Security

Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.

MCP-native tool-safety findings (tool poisoning, exfiltration combos, name shadowing, benign-dangerous tools, unconstrained schemas) from pure heuristics, newest-detected first; switch to the severity worklist to triage by impact — every row is a review signal with its evidence, never a verdict.

  • exfiltration combo: 862 high, 1162 low
  • dangerous code: 1191 high
  • tool shadowing: 233 high, 60 medium
  • purpose mismatch: 281 medium
  • toxic flow (lethal trifecta): 186 high
  • tool poisoning: 22 high, 15 medium
  • hidden prompt content: 36 high
  • loose schema: 16 medium
  • cross-server steering: 2 medium
  1. HIGH dangerous code @kubb/plugin-mcp dynamic exec: new Function()
  2. HIGH dangerous code @blamejs/exceptd-skills env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-xd6Y6S/package/orche
  3. HIGH dangerous code @wcag-checkr/mcp env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-xvyQFR/package/wcagc
  4. HIGH dangerous code @adcp/sdk env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-cgaE83/package/examp
  5. HIGH exfiltration combo obsidian-mcp-server · omnisearch single tool reads + sends: fs, net
  6. HIGH dangerous code @askexenow/exe-os committed secret: committed .env
  7. HIGH dangerous code gm-codex dynamic exec: eval()
  8. LOW exfiltration combo aidevops sensitive read and network capabilities split across this server's tools
  9. LOW exfiltration combo nano-brain · memory_query single tool reads + sends: net, db
  10. HIGH dangerous code @benborla29/mcp-server-mysql committed secret: committed .env
  11. HIGH tool shadowing kubernetes-mcp-server · command tool "command" shadows a verified server's tool (Digital-Defiance/mcp-debugger-server)
  12. HIGH exfiltration combo kubernetes-mcp-server · nodes_stats_summary single tool reads + sends: fs, net
  13. HIGH exfiltration combo kubernetes-mcp-server · query single tool reads + sends: fs, net, db
  14. HIGH dangerous code poke credential logged in 1 file(s)
  15. HIGH dangerous code hostinger-api-mcp env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-z5uY7S/package/src/c
  16. HIGH dangerous code @modelcontextprotocol/client dynamic exec: new Function()
  17. HIGH dangerous code @neriros/ralphy dynamic exec: new Function()
  18. HIGH dangerous code xmcp dynamic exec: new Function()
  19. HIGH tool shadowing mcp-searxng · url tool "url" shadows a verified server's tool (burtthecoder/mcp-virustotal)
  20. LOW exfiltration combo mcp-searxng · query single tool reads + sends: net, db
  21. HIGH dangerous code task-master-ai credential logged in 1 file(s)
  22. HIGH dangerous code claude-mem suspicious bundled script in 1 file(s)
  23. LOW exfiltration combo context-mode · ctx_search single tool reads + sends: net, db
  24. HIGH dangerous code @bike4mind/cli credential logged in 1 file(s)
  25. LOW exfiltration combo extract-design-system sensitive read and network capabilities split across this server's tools