AgentAudit — MCP server security findings across 194 packages

• Category: Security

AI relevance: MCP servers are agent tools; these findings map directly to prompt-to-command abuse and secret leakage risks in AI deployments.

  • AgentAudit reports 118 security findings after auditing 194 packages across 211 reports.
  • Severity split: 5 critical, 9 high, 63 medium, and 41 low issues.
  • The most dangerous pattern is unsanitized shell execution: MCP servers that build a shell command from the arguments the model passes to a tool, so whoever can influence the model's input controls the command line.
  • Environment variable leakage is the most common medium-severity issue: the server's process environment, including secrets, ends up in logs or in the LLM's context.
  • Other recurring weaknesses include over-broad filesystem access, missing input validation, and dependency-chain risks.
  • Despite the issues, the registry-wide average Trust Score is 98/100, with only two packages flagged as caution/unsafe.

Why it matters

  • Agent ecosystems turn prompt text into code paths; an unsanitized tool argument is effectively a remote command surface for anyone who can get text into the model's context.
  • Secrets leaked into agent context can be exfiltrated by prompt injection or malicious tool responses.
  • Supply-chain risks in MCP packages scale quickly as teams share and reuse skills.

What to do

  • Gate MCP installs with automated package checks before enabling tools in production agents.
  • Enforce allowlists for shell execution, filesystem paths, and network destinations.
  • Reduce tool scope to least privilege and audit dependency trees for transitive risk.
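The following Python is an added illustration of the patterns in the findings and the mitigations listed above; it is not AgentAudit's code and not taken from any real MCP server. It puts a tool handler that interpolates model-supplied arguments into a shell string next to a hardened version that allowlists the binary, validates and confines the arguments, passes only an allowlisted environment to the child, and redacts credential-looking lines before output reaches logs or the model. The tool, the workspace root `/srv/agent-workspace`, the binary paths and the variable names are assumptions chosen for the example.

```python
"""Constructed example of the two patterns the findings describe: a tool handler
that builds a shell command from LLM-supplied arguments, beside a hardened
version with an execution allowlist, path confinement, an environment allowlist
and secret redaction. Not AgentAudit's code and not any real MCP server; the
tool, the workspace root, the binaries and the variable names are assumptions.
"""
import os
import re
import subprocess
from pathlib import Path


# --- Vulnerable: tool arguments interpolated into a shell string -------------
def run_grep_vulnerable(pattern: str, path: str) -> str:
    # `pattern` and `path` come from the model's tool call, so anything that can
    # inject into the model's context (a web page, a file, another tool's
    # output) controls them. shell=True makes "x; cat ~/.aws/credentials #"
    # a command, and the child inherits the whole parent environment.
    return subprocess.run(f"grep -n {pattern} {path}", shell=True,
                          capture_output=True, text=True).stdout


# --- Hardened -----------------------------------------------------------------
WORKSPACE = Path("/srv/agent-workspace").resolve()                 # assumed root
ALLOWED_BINARIES = {"grep": "/usr/bin/grep", "wc": "/usr/bin/wc"}  # assumed
ENV_PASSTHROUGH = ("PATH", "LANG", "HOME")                         # assumed
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.\-/ ]{1,200}$")
SECRET_KV = re.compile(
    r"(?im)^([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)=.*$")


def confine_path(user_path: str, root: Path = WORKSPACE) -> Path:
    """Resolve '..' and symlinks, then refuse anything outside `root`."""
    candidate = (root / user_path).resolve()   # an absolute input replaces root
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes workspace: {user_path!r}")
    return candidate


def build_argv(binary: str, args: list[str]) -> list[str]:
    """Allowlisted binary plus character-validated args; never a shell string."""
    if binary not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowlisted: {binary!r}")
    for arg in args:
        if not SAFE_ARG.match(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return [ALLOWED_BINARIES[binary], *args]


def scrubbed_env(parent_env: dict) -> dict:
    """Forward only named variables; API keys in the parent never reach the child."""
    return {k: v for k, v in parent_env.items() if k in ENV_PASSTHROUGH}


def redact_secrets(text: str) -> str:
    """Mask KEY=value lines that look like credentials before the text is
    logged or returned into the model's context."""
    return SECRET_KV.sub(r"\1=[REDACTED]", text)


def run_grep_hardened(pattern: str, rel_path: str) -> str:
    target = confine_path(rel_path)
    # "--" ends option parsing, so a pattern such as "-r" cannot become a flag.
    argv = build_argv("grep", ["-n", "--", pattern, str(target)])
    result = subprocess.run(argv, capture_output=True, text=True,
                            env=scrubbed_env(dict(os.environ)), timeout=10,
                            check=False)
    return redact_secrets(result.stdout)


if __name__ == "__main__":
    print(build_argv("grep", ["-n", "--", "TODO", str(confine_path("notes/a.txt"))]))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        try:
            confine_path(bad)
        except PermissionError as exc:
            print("blocked:", exc)
    print(redact_secrets("AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI\nAWS_REGION=eu-west-1"))
```

The hardened handler still runs a real binary, so the remaining risk is in the allowlist itself: every entry in `ALLOWED_BINARIES` and every option you permit is part of the tool's attack surface, and the character class in `SAFE_ARG` is a floor, not a substitute for the `--` separator and the argv list.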
