I Scanned 1,200 MCP Configs From GitHub. Here's What I Found.

A deep-dive into the security posture of real-world AI agent deployments — and the open-source tool I built to fix it.

TL;DR: I collected 1,200 real MCP (Model Context Protocol) configuration files from public GitHub repositories, scanned them with an open-source security tool I built, and found that:

  • 100% had security gaps
  • 20.7% had CRITICAL or HIGH issues (hardcoded secrets, unauthenticated endpoints, unrestricted shell execution)
  • 0 of 1,200 configured response limits or session caps
  • The 11 most popular MCP servers (307K+ combined stars) all had findings — 5 were CRITICAL

The tool is Pluto AgentGuard. It’s free, runs locally, and takes about 3 minutes to scan 1,200 configs.

The Problem: We Secured LLM Outputs but Forgot About Agent Actions

The AI security conversation has focused heavily on what LLMs say — hallucinations, jailbreaks, harmful content. Entire product categories exist for prompt filtering and output guardrails. But the attack surface has shifted. Modern AI agents don’t just generate text — they do things: browse the web, execute shell commands, query databases, push code, trigger CI/CD pipelines.

The Model Context Protocol (MCP) is the dominant standard for connecting these capabilities to LLMs. Here’s the disconnect: nobody is auditing the configuration layer that determines what agents can actually do. The MCP config file — usually claude_desktop_config.json or .mcp.json — is the security boundary between “an AI assistant that helps me code” and “an AI assistant that can run arbitrary commands on my machine.” I wanted to know: how secure are these configurations in the real world?

Methodology: How I Collected 1,200 Configs

Collection

I used the GitHub Code Search API to find real MCP configuration files across public repositories. The search targeted:

  • claude_desktop_config.json files containing mcpServers
  • .mcp.json files with MCP server definitions
  • mcp_config.json and similar variants

Collection rules:

  • Maximum 3 configs per repository (avoid bias from monorepos)
  • Deduplicated by SHA-256 content hash (identical configs counted once)
  • Only files that parsed as valid JSON with MCP server definitions
  • 7-second delay between API pages (GitHub rate limit: 10 requests/minute)

Result: 1,200 valid configs from 1,159 unique repositories, collected June 25, 2026.

Scanning

Each config was scanned using Pluto AgentGuard’s scan_mcp_config function, which checks for:

  • Dangerous server packages — a curated database of 13+ MCP servers known to grant high-risk capabilities (shell execution, browser control, database write, source control write)
  • Missing authentication — remote MCP endpoints (http:// or https:// URLs) without auth headers or tokens
  • Insecure transport — HTTP instead of HTTPS for remote connections
  • Hardcoded secrets — 18+ regex patterns matching API keys, tokens, passwords, and private keys embedded in config values
  • Context safety gaps — missing response size limits (max_tokens, max_response_length) and session caps (max_turns, session_timeout)
  • Human-in-the-loop (HITL) absence — high-risk servers configured without approval gates
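To make the checklist above concrete, here is a small scanner added for this post that applies the same categories of checks to one config. It is not Pluto AgentGuard’s own scan_mcp_config; the sample config is constructed, the package denylist and regex patterns are placeholders, the field names url, headers, token and env are assumed, and the severities assigned are illustrative.

```python
import json
import re

# Constructed sample config (not from the page's dataset). Field names such as
# "url", "headers", "token" and "env" are assumed, not taken from any real tool.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "docs":   {"url": "http://mcp.example.invalid/sse"},
    "github": {"command": "npx", "args": ["-y", "@example/github-mcp"],
               "env": {"GITHUB_TOKEN": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"}},
    "shell":  {"command": "npx", "args": ["-y", "example-shell-mcp"], "max_turns": 20}
  }
}"""

# Hypothetical denylist standing in for the tool's curated package database.
HIGH_RISK_PACKAGES = {"example-shell-mcp": "shell execution"}

# A few of the secret formats a hardcoded-secret check would look for.
SECRET_PATTERNS = [
    ("GitHub token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
LIMIT_KEYS = ("max_tokens", "max_response_length", "max_turns", "session_timeout")


def scan_mcp_config(text):
    """Return (severity, server, message) findings for one config's JSON text."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        url = spec.get("url", "")
        if url.startswith("http://"):
            findings.append(("HIGH", name, "insecure transport: plain HTTP"))
        if url and not (spec.get("headers") or spec.get("token")):
            findings.append(("CRITICAL", name, "remote endpoint without authentication"))
        for arg in spec.get("args", []):
            if arg in HIGH_RISK_PACKAGES:
                cap = HIGH_RISK_PACKAGES[arg]
                findings.append(("CRITICAL", name, f"high-risk package ({cap}), no approval gate"))
        for key, value in spec.get("env", {}).items():
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(str(value)):
                    findings.append(("HIGH", name, f"hardcoded {label} in env {key}"))
        if not any(k in spec for k in LIMIT_KEYS):
            findings.append(("MEDIUM", name, "no response limit or session cap"))
    return findings


if __name__ == "__main__":
    for severity, server, message in scan_mcp_config(SAMPLE_CONFIG):
        print(f"{severity:8} {server:8} {message}")
```

Moving the token into an environment reference, switching the endpoint to HTTPS with an Authorization header, and adding one of the limit keys clears every finding for that server.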

Each finding is assigned a severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) and mapped to OWASP Agentic AI threat categories. The entire scan ran locally in ~3 minutes. No API keys. No cloud. No LLM calls.

Results: The Numbers

Metric                               Value
Total configs scanned                1,200
Unique repositories                  1,159
Total findings                       2,904
🔴 CRITICAL                          88 (3.0%)
🟠 HIGH                              280 (9.6%)
🟡 MEDIUM                            2,536 (87.3%)
Configs with CRITICAL or HIGH        20.7%
Configs with any finding             100%

Every single config had at least a MEDIUM finding. One in five had a CRITICAL or HIGH issue.

Popular Servers (11 configs, 307K+ combined GitHub stars)

I also separately scanned the 11 highest-starred MCP servers to see how the most popular, most copied configs look:

(Table omitted for brevity, but highlights include:)

  • 5 CRITICAL. 4 HIGH. 0 of 11 had response limits or session caps.
  • I’ve filed security issues on the CRITICAL repos: Context7, Chrome DevTools, Serena, Activepieces, mcp-chrome.

The 4 Most Common Risks (With Examples)

1. Browser Control Without Approval (CRITICAL)

Chrome DevTools MCP (44K★) gives the agent full Chrome DevTools Protocol access. That means:

  • Attach to your existing Chrome sessions
  • Execute JavaScript in page context
  • Capture network response bodies (credentials, tokens, PII)
  • Read cookies and local storage
  • Intercept and modify requests

A prompt injection — say, a malicious instruction hidden in a webpage the agent is reading — can instruct the agent to exfiltrate your session cookies from Gmail, your bank, or your corporate SSO. The default config has zero approval gates. The agent acts autonomously.

2. Shell Execution Without Sandboxing (CRITICAL)

Serena (26K★) gives the agent unrestricted shell access. Not “run this safe command” — full bash with the agent’s user permissions. Combined with filesystem read/write, a prompt injection can:

  • Read ~/.ssh/id_rsa and exfiltrate it
  • Install a reverse shell
  • Modify .bashrc for persistence
  • Access cloud credentials in ~/.aws/credentials

3. Unauthenticated Remote Endpoints (CRITICAL)

Context7 (58K★) and Activepieces (23K★) expose remote MCP endpoints over HTTPS with no authentication. Anyone who knows the URL can connect.