arXiv — How AI agents are used across 177,000 MCP tools

AI relevance: This paper measures the tool layer of modern AI agents directly, which matters because real-world agent risk depends on what tools agents can invoke, not just what models can say.

  • The authors analyze 177,436 public MCP tools published from November 2024 through February 2026, making this one of the largest empirical looks at the agent-tool ecosystem so far.
  • They split tools into perception, reasoning, and action categories based on whether a tool reads data, analyzes it, or changes an external environment.
  • Software development dominates: 67% of published tools and 90% of observed MCP server downloads were tied to software and IT workflows.
  • The big trend is toward agency, not just access: the share of action tools rose from 27% to 65% of total observed usage across the sampled period.
  • The paper says this growth is being driven in part by general-purpose tools that let agents operate less-constrained environments such as browsers and computers.
  • Most action tools map to medium-stakes work, but the dataset also includes higher-stakes capabilities like financial transactions.
  • The authors also detect rapid growth in AI-assisted MCP server creation, with AI help appearing in 28% of servers overall and rising sharply in newer ones.
  • One especially sharp data point: the paper attributes 69% of AI-coauthored servers to Claude Code, suggesting coding agents are already shaping the supply side of the tool ecosystem.
  • The policy angle is unusually practical: the authors argue regulators should monitor agent tools and distribution, not just model outputs, to spot risky deployment patterns early.

Why it matters

  • Security teams keep talking about agent risk in the abstract; this paper gives a concrete picture of where agents are actually being pointed today.
  • The rise in action-tool usage is the important signal. As agents move from reading to doing, the blast radius shifts from bad answers to file edits, API side effects, browser actions, and money movement.
  • The paper also reinforces a supply-chain concern: if AI is helping generate a growing share of MCP servers, then the quality and security posture of agent tooling itself becomes a bigger operational risk.

What to do

  • Inventory agent tools: track which MCP servers, plugins, and connectors are available to your agents, not just which models are deployed.
  • Separate read from write access: tools that mutate external state deserve stricter approvals, narrower scopes, and stronger logging.
  • Treat general-purpose tools as high risk: browser control, filesystem access, shell execution, and finance-related integrations should sit behind explicit controls.
  • Review AI-generated tool code: if your team is using coding agents to produce MCP servers or skills, add security review before publication or internal rollout.
  • Monitor the tool layer over time: agent risk changes as new connectors are added, not only when the base model changes.
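
A starting point for the inventory, read/write split and high-risk items above, as an added example that is not from the paper or this page's author. It assumes you have collected each server's MCP `tools/list` output and relies on the MCP tool annotation `readOnlyHint`, which is self-declared by the server and defaults to false when absent. Server names, tool names, the keyword list and the tier names are constructed for illustration.

```python
# Constructed inventory: entries shaped like MCP tools/list results, grouped by server.
INVENTORY = {
    "docs-search": [
        {"name": "search_docs", "description": "Full-text search over internal docs",
         "annotations": {"readOnlyHint": True}},
    ],
    "tracker": [
        # No annotations at all: must be treated as state-changing.
        {"name": "create_ticket", "description": "Open a ticket in the issue tracker"},
    ],
    "repo-helper": [
        {"name": "write_file", "description": "Write to the local filesystem",
         "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    ],
    "web-driver": [
        # Claims read-only, but drives a browser: the hint is not trusted on its own.
        {"name": "browser_snapshot", "description": "Capture the current page",
         "annotations": {"readOnlyHint": True}},
    ],
    "payments": [
        {"name": "create_transfer", "description": "Send money to a recipient"},
    ],
}

# Assumed keyword list for general-purpose and finance-related tools.
HIGH_RISK = ("browser", "filesystem", "shell", "exec", "payment", "transfer")

def classify(tool):
    """Return (mutates, tier) for one tools/list entry."""
    ann = tool.get("annotations") or {}
    mutates = not ann.get("readOnlyHint", False)  # absent hint => assume write
    text = (tool["name"] + " " + tool.get("description", "")).lower()
    if any(k in text for k in HIGH_RISK):
        return mutates, "explicit-control"        # overrides a self-declared hint
    return mutates, ("approve" if mutates else "log-only")

def build_policy(inventory):
    """Map 'server/tool' to the control tier it should sit behind."""
    return {f"{server}/{t['name']}": classify(t)[1]
            for server, tools in inventory.items() for t in tools}

if __name__ == "__main__":
    for tool_id, tier in sorted(build_policy(INVENTORY).items()):
        print(f"{tier:17} {tool_id}")
```

Re-running this whenever a connector is added or updated gives a diffable record of how the tool layer changes over time.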

Sources