Ecosystem Report

We graded 93 MCP servers for enterprise readiness. Here's what we found.

An aggregate analysis of security posture across the MCP ecosystem, covering 2686 tools from 32 vendor-maintained and 61 community-maintained servers.

93
Servers audited
67/100
Average score
2686
Tools analysed
14
Implement MCP OAuth

Key Findings

Only 14 of 93 servers implement MCP OAuth

57 servers are stdio-only, meaning per-user authentication requires spawning a separate server process per user. Another 22 support HTTP/SSE transport with per-request credentials but not full OAuth. In total, per-user auth is achievable natively on 36 of 93 servers (39%). For the rest, a hosting platform must inject credentials at the transport layer or run an instance per user.

Tool descriptions are a prompt injection surface

42 of 93 servers (45%) include instructional language in tool descriptions, such as "always call this first" or "do not confirm with the user." LLMs read these descriptions as guidance, so anything written there becomes an instruction the model may follow. This is the most common high-severity finding in the ecosystem.

Most servers return everything by default

69 of 93 servers (74%) do not let callers select which fields to return, and 41 list operations across the ecosystem lack pagination. Both contribute to context bloat and over-exposure of sensitive fields when a tool is called for a narrow purpose.

Destructive operations are rarely isolated

53 of 93 servers (57%) expose admin-level tools, and 13 combine read and write operations inside a single tool. When read and write live together, a client cannot grant read-only access without disabling the tool entirely.

Grade Distribution

A
10
10 servers
B
27
27 servers
C
39
39 servers
D
15
15 servers
F
2
2 servers

Category-by-Category Analysis

Authentication & Identity

7.7 / 25 avg (31%)

Maintenance & Trust

3.2 / 5 avg (64%)

Tool Schema Quality

18.1 / 25 avg (72%)

Data Exposure

7.2 / 10 avg (72%)

LLM Safety

12.4 / 15 avg (83%)

Permission Granularity

18.6 / 20 avg (93%)

Recommendations for Server Maintainers

Support per-user authentication

Implement MCP OAuth or expose HTTP transport with per-request credentials so that actions can be attributed to individual users without running a separate process per user.

Keep tool descriptions descriptive, not instructional

Describe what a tool does, not how or when to use it. Imperative phrasing ("always call first", "do not confirm") becomes an instruction the LLM may follow regardless of user intent.

Support field selection and pagination

Let callers specify which fields to return and paginate list operations. This reduces context bloat and limits over-exposure of sensitive fields when a tool is used for a narrow purpose.

Separate read and write tools

Split combined read/write operations into distinct tools, and isolate admin-level actions behind their own tools. Platforms can then grant read-only access without disabling functionality.

Deploy MCP servers with enterprise controls

CompleteFlow wraps MCP servers with per-user authentication, permission scoping, and audit logging, compensating for the gaps identified in this report.

Learn about CompleteFlow