CuratedMCP
Research · 2026

69% of the most popular MCP servers ask you to paste a secret in plaintext

We applied the open-source CuratedMCP Auditor risk model to 29 of the most widely-used MCP servers. Any developer can add them to Claude Code, Cursor, Windsurf or Copilot in under 30 seconds — with no review, audit, or allowlist. That is the shadow-MCP problem, stated as a fact.

Published by CuratedMCP · Reproducible from each server's own install docs

69% ask you to paste a long-lived credential in plaintext (20 of 29)
34% published by individual / community accounts, not the vendor (10 of 29)
23 of 29 carry a HIGH or MEDIUM risk flag — only 3 are clean

This is not a claim that any server is malicious. Most are legitimate and useful. It measures the exposure surface a team accepts by default when developers self-serve MCP servers across multiple AI clients with no central allowlist or audit log. The same secrets sit in plaintext config files across every engineer's laptop, and no one can see which tools are installed where. MCP is becoming the new npm — and the same supply-chain problems are coming.

Per-server breakdown

Flags mirror the local CuratedMCP Auditor: credentials in env or args, filesystem access, and publisher provenance. Sorted by risk.

| Server | Publisher | Risk | Flags |
|---|---|---|---|
| Exa Search | community | HIGH | Credential in env, Unverified publisher |
| Perplexity | community | HIGH | Credential in env, Unverified publisher |
| Firecrawl | community | HIGH | Credential in env, Unverified publisher |
| Apify | community | HIGH | Credential in env, Unverified publisher |
| MongoDB | community | HIGH | Credential in env, Unverified publisher |
| AWS (community) | community | HIGH | Credential in env, Unverified publisher |
| Obsidian | community | HIGH | Filesystem access, Unverified publisher |
| Filesystem | official | MEDIUM | Filesystem access |
| GitHub | official | MEDIUM | Credential in env |
| GitLab | official | MEDIUM | Credential in env |
| Google Drive | official | MEDIUM | Credential in env |
| Slack | official | MEDIUM | Credential in env |
| Postgres | official | MEDIUM | Credential in args |
| Google Maps | official | MEDIUM | Credential in env |
| Brave Search | official | MEDIUM | Credential in env |
| Sqlite | official | MEDIUM | Filesystem access |
| Sentry | official | MEDIUM | Credential in args |
| Stripe | vendor | MEDIUM | Credential in env |
| Cloudflare | vendor | MEDIUM | Credential in env |
| Supabase | vendor | MEDIUM | Credential in env |
| Notion | vendor | MEDIUM | Credential in env |
| Linear | vendor | MEDIUM | Credential in env |
| Atlassian | vendor | MEDIUM | Credential in env |
| Desktop Commander | community | LOW | Unverified publisher |
| Shell / iTerm | community | LOW | Unverified publisher |
| Docker | community | LOW | Unverified publisher |
| Puppeteer | official | VERIFIED | |
| Memory | official | VERIFIED | |
| Fetch | official | VERIFIED | |

Methodology: each row reflects the install configuration the server's own README tells you to paste into your AI client — not its source code. Generated by scripts/mcp-security-report.ts.
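The flag and risk-tier logic the table implies, as an added sketch that is not the CuratedMCP Auditor's code or scripts/mcp-security-report.ts. The regexes, the `auditServer` and `auditAll` names, the sample entries, and the treatment of `${VAR}` references as non-literal are assumptions; publisher is passed in because an install config does not record it.

```typescript
// Added sketch, not the CuratedMCP Auditor's code. Regexes and names are assumptions.
type Publisher = "official" | "vendor" | "community";
interface ServerEntry { command: string; args?: string[]; env?: { [name: string]: string }; }
interface Finding { risk: string; flags: string[]; }

const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i;
// "${VAR}" defers to the process environment (assumes the client expands it).
const ENV_REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;
const URL_WITH_PASSWORD = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i;
const SECRET_FLAG = /^--?[\w-]*(key|token|secret|password)[\w-]*=.+/i;
const PATH_ARG = /^(\/|~\/|[A-Za-z]:\\)/;

function auditServer(entry: ServerEntry, publisher: Publisher): Finding {
  const env = entry.env || {};
  const args = entry.args || [];
  const flags: string[] = [];
  const literalSecret = Object.keys(env).some((name: string): boolean => {
    const value = env[name] || "";
    return SECRET_NAME.test(name) && value !== "" && !ENV_REFERENCE.test(value);
  });
  if (literalSecret) flags.push("Credential in env");
  const credArg = (a: string): boolean => URL_WITH_PASSWORD.test(a) || SECRET_FLAG.test(a);
  if (args.some(credArg)) flags.push("Credential in args");
  if (args.some((a: string): boolean => PATH_ARG.test(a))) flags.push("Filesystem access");
  const exposure = flags.length > 0;
  const unverified = publisher === "community";
  if (unverified) flags.push("Unverified publisher");
  // Tiers as the table reads: exposure + unverified = HIGH, exposure = MEDIUM, unverified = LOW.
  const risk = exposure && unverified ? "HIGH" : exposure ? "MEDIUM" : unverified ? "LOW" : "VERIFIED";
  return { risk, flags };
}

// Constructed entries in the common "mcpServers" shape; every value is a placeholder.
const SAMPLE: { name: string; publisher: Publisher; entry: ServerEntry }[] = [
  { name: "search", publisher: "community", entry: { command: "npx",
    args: ["-y", "example-search-mcp"], env: { SEARCH_API_KEY: "PLACEHOLDER-KEY" } } },
  { name: "postgres", publisher: "official", entry: { command: "npx",
    args: ["-y", "example-pg-mcp", "postgresql://app:PLACEHOLDER@db.example.internal/app"] } },
  { name: "files", publisher: "official", entry: { command: "npx",
    args: ["-y", "example-fs-mcp", "/home/dev/projects"] } },
  { name: "tracker", publisher: "vendor", entry: { command: "npx",
    args: ["-y", "example-tracker-mcp"], env: { TRACKER_TOKEN: "${TRACKER_TOKEN}" } } },
];

function auditAll(): string[] {
  return SAMPLE.map((s): string => s.name + ": " + auditServer(s.entry, s.publisher).risk);
}
console.log(auditAll().join("\n"));
```

The `tracker` entry shows the remediation side: the same server with its token referenced from the environment rather than pasted into the file produces no credential flag.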

Scan your own machine

The same audit, run locally against your real config. It finds every MCP server installed across Claude Code, Cursor, Windsurf and Copilot, and flags credential exposure and filesystem grants. No install, no signup, nothing leaves your machine.

$ npx @curatedmcp/auditor

Governing this across a team?

If several engineers are installing MCP servers across different AI clients, you have shadow MCP. CuratedMCP gives platform and AppSec teams one allowlist, one audit log, and local-first enforcement across every client — so you can say yes safely. Get the full report and a teardown of how to govern it.
