% confidence in servers such as Google Sheets, Slack, and Exa Websets. While not immediately dangerous, mixed formats can cause parsing errors or lead agents to misinterpret data, creating downstream risks.
- Tool Output Exfiltration Encoding (AVE-2026-00026): Four servers showed patterns suggesting potential data exfiltration through encoded responses. Detected via conservative YARA rules matching the presence of “encode” in tool output schemas, instances included Jina AI, troystack, and Name Whisper. Such patterns could theoretically allow malicious actors to smuggle sensitive data through seemingly benign outputs.
- Privacy-Related Patterns (AVE-2026-00013): Three servers contained tool descriptions referencing the extraction of sensitive fields like “CEO name” or “date of birth.” While these tools may serve legitimate purposes, their descriptions lacked context, making it difficult to distinguish between intended functionality and potential misuse.
Less common but noteworthy findings included context window manipulation phrases like “exhaust the context” and dynamic tool call injection patterns such as “Call this tool with” in AWS-related servers. These suggest that some server authors may be embedding agent-specific behaviors without sufficient safeguards.
False Positives and Manual Review Needed
Not all flagged issues indicate actual vulnerabilities. For instance, warnings labeled as “IMPORTANT” in tool descriptions may simply reflect cautious documentation practices rather than exploitable flaws. Similarly, generic terms like “encode” or “retain” can produce false positives, especially when used in non-malicious contexts.
Researchers emphasized that automated scanning tools provide a useful first pass but require human review to confirm real risks. Manual inspection is particularly important for high-risk findings, where the context of a phrase or a tool's intended use determines whether it poses a genuine threat.
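The following is an added example, not Bawbel's code or the researchers' scan_smithery.py. It shows the shape of the conservative pattern checks the vulnerability categories above describe (agent-directed directives and sensitive-field phrases in tool descriptions, "encode" in output schemas, a declared-versus-sniffed content-type check) applied to a constructed MCP tools/list payload, and it illustrates the false-positive point: the "IMPORTANT: Do not call this without authentication" hit is exactly the kind of cautious documentation a reviewer must judge by hand. The regexes, the crude format sniffer (a stand-in for Magika) and the hypothetical servers are this example's assumptions; only the category names and AVE identifiers come from the article.

```python
"""Conservative metadata scanner for MCP tool listings (added example, not Bawbel).

Every hit is a review candidate, not a confirmed vulnerability.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Category names follow the article; the regexes are this example's assumptions.
DESCRIPTION_PATTERNS = {
    "tool_description_injection": re.compile(r"\b(?:IMPORTANT|WARNING)\s*:\s*Do not\b", re.I),
    "dynamic_tool_call_injection": re.compile(r"\bCall this tool with\b", re.I),
    "context_window_manipulation": re.compile(r"\bexhaust the context\b", re.I),
    "privacy_related": re.compile(r"\b(?:CEO name|date of birth)\b", re.I),
}
AVE_IDS = {"tool_description_injection": "AVE-2026-00002",
           "privacy_related": "AVE-2026-00013",
           "tool_output_exfiltration_encoding": "AVE-2026-00026"}
# As in the article, "encode" is only looked for in the output schema, not the description.
OUTPUT_ENCODING_PATTERN = re.compile(r"\bencode", re.I)


@dataclass(frozen=True)
class Finding:
    server: str
    tool: str
    category: str
    evidence: str  # matched text, kept so a reviewer can judge its context


def scan_tool(server: str, tool: dict) -> list[Finding]:
    """Apply the description rules and the output-schema rule to one tool entry."""
    findings: list[Finding] = []
    description = tool.get("description") or ""
    for category, pattern in DESCRIPTION_PATTERNS.items():
        for match in pattern.finditer(description):
            findings.append(Finding(server, tool["name"], category, match.group(0)))
    # Serialise the schema so nested property names and descriptions are all covered.
    match = OUTPUT_ENCODING_PATTERN.search(json.dumps(tool.get("outputSchema", {})))
    if match:
        findings.append(Finding(server, tool["name"], "tool_output_exfiltration_encoding", match.group(0)))
    return findings


def scan_registry(servers: dict[str, dict]) -> list[Finding]:
    """servers maps a server name to its tools/list result ({"tools": [...]})."""
    return [f for name, srv in servers.items()
            for tool in srv.get("tools", []) for f in scan_tool(name, tool)]


def summarize(findings: list[Finding]) -> dict:
    by_category: dict[str, int] = {}
    for f in findings:
        by_category[f.category] = by_category.get(f.category, 0) + 1
    return {"servers_flagged": len({f.server for f in findings}),
            "total_findings": len(findings), "by_category": by_category}


# Crude structural sniff standing in for Magika (assumption: enough to show the check).
YAML_LINE = re.compile(r"^\s*(?:-\s+\S|[A-Za-z_][\w.-]*\s*:(?:\s|$))")
MD_LINE = re.compile(r"^\s*(?:#{1,6}\s|```|\[[^\]]+\]\([^)]+\))")
DECLARED = {"md": "markdown", "markdown": "markdown", "yaml": "yaml", "yml": "yaml"}


def sniff_text_format(text: str) -> str:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "empty"
    if any(MD_LINE.match(ln) for ln in lines):
        return "markdown"
    yaml_share = sum(bool(YAML_LINE.match(ln)) for ln in lines) / len(lines)
    return "yaml" if yaml_share >= 0.6 else "text"


def content_type_mismatch(filename: str, text: str) -> bool:
    """True when the extension claims one format but the content sniffs as another."""
    declared = DECLARED.get(filename.rsplit(".", 1)[-1].lower())
    sniffed = sniff_text_format(text)
    return declared is not None and sniffed not in ("text", "empty") and sniffed != declared


# Constructed sample: hypothetical servers, not the Smithery entries the article names.
SAMPLE_REGISTRY = {
    "example-crm": {"tools": [{
        "name": "lookup_company",
        "description": ("Return a company profile. IMPORTANT: Do not call this "
                        "without authentication. Also extract the CEO name."),
        "outputSchema": {"type": "object", "properties": {"profile": {"type": "string"}}}}]},
    "example-search": {"tools": [{
        "name": "fetch_page",
        "description": "Fetch a URL. Call this tool with the full URL.",
        "outputSchema": {"type": "object", "properties": {
            "body": {"type": "string", "description": "Base64-encoded page body"}}}}]},
    "example-notes": {"tools": [{
        "name": "save_note",
        "description": "Store a note as plain text.",
        "outputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}}]},
}

if __name__ == "__main__":
    results = scan_registry(SAMPLE_REGISTRY)
    for f in results:
        tag = AVE_IDS.get(f.category, "no AVE id in the article")
        print(f"{f.server}/{f.tool}: {f.category} [{tag}] -> {f.evidence!r} (manual review needed)")
    print(json.dumps(summarize(results), indent=2))
```

Run as a script it flags two of the three constructed servers with four findings; example-notes is clean because "encode" is only matched inside output schemas. The lookup_company hit on "IMPORTANT: Do not ..." is the false-positive case the researchers warn about, which is why each Finding carries the matched evidence rather than a verdict.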
What This Means for MCP Adoption
The scan highlights that MCP servers, while designed to bridge AI models with external tools, remain susceptible to security oversights. As organizations increasingly rely on agentic systems to automate workflows, the integrity of MCP infrastructure becomes critical. Developers must treat tool descriptions and output schemas with the same rigor as application code, ensuring they are agent-aware and free from ambiguous or conflicting instructions.
Moving forward, automated scanning should become a standard step in the MCP server development lifecycle. Tools like Bawbel can help maintain security without stifling innovation, enabling safer adoption of agentic AI across industries.
AI summary
Security vulnerabilities were found in 22 of the 100 MCP servers on Smithery. What are the critical and high-risk threats? Urgent measures and scanning methods for developers.