
Static Analyzer Version History

What each version of the scanner can detect, and when it changed. Every time the scanner improves, the whole catalogue is re-checked with the new version, so older servers benefit too without waiting for a new release.

Current version: v17
Updated: Jun 13, 2026
Versions released: 15

The analyzer reads each server's published source without ever running it. How those findings feed capabilities and risk is explained on the methodology page, and live analysis coverage is on the feeds page.

  1. v17

    Fewer false alarms for logged secrets

    The analyzer warns when code looks like it writes a secret into a log, where it could leak. This release stops most of the mistaken warnings. It now considers only what is actually being logged, and it understands the common harmless cases, such as recording whether a key is present rather than the key itself, or printing a masked or shortened version.
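    As an added illustration (not the scanner's own code), a minimal Python checker in this spirit: it inspects only the arguments of a log call with the ast module and suppresses the harmless cases named above. The sample source, the secret-name pattern and the list of deriving helpers such as mask() are assumptions for this example.

```python
import ast
import re

# Constructed sample: four log statements, only the first exposes the secret itself.
SAMPLE = '''
logger.info("using key %s", api_key)
logger.info("api key configured: %s", bool(api_key))
logger.debug("key prefix %s", api_key[:4] + "...")
print("token " + mask(auth_token))
'''

SECRET_NAME = re.compile(r"key|secret|token|password|passwd|credential", re.I)
LOG_FUNCS = {"debug", "info", "warning", "error", "critical", "exception", "log", "print"}
DERIVING_FUNCS = {"bool", "len", "hash", "mask", "redact"}  # assumed helpers that log a derived value

def _called_name(node):
    f = node.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")

def _exposes_secret(node):
    """True only if a secret-named value reaches the log unmasked."""
    if isinstance(node, ast.Name):
        return bool(SECRET_NAME.search(node.id))
    if isinstance(node, ast.Call):
        if _called_name(node) in DERIVING_FUNCS:
            return False  # bool(key), mask(key): presence or redacted form only
        return any(_exposes_secret(a) for a in node.args)
    if isinstance(node, ast.Subscript):
        # key[:4] is a shortened form; secrets["api_key"] is still the full value
        return not isinstance(node.slice, ast.Slice) and _exposes_secret(node.value)
    if isinstance(node, ast.Compare):
        return False  # "key is not None" logs a boolean
    if isinstance(node, ast.IfExp):
        return _exposes_secret(node.body) or _exposes_secret(node.orelse)
    if isinstance(node, ast.BinOp):
        return _exposes_secret(node.left) or _exposes_secret(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string: check only the interpolated parts
        return any(_exposes_secret(v.value) for v in node.values
                   if isinstance(v, ast.FormattedValue))
    return False

def find_logged_secrets(source):
    """Line numbers of log/print calls whose arguments expose a secret."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _called_name(node) in LOG_FUNCS:
            if any(_exposes_secret(a) for a in node.args):
                hits.append(node.lineno)
    return sorted(hits)
```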

  2. v16

    Smarter .env and private-key checks

    Two checks for committed secrets were firing too easily. A .env file is now flagged only when it actually holds real values, because an example file full of blanks or placeholders gives nothing away. A private-key warning now requires a complete key to be present, not just a line that mentions one, which security tools and tests routinely include on purpose.
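    An added example of both checks, not the scanner's own implementation: the .env check reports a variable only when its value is neither blank nor a recognisable placeholder, and the private-key check insists on a complete PEM block whose footer matches its header. The sample files, the placeholder patterns and the dummy key body are constructed for this example.

```python
import re

# Constructed samples: an example file of placeholders, and a file holding a real-looking value.
ENV_EXAMPLE = """# copy me to .env and fill in
OPENAI_API_KEY=
SLACK_TOKEN=your-slack-token-here
GITHUB_TOKEN="<your-token>"
DEBUG=true
"""
ENV_REAL = "OPENAI_API_KEY=sk-abc123def456ghi789jkl012mno345\nDEBUG=true\n"

# Values that give nothing away: blank, your-..., <angle>, ${VAR}, xxx, changeme, example..., ...
PLACEHOLDER = re.compile(r"|your[-_].*|<.*>|\$\{.*\}|x{3,}|changeme|example.*|placeholder|todo|\.\.\.", re.I)
NON_SECRET_NAME = re.compile(r"(DEBUG|PORT|HOST|LOG_LEVEL|NODE_ENV|ENV)$", re.I)

def env_secret_names(text):
    """Names of .env variables whose value is real, not blank or a placeholder."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if NON_SECRET_NAME.search(name) or PLACEHOLDER.fullmatch(value):
            continue
        found.append(name)
    return found

# A complete PEM block: header, a base64 body of realistic length, and a footer matching the header.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\n([A-Za-z0-9+/=\n]{64,})-----END \1-----")

def has_complete_private_key(text):
    """True only when a whole key is present, not just a line naming one."""
    return PEM_BLOCK.search(text) is not None

# Constructed inputs: a scanner rule that merely mentions the header, and a dummy block (filler, not a key).
RULE_SNIPPET = 'pattern: "-----BEGIN RSA PRIVATE KEY-----"\nseverity: high\n'
FAKE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n" + "A" * 64 + "\n"
            + "-----END RSA PRIVATE KEY-----\n")
```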

  3. v15

    Allowing a server's own service

    Many servers exist to talk to one particular service, so a Telegram bot contacting Telegram, or a Discord bot posting to Discord, is simply doing its job. The analyzer now recognises when a built-in address matches what the server is for, and no longer treats it as suspicious.

  4. v14

    Fewer false alarms after a full review

    A broad review of earlier findings removed several recurring false alarms. The analyzer now ignores code that merely ships inside a project but was written by others, such as bundled dependencies and test fixtures, and it does a better job of telling a genuinely risky pattern apart from ordinary code that happens to resemble one.

  5. v13

    Ignoring keys that are meant to be there

    Stopped reporting keys that appear where they are expected and harmless, such as documentation, example files, and the rule files that other security scanners ship. It also stopped treating a public Firebase web key as a secret, since that kind of key is designed to be shared.

  6. v12

    First big noise cleanup

    The first major pass at reducing noise. The analyzer began skipping machine-generated and bundled code, ignoring well-known example and placeholder keys, and reporting risky shell or eval patterns only when they genuinely do something dangerous rather than something routine.

  7. v11

    Looking inside bundled archives

    Some packages ship a zip or editor-extension archive inside them. The analyzer now opens those archives and examines what they contain, so anything tucked away in a bundled file gets the same scrutiny as the rest of the source.

  8. v10

    Tracking untrusted input

    Added a new dimension to how a server's permissions are described: whether it takes in untrusted input. This lets the analyzer recognise the dangerous combination of reading untrusted data, holding secrets, and reaching the network, which is the classic recipe for data theft.

  9. v9

    Scanning bundled editor extensions

    Detects editor-extension files, such as VS Code manifests and recommended-extension lists, that are bundled into a package, so their behaviour is reviewed rather than overlooked.

  10. v8

    Reading the listing text for hidden instructions

    An assistant often reads a project's README or description before using it, which makes that text a place to hide instructions aimed at the assistant. This release scans the listing text for those hidden prompts.

  11. v7

    Flagging risky bundled scripts

    Flags an executable script bundled alongside a skill when it does something risky, such as downloading and running code from the internet, since an assistant could be instructed to run it.

  12. v6

    Logged secrets and broad permissions

    Added two checks: one for code that writes a secret into a log, and one for requests for unusually broad access, such as full account or full drive permissions.

  13. v5

    Spotting data exfiltration in skills

    Flags a skill whose instructions both reference a secret and point to somewhere data could be sent, the pattern behind skills designed to quietly leak information.

  14. v4

    Smarter call-home detection

    Improved the check for code that contacts an outside address. It now ignores local and private addresses that cannot reach the wider internet, and pays special attention to cloud metadata addresses, a known target for credential theft. It also stopped scanning test and example files, which are full of harmless sample addresses.
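    An added example of this logic (not the scanner's code): URL literals are classified with Python's ipaddress module, and the cloud metadata addresses are matched before the private/link-local filter, because 169.254.169.254 is itself link-local and would otherwise be discarded as harmless. The sample source and the hostname list are assumptions for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample source: one public API, two unroutable addresses, two metadata endpoints.
SAMPLE = '''
API = "https://api.example.com/v1"
LOCAL = "http://127.0.0.1:8080/health"
LAN = "http://10.0.0.5/status"
META = "http://169.254.169.254/latest/meta-data/"
GCP = "http://metadata.google.internal/computeMetadata/v1/"
'''

URL_RE = re.compile(r"https?://[^\s\"']+")
# Well-known cloud instance-metadata endpoints (IPv4 used by several clouds, AWS IPv6, GCP hostname).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

def classify_host(host):
    """'metadata' (credential-theft target), 'ignore' (cannot reach the internet) or 'external'."""
    # Checked first: 169.254.169.254 is link-local, so the filter below would drop it.
    if host.lower() in METADATA_HOSTS:
        return "metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return "ignore" if host == "localhost" or host.endswith(".local") else "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return "ignore"
    return "external"

def find_outbound(source):
    """(url, verdict) for each URL literal that is worth reporting."""
    results = []
    for url in URL_RE.findall(source):
        verdict = classify_host(urlparse(url).hostname or "")
        if verdict != "ignore":
            results.append((url, verdict))
    return results
```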

  15. v1 to v3

    Foundational analyzers

    The first versions of the scanner. They read a server's published source to work out what it can do (touch the filesystem, run shell commands, reach the network, use secrets or databases), list its tools and dependencies, work out how it communicates, and raise the first danger signals, including committed secrets, dynamically executed code, and suspicious outbound addresses.