Only 20% of MCP Servers Are 'A-Grade' Secure — Here's How to Vet Them Before Installing

The Security Problem Nobody Was Tracking

The Model Context Protocol (MCP) ecosystem has exploded, crossing 20,000 servers. This growth solved the tooling problem for AI agents but created a massive, unmonitored security surface. When you run claude code with an MCP server, that code executes with your permissions—accessing your shell, filesystem, and environment variables. A malicious or poorly written server is a direct supply chain attack on your development environment.

A new analysis from Loaditout scanned the entire public MCP ecosystem and assigned security grades. The results are stark: only 20.5% of servers (4,230 out of 20,652) earned an 'A' grade, meaning they passed all seven safety and quality criteria.

The 7-Point Checklist for a Safe MCP Server

Loaditout's grading system is a concrete framework you can apply manually or through their platform. An 'A' grade requires passing ALL seven checks:

1. Zero Injection Flags: No prompt injection patterns (e.g., ignore previous instructions, role overrides, data exfiltration attempts) in the description or README.
2. Zero Capability Flags: No references to dangerous capabilities like shell, exec, sudo, filesystem manipulation, or process.env access in metadata.
3. README Present: The repository must have a README with actual content. (Only 17.8% of servers have this).
4. Description Present: A non-empty description explaining what the server does.
5. Recently Committed: Last commit within the past 12 months. (93.6% pass this, as the ecosystem is young).
6. Community Validation: At least 5 GitHub stars. This filters out about half of all servers.
7. No Secret Env Vars Required: The base configuration must not require your API keys or credentials.

Servers that fail criteria 1 or 2 receive a 'C' or 'F' grade. The scan found 29 servers (0.1%) with critical injection patterns—these are active risks, not theoretical ones.

How to Vet and Install MCP Servers Safely, Right Now

1. Use Loaditout as Your MCP Directory

Stop installing servers directly from random GitHub links. Use Loaditout.ai as your search engine. You can filter specifically for A-graded servers. Their top 10 list by stars is a great starting point for trusted tools, including servers from anthropics/skills, langchain-ai/langchain, and microsoft/markitdown.

2. Install the skill-guard Plugin for Pre-Install Audits

The community is building tools to address this. The open-source skill-guard plugin performs a 9-layer security audit on a skill before you install it. It goes beyond simple pattern matching to include:

• Permission analysis
• LLM semantic analysis (catches prompt injection regex might miss)
• Data flow mapping
• Supply chain checks

While not yet a standard claude code plugin you can install via marketplace, it represents the direction the ecosystem must move: automated, local vetting.

3. Manually Apply the 7-Point Checklist

Before running claude code with a new server, spend two minutes checking:

• Visit the GitHub repo. Is there a README? Was it updated in the last year?
• Scan the README/description for obvious red flags: words like shell, exec, sudo, or any suspicious instructions.
• Check the stars. Fewer than 5 means zero community eyes on it.
• Read the configuration. Does it ask for your API keys in claude_desktop_config.json? If yes, understand it will have runtime access to them.

4. Manage Secrets with the blindfold Plugin

A related critical issue is secret management. By default, if Claude needs to use an API key, that value enters the context window and persists. The blindfold plugin solves this by storing secrets in your OS keychain (macOS Keychain, Linux secret-tool, Windows Credential Manager).

Install it via the plugin marketplace:

/claude plugin marketplace add thesaadmirza/blindfold
/claude plugin install blindfold

Once configured, you can store a token. Claude only sees a reference. When it needs to use the token in a command, it uses a wrapper:

secret-exec.sh 'curl -H "PRIVATE-TOKEN: {{GITLAB_TOKEN}}" https://gitlab.com/api/v4/user'

The wrapper injects the real value from your keychain and redacts it from all output Claude sees. Your secrets never enter the conversation context.

The Bottom Line: Change Your Workflow Today

The era of blindly npm install-ing MCP servers is over. The ecosystem is too large and too risky. Your new default workflow should be:

1. Search on Loaditout, filtered for A-graded servers.
2. Apply the 7-point checklist manually for any server not on Loaditout.
3. Use blindfold for any server that requires credentials.
4. Advocate for and use tools like skill-guard as they mature and integrate.

The 65% of servers in the 'B' grade are mostly under-documented but not inherently malicious. As authors add READMEs and gain stars, they'll graduate to 'A'. By preferring A-graded servers, you vote for a safer ecosystem with your installs.