Agent Shield — Audit of 17 popular MCP servers finds universal security gaps

AI relevance: MCP servers are the tool layer LLM agents use to read files, run commands, and call APIs — so security flaws in these servers translate directly to agent-level compromise (data exfil, code execution, credential theft).

  • Agent Shield, an open-source static-analysis scanner by Elliot Liu, audited 17 of the most-installed MCP servers — including official implementations from Anthropic, AWS, Cloudflare, Docker, Brave, and Azure.
  • The scan covered 4,198 files and ~1.2 million lines of code across TypeScript, JavaScript, Python, Go, and Rust.
  • 100% of servers lack permission declarations — despite the MCP spec supporting them. Users have no machine-readable way to know what a server can access before installing it.
  • A real eval() vulnerability was found in the Playwright MCP server (Automata Labs) at index.ts:535: an agent that has consumed attacker-controlled tool output (for example, text scraped from an untrusted web page) can be tricked into passing that text to the tool, where the eval() runs it as arbitrary JavaScript.
  • 5 of 17 servers (29%) scored as high risk, with Cloudflare's and AWS's monorepo servers hitting the worst score (-100) due to privilege patterns, phone-home behavior, and hardcoded credentials in example configs.
  • The average security score was 34/100 across all scanned servers.
  • Other recurring findings: unrestricted network requests (potential SSRF), environment variable leaks, and cross-file taint flows from untrusted input to sensitive sinks.
  • Unlike npm (npm audit), PyPI (Safety), or Docker Hub (image scanning), the MCP ecosystem has no standard security scanning infrastructure.
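The "unrestricted network requests (potential SSRF)" finding above is the one most servers can fix with a small egress policy. The following is an added example written for this page, not code from Agent Shield or from any of the audited servers: a URL fetch tool that only allows https to an explicit host allowlist, rejects IP literals and embedded credentials, and re-checks the address actually connected to so that a hostname resolving to the cloud metadata service or a loopback address is still blocked. The policy, hostnames and blocked-range list are constructed for the demo.

```typescript
// Added example (editor's code, not from Agent Shield or any audited MCP server).
// Egress policy for an MCP tool that fetches URLs on the agent's behalf.

interface EgressPolicy {
  allowedHosts: Set<string>;   // exact hostnames, lower-case, no trailing dot
  allowedPorts: Set<number>;
}

type Decision = { allow: true; url: string } | { allow: false; reason: string };

// "This network", RFC 1918, CGNAT, loopback, link-local (includes 169.254.169.254
// metadata). Constructed list; extend it for your own environment.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const block = 2 ** (32 - bits);
  return Math.floor(ip / block) === Math.floor((ipv4ToInt(base) as number) / block);
}

// Apply this to the address actually connected to (after DNS resolution, with the
// socket pinned to that address), so DNS rebinding cannot swap in an internal target.
function isBlockedAddress(addr: string): boolean {
  const a = addr.toLowerCase();
  if (a.startsWith("::ffff:")) return isBlockedAddress(a.slice(7)); // IPv4-mapped IPv6
  const v4 = ipv4ToInt(a);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  // Simplified IPv6 handling: loopback, unspecified, link-local fe80::/10, ULA fc00::/7.
  return a === "::1" || a === "::" || a.startsWith("fe8") || a.startsWith("fe9")
    || a.startsWith("fea") || a.startsWith("feb") || a.startsWith("fc") || a.startsWith("fd");
}

function checkEgress(raw: string, policy: EgressPolicy): Decision {
  let u: URL;
  try { u = new URL(raw); } catch { return { allow: false, reason: "unparseable URL" }; }
  if (u.protocol !== "https:") return { allow: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { allow: false, reason: "credentials embedded in URL" };
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  // WHATWG parsing has already normalised forms like 0x7f000001 or 2130706433 to dotted quads.
  if (host.startsWith("[") || ipv4ToInt(host) !== null) return { allow: false, reason: "IP literal not allowed" };
  if (host === "localhost" || host.endsWith(".localhost")) return { allow: false, reason: "loopback name" };
  if (!policy.allowedHosts.has(host)) return { allow: false, reason: `host ${host} not allowlisted` };
  const port = u.port === "" ? 443 : Number(u.port);
  if (!policy.allowedPorts.has(port)) return { allow: false, reason: `port ${port} not allowlisted` };
  return { allow: true, url: u.toString() };
}

// Constructed policy and sample URLs for the demo.
const DEMO_POLICY: EgressPolicy = {
  allowedHosts: new Set(["api.example.com"]),
  allowedPorts: new Set([443]),
};

function demoEgress(): Record<string, boolean> {
  const urls = [
    "https://api.example.com/v1/search?q=mcp",
    "http://api.example.com/v1/search",
    "https://169.254.169.254/latest/meta-data/",
    "https://0x7f000001/",
    "https://api.example.com:8443/",
    "https://user:secret@api.example.com/",
    "https://internal.example.com/",
  ];
  const out: Record<string, boolean> = {};
  for (const u of urls) out[u] = checkEgress(u, DEMO_POLICY).allow;
  return out;
}

console.log(demoEgress());
```

The two checks are deliberately separate: checkEgress() runs on the URL string before any network activity, and isBlockedAddress() runs on the resolved address at connect time. Validating only the hostname is not enough, because a public name the attacker controls can resolve to 169.254.169.254 or 127.0.0.1 at lookup time.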

Why it matters

  • Agent platforms like Claude Desktop, Cursor, and Windsurf auto-load MCP servers as tool providers — a single compromised server gives the agent unintended file, network, or cluster access.
  • The eval() finding in Playwright MCP is a textbook code injection: if an agent processes untrusted web content through this tool, an attacker can achieve RCE on the host. Before acting on it, confirm where that eval() executes; an eval() in the server's Node process is host-level RCE, while evaluation inside the page Playwright drives is still script injection but confined to the browser session.
  • The lack of permission declarations means no pre-install review is possible without reading source code — a gap that scales badly as the ecosystem grows past 6,000 listed servers.
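To make the eval() injection concrete, here is an added example written for this page (editor's code, not the Playwright MCP server's source and not Agent Shield's output). It models a tool handler that receives an expression string the agent assembled from content it read, and shows the vulnerable pattern beside a hardened replacement: instead of eval(), a small recursive-descent parser that accepts only numbers, + - * /, unary minus and parentheses, so nothing outside that grammar can ever run. The payload is constructed and only plants a marker on the global object so the effect is observable without doing damage.

```typescript
// Added example (editor's code, not from the Playwright MCP server or Agent Shield).
// Vulnerable vs hardened handling of an expression argument an agent passes to a tool.

type ToolResult = { ok: true; value: number } | { ok: false; error: string };

// VULNERABLE: the tool argument is executed as JavaScript in the server process.
function evaluateToolVulnerable(expression: string): ToolResult {
  const value = eval(expression);
  return typeof value === "number" ? { ok: true, value } : { ok: false, error: "not a number" };
}

// HARDENED: a grammar-limited parser. Input is never executed, only parsed and folded.
class ExprParser {
  private pos = 0;
  constructor(private readonly src: string) {}

  parse(): number {
    const v = this.expr();
    this.skipWs();
    if (this.pos !== this.src.length) throw new Error(`unexpected '${this.src[this.pos]}' at ${this.pos}`);
    return v;
  }
  private skipWs(): void { while (this.pos < this.src.length && /\s/.test(this.src[this.pos])) this.pos++; }
  private peek(): string { this.skipWs(); return this.src[this.pos] ?? ""; }
  private expr(): number {                       // expr := term (('+' | '-') term)*
    let v = this.term();
    for (;;) {
      const c = this.peek();
      if (c === "+") { this.pos++; v += this.term(); }
      else if (c === "-") { this.pos++; v -= this.term(); }
      else return v;
    }
  }
  private term(): number {                       // term := factor (('*' | '/') factor)*
    let v = this.factor();
    for (;;) {
      const c = this.peek();
      if (c === "*") { this.pos++; v *= this.factor(); }
      else if (c === "/") {
        this.pos++;
        const d = this.factor();
        if (d === 0) throw new Error("division by zero");
        v /= d;
      } else return v;
    }
  }
  private factor(): number {                     // factor := '-' factor | '(' expr ')' | number
    const c = this.peek();
    if (c === "-") { this.pos++; return -this.factor(); }
    if (c === "(") {
      this.pos++;
      const v = this.expr();
      if (this.peek() !== ")") throw new Error("expected ')'");
      this.pos++;
      return v;
    }
    const m = /^\d+(\.\d+)?/.exec(this.src.slice(this.pos));
    if (!m) throw new Error(`expected number at ${this.pos}`);
    this.pos += m[0].length;
    return Number(m[0]);
  }
}

function evaluateToolHardened(expression: string): ToolResult {
  if (expression.length > 256) return { ok: false, error: "expression too long" };
  try {
    return { ok: true, value: new ExprParser(expression).parse() };
  } catch (e) {
    return { ok: false, error: (e as Error).message };
  }
}

// Constructed payload standing in for attacker-controlled web content. A real payload
// would spawn a process or read credentials; this one only leaves a visible marker.
const INJECTED_EXPRESSION = "globalThis.__agentShieldDemo = 'executed'; 2 + 2";

function demo(): { vulnerableRanPayload: boolean; hardenedRejected: boolean } {
  const g = globalThis as unknown as Record<string, unknown>;
  delete g.__agentShieldDemo;
  const v = evaluateToolVulnerable(INJECTED_EXPRESSION);
  const vulnerableRanPayload = v.ok && g.__agentShieldDemo === "executed";
  delete g.__agentShieldDemo;
  const h = evaluateToolHardened(INJECTED_EXPRESSION);
  return { vulnerableRanPayload, hardenedRejected: !h.ok && g.__agentShieldDemo === undefined };
}

console.log(demo());
```

The hardened handler still returns 4 for "2 + 2" and 11 for "2 + 3 * (4 - 1)", so the tool keeps its legitimate behaviour; what changes is that the set of things the input can do is fixed by the grammar rather than by whatever the JavaScript engine accepts. The same substitution applies to new Function() and to vm.runInNewContext(), which is not a security boundary either.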

What to do

  • Scan before installing: Run Agent Shield (npx @elliotllliu/agent-shield scan <dir>) on any MCP server before adding it to your agent config.
  • Audit existing servers: Cross-check your current MCP installations against the Agent Shield findings — especially Playwright MCP if you use it.
  • Demand permission manifests: Push MCP server authors to declare permissions in their server manifests, and file issues where they're missing.
  • Restrict by default: Run MCP servers with least-privilege filesystem access, network egress filtering, and no eval()/Function() in the code path.

Sources