Data report · Trust

We Ran a Live Handshake Against 995 MCP Servers. Only 39 Are Verified.

Thousands of MCP servers exist, and every one hands an AI agent real tools — often ones that can act on your accounts. Most are abandoned, unsafe, or faked. So we connected to all 995 in our index, extracted each one's real tool surface, and scored its trust. Here's the funnel from 995 down to the handful you'd actually trust — and why that funnel is the whole point of MCPExplorer.

995 servers → 277 are even alive

The first cut is brutal. Of 995 indexed servers, only 277 (28%) completed a live MCP handshake at all: an initialize exchange followed by a tools/list request that came back with a tool list. The other 72% are a README and a promise: nobody has connected and confirmed what they actually expose. You can't call a server safe when you can't even see what it does.

Alive isn't safe: most act on your behalf

Being reachable isn't the same as being trustworthy. Of the 277 servers whose tools we could read, 59% expose at least one write or destructive tool (an action that changes data, sends a message, or deletes something), and 67 of them, about one in four, ship an outright destructive tool. Across the 3,565 tools we extracted: 41% read-only, 26% write, 6% destructive, and 26% we couldn't classify (treat those as write until proven otherwise).

995 → 39: what “Verified” actually costs

Now strip out everything you shouldn't bet an agent on:

  • 467 have unknown provenance — we can't tell who really ships them.
  • 113 are unmaintained — no commit in over a year.
  • 175 land in “needs caution” on trust.

When the dust settles, exactly 39 servers — under 4% of the ecosystem — clear the bar we call MCPExplorer Verified: they passed a live handshake, every tool is extracted and risk-labeled, and they score 60+ on an explainable trust model (provenance, verification, maintenance, adoption). Not “has a nice README.” Connected, checked, and stood behind.

This is the whole point

Every other directory hands you all 995 and wishes you luck — a search box over a pile of strangers' repos, most of which are dead or dangerous. That's not a trust layer; it's a longer list. MCPExplorer's job is the funnel: we run the handshake, extract and label the tools, score the trust, and put a Verified badge only on the servers that earn it — so you wire up real capabilities in minutes instead of betting your agent on a stranger's repo. The 995 → 39 cut is the product.

How we measured

No guesswork. Every server gets a real MCP handshake ending in a tools/list request: remote servers over the network, local/stdio servers inside a hardened sandbox (no secrets in the environment, no host mounts, memory/CPU/PID limits). We capture the true tool surface it returns, label every tool read / write / destructive, and compute its trust from named, signed factors you can inspect. Check any server yourself: Is Apex safe? · GitHub · Context7.
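The probe described here, and the read / write / destructive labeling from the "Alive isn't safe" section, in working form. This is an added example written for this post, not MCPExplorer's own code. The wire format (newline-delimited JSON-RPC over stdio, initialize, notifications/initialized, tools/list with nextCursor pagination, and the readOnlyHint / destructiveHint tool annotations) follows the MCP specification; the verb lists used for name-based fallback, the resource-limit values, the "surface-probe" client name and the SAMPLE_TOOLS data are this example's own assumptions. One deliberate design choice: a server's annotations are self-declared and untrusted, so a tool whose name says delete_repo is labeled destructive even when its annotations claim it is read-only, and a tool with no signal at all is "unknown" and counted as acting on your behalf.

```python
import json
import re
import resource  # POSIX only: used to cap the sandboxed server process
import subprocess
import tempfile
import threading

PROTOCOL_VERSION = "2025-03-26"  # MCP spec revision that defines tool annotations
RANK = {"read": 0, "write": 1, "destructive": 2}  # riskier label wins on disagreement

# Assumed verb lists for the name-based fallback (not from the report).
READ_VERBS = {"get", "list", "read", "search", "fetch", "describe", "query", "show"}
WRITE_VERBS = {"create", "update", "send", "post", "write", "set", "put", "insert", "upload", "run", "execute"}
DESTRUCTIVE_VERBS = {"delete", "remove", "drop", "purge", "destroy", "revoke", "reset"}


def _class_from_annotations(ann):
    """Label from the server's self-declared hints, or None when it gave none."""
    if not ann:
        return None
    ro, d = ann.get("readOnlyHint"), ann.get("destructiveHint")
    if ro is True:
        return "read"
    if ro is False or d is not None:
        return "write" if d is False else "destructive"  # spec default for destructiveHint is true
    return None


def _class_from_name(name):
    """Heuristic label from the tool name (delete_repo, sendMessage, ...), or None."""
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    tokens = set(re.split(r"[^a-z0-9]+", snake.lower())) - {""}
    for verbs, label in ((DESTRUCTIVE_VERBS, "destructive"), (WRITE_VERBS, "write"), (READ_VERBS, "read")):
        if tokens & verbs:
            return label
    return None


def classify_tool(tool):
    """read / write / destructive / unknown; annotations never downgrade what the name reveals."""
    labels = [c for c in (_class_from_annotations(tool.get("annotations")), _class_from_name(tool["name"])) if c]
    return max(labels, key=RANK.__getitem__) if labels else "unknown"


def summarize(tools):
    counts = {"read": 0, "write": 0, "destructive": 0, "unknown": 0}
    for t in tools:
        counts[classify_tool(t)] += 1
    acting = counts["write"] + counts["destructive"] + counts["unknown"]  # unknown counts as write
    return {"counts": counts, "acts_on_your_behalf": acting > 0, "has_destructive": counts["destructive"] > 0}


def _send(proc, msg):
    proc.stdin.write(json.dumps(msg) + "\n")
    proc.stdin.flush()


def _recv(proc, want_id):
    """Read newline-delimited JSON until the response with the requested id arrives."""
    for line in proc.stdout:
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # non-protocol noise some servers print to stdout
        if isinstance(msg, dict) and msg.get("id") == want_id:
            if "error" in msg:
                raise RuntimeError(f"server error: {msg['error']}")
            return msg["result"]
    raise RuntimeError(f"server exited before answering request {want_id}")


def tools_list_over_stdio(cmd, timeout=30.0, mem_bytes=512 * 2**20, cpu_seconds=10, max_procs=64):
    """Spawn a local stdio server under rlimits, with no secrets and a scratch cwd, and return its tools."""
    def apply_limits():  # runs in the child before exec
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))

    proc = subprocess.Popen(
        cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        env={"PATH": "/usr/bin:/bin"},               # no API keys or tokens reach the server
        cwd=tempfile.mkdtemp(prefix="mcp-probe-"),   # throwaway directory, nothing from the host
        text=True, preexec_fn=apply_limits,
    )
    killer = threading.Timer(timeout, proc.kill)
    killer.start()
    try:
        _send(proc, {"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {
            "protocolVersion": PROTOCOL_VERSION, "capabilities": {},
            "clientInfo": {"name": "surface-probe", "version": "0.1"}}})
        _recv(proc, 1)
        _send(proc, {"jsonrpc": "2.0", "method": "notifications/initialized"})
        tools, cursor, rid = [], None, 2
        while True:  # follow nextCursor so a paginated server cannot hide tools
            params = {"cursor": cursor} if cursor else {}
            _send(proc, {"jsonrpc": "2.0", "id": rid, "method": "tools/list", "params": params})
            result = _recv(proc, rid)
            tools.extend(result.get("tools", []))
            cursor, rid = result.get("nextCursor"), rid + 1
            if not cursor:
                return tools
    finally:
        killer.cancel()
        proc.kill()
        proc.wait()


# Constructed stand-in for a tools/list result; not captured from any real server.
SAMPLE_TOOLS = [
    {"name": "search_issues", "annotations": {"readOnlyHint": True}},
    {"name": "create_issue", "annotations": {"readOnlyHint": False, "destructiveHint": False}},
    {"name": "delete_repo", "annotations": {"readOnlyHint": True}},  # claims read-only, is not
    {"name": "sendMessage"},
    {"name": "frobnicate"},
]

if __name__ == "__main__":
    import sys
    tools = tools_list_over_stdio(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_TOOLS
    for t in tools:
        print(f"{classify_tool(t):<12} {t['name']}")
    print(summarize(tools))
```

Run it with a server command (for example `python probe.py npx some-mcp-server`) to probe a real local server, or with no arguments to see the labels on the constructed sample. Two caveats: RLIMIT_AS is a blunt cap and some runtimes (Node in particular) reserve large virtual address ranges at startup, so raise mem_bytes if a known-good server dies immediately; and the environment is emptied on purpose, so a server that needs a token to start will fail its handshake here, which is exactly the point of measuring its surface without handing it your credentials.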


Skip the pile. Start from Verified.

MCPExplorer connects to every server, extracts and risk-labels its tools, and scores its trust — so you install from the handful that earn Verified, not the 995 that don't.