The Problem: You're Flying Blind with MCP Security
When you add an MCP server to Claude Code, you're giving an AI agent direct access to your system. The source reveals a shocking statistic: after scanning 194 MCP packages, 118 had security findings—a 60.8% failure rate. These aren't obscure packages; they're the ones developers are installing right now.
The core issue isn't developer negligence—it's complete lack of visibility. When you run claude code --mcp-server @some-mcp/filesystem-server, you get zero indication whether it properly sanitizes paths, leaks environment variables, or executes shell commands with unsanitized input.
The Solution: MCP Security Score API
Developer @yedanyagamiai has built and launched a free API that gives any MCP server a 0-100 security score across five critical dimensions:
- Input Validation (25 pts) – Does it validate tool parameters or allow directory: "../../etc/passwd"?
- Execution Safety (25 pts) – Shell injection checks: execFileSync with arrays vs string-concatenated execSync.
- Environment Isolation (20 pts) – Does it leak process.env? Seven packages were found logging environment variables during startup.
- Dependency Hygiene (15 pts) – Known CVEs in transitive dependencies, lockfile presence, version pinning.
- Output Sanitization (15 pts) – Prevents sensitive data from flowing back through tool responses into the LLM context.
Why This Matters More for Claude Code Than Web Apps
When a web app has XSS, one user is affected. When an MCP server has shell injection, the AI agent executing it can compromise your entire host. The agent doesn't know the difference between a safe command and ; rm -rf /. The source counted 30 CVEs against MCP packages in the last 60 days, with 437K downloads of compromised packages before takedowns.
How to Use It Right Now
Check Any MCP Server Instantly
# Get a security score for any MCP server
curl "https://mcp-security-score.yagami8095.workers.dev/score?url=https://your-server.com"
You'll receive a detailed breakdown like:
@modelcontextprotocol/server-filesystem
MCP Security Score: 72/100
input validation: 18/25
execution safety: 22/25
environment isolation: 14/20
dependency hygiene: 12/15
output sanitization: 6/15
Embed Badges in Your README
If you're building MCP servers for Claude Code, add transparency:

Integrate into Your Claude Code Workflow
Before adding a new MCP server to your Claude Code configuration:
- Run the security check
- Review the breakdown
- Set a minimum threshold (e.g., refuse servers below 70/100)
- Monitor updates with periodic rescans
Limitations and Realistic Expectations
The score won't catch everything—logic bugs, prompt injection through tool responses, and novel attack chains still need human review. Treat it as a security floor, not a guarantee. But as the source notes: "right now the floor is 'nothing.' any signal is better than zero."
gentic.news Analysis
This development arrives at a critical moment for Claude Code users. According to our knowledge graph, Model Context Protocol appeared in 27 articles this week alone, showing explosive growth. This follows research from March 28 revealing that 66% of MCP servers have critical vulnerabilities with an average security score of just 34/100—data that aligns perfectly with the source's 60.8% failure rate.
The timing is particularly relevant given Claude Code's deep integration with MCP. As we covered in "Claude Code's /mcp Computer Use" (March 30), users are increasingly testing local applications directly through MCP servers. Each new server connection represents a potential attack vector that could compromise not just individual sessions but entire development environments.
This security scoring API addresses a gap that's widening as adoption accelerates. With 97M total npm SDK downloads mentioned in the source, MCP usage is clearly outpacing security infrastructure. For Claude Code developers who rely on multiple MCP servers daily, this tool provides the first practical way to assess risk before granting AI agents system-level access.
What You Should Do Today
- Audit your current MCP servers: Run the security check on every MCP server in your Claude Code configuration.
- Set a baseline: Establish a minimum acceptable score for your team (70/100 is a reasonable starting point).
- Check before installing: Make this API call part of your MCP evaluation workflow.
- Contribute to transparency: If you build MCP servers, publish your score badge.
The API is free, runs on Cloudflare Workers at $0/month infrastructure cost, and provides immediate value. In an ecosystem where security has been an afterthought, this gives Claude Code users their first real visibility into what they're actually installing.