We scanned 12 popular MCP servers. The most interesting finding was our own false positives.
Source: Dev.to
We built mcp-customs, a free, offline CLI that checks an MCP server for npm audit, but We pulled the current top MCP-related repos on GitHub by star count and
Server Stars Score Stamp
github/github-mcp-server 30.8k 97/100 CLEARED
BeehiveInnovations/pal-mcp-server 11.6k 0/100 FLAGGED*
firecrawl/firecrawl-mcp-server 6.6k 97/100 CLEARED
exa-labs/exa-mcp-server 4.6k 97/100 CLEARED
makenotion/notion-mcp-server 4.4k 29/100 FLAGGED
antvis/mcp-server-chart 4.2k 94/100 CLEARED
haris-musa/excel-mcp-server 3.9k 97/100 CLEARED
cloudflare/mcp-server-cloudflare 3.9k 0/100 FLAGGED
browserbase/mcp-server-browserbase 3.4k 22/100 FLAGGED
blazickjp/arxiv-mcp-server 2.9k 94/100 CLEARED
Jpisnice/shadcn-ui-mcp-server 2.8k 0/100 FLAGGED*
stickerdaniel/linkedin-mcp-server 2.4k 94/100 CLEARED
*see below — these two scores don’t mean what they look like they mean. Eleven of twelve servers had zero permission or scope declaration in Before publishing anything, we split every finding into “runtime code” subprocess.run(shell=True) in a pal-mcp-server scored 0/100 with 13 findings. Every single one was in tests/ or simulator_tests/ — fake API keys used to test a PII sanitizer, and a shell=True call in a test for a security-audit feature. Runtime-code findings: zero. shadcn-ui-mcp-server also scored 0/100. Two of its three findings were execSync() calls in a release-versioning script (scripts/bump-version.js) — not reachable by an agent, just a maintainer running npm version. We also caught our own bug mid-process: the scanner initially flagged a commented-out eval() call in notion-mcp-server as critical. It was inside a // comment. We fixed comment-stripping before re-running anything in this post — an earlier draft of this table would have been wrong. A heuristic scanner that can’t tell test code from runtime code, or a After filtering out test/dev noise, two real-code patterns remained that cloudflare/mcp-server-cloudflare, sandbox.container.app.ts: a file read and a file write both take a variable named reqPath directly into fs.readFile / fs.writeFile. We didn’t trace the full call path to confirm whether it’s constrained upstream — that’s a five-minute check for someone who knows the codebase, which is exactly the point of flagging it rather than asserting it. notion-mcp-server, src/init-server.ts: reads a spec file from a path resolved at startup. Lower stakes — looks like a local config path, not something an agent’s tool call controls — but same category. Everything else that scored a CLEARED or a high number had, at most, the Don’t read the scores in the table above as a safety ranking — read npx mcp-customs scan ./path-to-some-mcp-server
Fully offline, zero telemetry, free, Apache-2.0. The rules and the If you maintain one of the servers above and want help interpreting (or arguing with) a finding, open an issue. If you maintain a different MCP server and want to run this yourself before we do, that’s the whole point — we’d rather you find your own false positives than us find them for you in public.