Back to feed
Dev.to
Dev.to
6/25/2026
I Scanned 1,200 MCP Configs From GitHub. Here's What I Found.

I Scanned 1,200 MCP Configs From GitHub. Here's What I Found.

Short summary

A security audit of 1,200 real MCP configs found universal vulnerabilities—20.7% CRITICAL/HIGH severity, with zero response limits across all scans. Popular servers grant unrestricted shell and browser access with no approval gates. Pluto AgentGuard, a free open-source scanner, quantifies the MCP config layer as AI's true security boundary.

  • 100% of 1,200 scanned MCP configs had security gaps; 20.7% rated CRITICAL or HIGH severity
  • Popular servers (Context7, Chrome DevTools, Serena) enable shell execution and browser control with zero human-in-the-loop approval gates
  • Free open-source tool (Pluto AgentGuard) scans configs locally in 3 minutes, revealing auth gaps, hardcoded secrets, and context safety misconfigurations

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more