{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigglx3emnsc7yekrnmcrjqz3ob6aitlm2jtspwbpvuccbem43aiau",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mp5mpqtoykj2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreibbuhq6bcoduylmzm6dzvtcrzbrynsrjkp7y3smqtftmdg2cvunji"
},
"mimeType": "image/webp",
"size": 275390
},
"path": "/ad_0846/i-scanned-1200-mcp-configs-from-github-heres-what-i-found-45b3",
"publishedAt": "2026-06-25T22:25:41.000Z",
"site": "https://dev.to",
"tags": [
"security",
"ai",
"opensource",
"python",
"Pluto AgentGuard",
"OWASP Agentic AI",
"Context7",
"Chrome DevTools",
"Serena",
"Activepieces",
"mcp-chrome",
"LinkedIn"
],
"textContent": "_A deep-dive into the security posture of real-world AI agent deployments — and the open-source tool I built to fix it._\n\n## TL;DR\n\nI collected 1,200 real MCP (Model Context Protocol) configuration files from public GitHub repositories, scanned them with an open-source security tool I built, and found that:\n\n * **100% had security gaps**\n * **20.7% had CRITICAL or HIGH issues** (hardcoded secrets, unauthenticated endpoints, unrestricted shell execution)\n * **0 of 1,200** configured response limits or session caps\n * The 9 most popular MCP servers (240K+ combined stars) all had findings — 5 were CRITICAL\n\nThe tool is Pluto AgentGuard. It's free, runs locally, and takes about 3 minutes to scan 1,200 configs.\n\n## The Problem: We Secured LLM Outputs but Forgot About Agent Actions\n\nThe AI security conversation has focused heavily on what LLMs _say_ — hallucinations, jailbreaks, harmful content. Entire product categories exist for prompt filtering and output guardrails.\n\nBut the attack surface has shifted. Modern AI agents don't just generate text — they **do things**: browse the web, execute shell commands, query databases, push code, trigger CI/CD pipelines. The Model Context Protocol (MCP) is the dominant standard for connecting these capabilities to LLMs.\n\nHere's the disconnect: **nobody is auditing the configuration layer** that determines what agents can actually do. The MCP config file — usually `claude_desktop_config.json` or `.mcp.json` — is the security boundary between \"an AI assistant that helps me code\" and \"an AI assistant that can run arbitrary commands on my machine.\"\n\nI wanted to know: how secure are these configurations in the real world?\n\n## Methodology: How I Collected 1,200 Configs\n\n### Collection\n\nI used the GitHub Code Search API to find real MCP configuration files across public repositories. The search targeted:\n\n * `claude_desktop_config.json` files containing `mcpServers`\n * `.mcp.json` files with MCP server definitions\n * `mcp_config.json` and similar variants\n\n**Collection rules:**\n\n * Maximum 3 configs per repository (avoid bias from monorepos)\n * Deduplicated by SHA-256 content hash (identical configs counted once)\n * Only files that parsed as valid JSON with MCP server definitions\n * 7-second delay between API pages (GitHub rate limit: 10 requests/minute)\n\n**Result:** 1,200 valid configs from 1,159 unique repositories, collected June 25, 2026.\n\n### Scanning\n\nEach config was scanned using Pluto AgentGuard's `scan_mcp_config` function, which checks for:\n\n 1. **Dangerous server packages** — a curated database of 13+ MCP servers known to grant high-risk capabilities (shell execution, browser control, database write, source control write)\n 2. **Missing authentication** — remote MCP endpoints (`http://` or `https://` URLs) without auth headers or tokens\n 3. **Insecure transport** — HTTP instead of HTTPS for remote connections\n 4. **Hardcoded secrets** — 18+ regex patterns matching API keys, tokens, passwords, and private keys embedded in config values\n 5. **Context safety gaps** — missing response size limits (`max_tokens`, `max_response_length`) and session caps (`max_turns`, `session_timeout`)\n 6. **Human-in-the-loop (HITL) absence** — high-risk servers configured without approval gates\n\nEach finding is assigned a severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) and mapped to OWASP Agentic AI threat categories.\n\nThe entire scan ran **locally in ~3 minutes**. No API keys. No cloud. No LLM calls.\n\n## Results: The Numbers\n\n### Overall (1,200 configs)\n\nMetric | Value\n---|---\nTotal configs scanned | 1,200\nUnique repositories | 1,159\nTotal findings | **2,904**\n🔴 CRITICAL | 88 (3.0%)\n🟠 HIGH | 280 (9.6%)\n🟡 MEDIUM | 2,536 (87.3%)\nConfigs with CRITICAL or HIGH | **20.7%**\nConfigs with any finding | **100%**\n\nEvery single config had at least a MEDIUM finding. One in five had a CRITICAL or HIGH issue.\n\n### The Popular Servers (9 configs, 240K+ combined GitHub stars)\n\nI also separately scanned some of the highest-starred MCP servers to see how the _most popular, most copied_ configs look:\n\nServer | Stars | Max Severity | Key Finding\n---|---|---|---\nContext7 | 58K | 🔴 CRITICAL | No authentication on remote endpoint\nChrome DevTools MCP | 44K | 🔴 CRITICAL | Full Chrome DevTools Protocol access, no HITL\nSerena | 26K | 🔴 CRITICAL | Unrestricted shell execution, no HITL\nFastMCP | 26K | 🟡 MEDIUM | Context safety gaps\nActivepieces | 23K | 🔴 CRITICAL | No authentication on remote endpoint\nn8n MCP | 22K | 🟠 HIGH | Arbitrary code execution via workflows, no HITL\nGoogle MCP Toolbox | 16K | 🟠 HIGH | Unrestricted SQL (supports 20+ databases), no HITL\nFigma MCP | 15K | 🟡 MEDIUM | External content injection risk\nmcp-chrome | 12K | 🔴 CRITICAL | No auth + insecure HTTP transport\n\n**5 CRITICAL. 2 HIGH. 0 of 9 had response limits or session caps.**\n\nI've filed security issues on the CRITICAL repos: Context7, Chrome DevTools, Serena, Activepieces, mcp-chrome.\n\n## The 4 Most Common Risks (With Examples)\n\n### 1. Browser Control Without Approval (CRITICAL)\n\nChrome DevTools MCP (44K★) gives the agent full Chrome DevTools Protocol access. That includes:\n\n * Attach to existing Chrome sessions\n * Execute JavaScript in page context\n * Capture network response bodies (which may contain tokens or PII)\n * Read cookies and local storage\n * Intercept and modify requests\n\nWithout an approval gate, a prompt injection could instruct the agent to access session data from authenticated browser tabs.\n\n**Note:** Some clients like Claude Desktop prompt for approval before tool execution. However, the config itself doesn't enforce this — and not all MCP clients provide client-side HITL.\n\n### 2. Shell Execution Without Sandboxing (CRITICAL)\n\nSerena (26K★) provides shell execution capabilities to the agent. When enabled, the agent can run commands with the process user's permissions, which could include reading sensitive files, accessing credentials, or modifying the system.\n\nThe Serena team notes that the shell tool is disabled in most contexts and that Claude Desktop requires approval by default — a fair point. The risk surfaces when the config is used with clients that don't enforce HITL, or when users explicitly enable the shell tool without understanding the implications.\n\n### 3. Unauthenticated Remote Endpoints (CRITICAL)\n\nContext7 (58K★) and Activepieces (23K★) expose remote MCP endpoints over HTTPS with **no authentication**. Anyone who knows the URL can connect.\n\nThe typical config looks like:\n\n```json\n{\n  \"mcpServers\": {\n    \"context7\": {\n      \"url\": \"https://mcp.context7.com/mcp\"\n    }\n  }\n}\n```\n\nNo API key. No OAuth. No mTLS. A remote API endpoint without client authentication.\n\n### 4. Missing Response Limits (MEDIUM — but universal)\n\n**Zero of 1,200 configs** set `max_response_length` or `max_tokens` on their MCP servers. This enables **context stuffing attacks**: a malicious tool returns an oversized response that pushes the agent's system prompt and safety instructions out of the context window.\n\nThis is the lowest-effort fix imaginable — add two lines to your config — and nobody does it.\n\n## Why This Matters: The \"Left of Boom\" Gap\n\nThe current AI security stack looks like this:\n\n```text\n[Prompt Filters] → [LLM] → [Output Guardrails] → [Agent Actions]\n   ✅ covered                 ✅ covered          ❌ unmonitored\n```\n\nTeams invest in prompt injection detection and output filtering. But the **agent action layer** — what the LLM actually _does_ through MCP tools — is a blind spot. There's no \"firewall\" between the LLM's tool-use decision and the actual execution.\n\nThis is the \"left of boom\" problem. By the time a guardrail catches something, the agent may have already:\n\n * Executed a shell command\n * Queried a database\n * Triggered a CI/CD pipeline\n * Accessed authenticated sessions\n\nYou need to catch the risk **before** the agent gets access to these capabilities. That means auditing the configuration layer.\n\n## Introducing Pluto AgentGuard\n\nI built Pluto AgentGuard to fill this gap. It's a security launch gate for AI agents — you run it _before_ deploying, not after something breaks.\n\n### What it does (7 commands)\n\nCommand | What it does\n---|---\n`aguard scan` | Static analysis of MCP configs, secrets, permissions\n`aguard test` | Run 22 attack scenarios across 6 packs to test your policy's coverage\n`aguard whatif` | Simulate policy changes and see the risk delta _before_ applying\n`aguard owasp` | Map findings to 20 OWASP-inspired controls\n`aguard evidence` | Generate launch readiness evidence packets\n`aguard baseline` | Create baselines, detect configuration drift over time\n`aguard monitor` | Replay agent traces, detect unauthorized tool calls\n\n### Quick start\n\n```bash\npip install pluto-aguard\n\n# Scan your MCP config\naguard scan ./your-project/\n\n# Test your policy against attack scenarios\naguard test --policy ./policy.yaml --attack-pack all\n\n# See what happens if you add a new server\naguard whatif --config ./config.yaml\n\n# Map to OWASP controls\naguard owasp ./your-project/\n```\n\n### What makes it different\n\nMost MCP security tools do config scanning. AgentGuard adds three things I haven't seen elsewhere:\n\n 1. **Policy testing** (`aguard test`): Instead of \"does your config have issues?\", it asks \"does your _policy_ actually stop attacks?\" — 22 scenarios covering prompt injection, data exfiltration, privilege escalation, context manipulation, supply chain, and social engineering.\n\n 2. **What-if simulation** (`aguard whatif`): Before you add a new MCP server or change a policy rule, simulate the impact. See the risk score delta. Catch regressions before they ship.\n\n 3. **Evidence generation** (`aguard evidence`): Produces a structured evidence packet (scan results + test results + OWASP mapping + risk score) for security review sign-off. Useful for enterprise teams that need launch gates with artifacts.\n\n### CI/CD integration\n\nAgentGuard ships as a GitHub Action:\n\n```yaml\n- uses: arpitha-dhanapathi/pluto-aguard@v0.9.2\n  with:\n    scan-path: ./\n    fail-on: high   # Block PR if HIGH or CRITICAL found\n    format: sarif   # Upload to GitHub Security tab\n```\n\nIt also supports JSON, Markdown, HTML, and SARIF output formats.\n\n## What You Should Do Right Now\n\nIf you're using MCP servers in any AI agent setup, here's a 5-minute security checklist:\n\n### 1. Run a scan (30 seconds)\n\n```bash\npip install pluto-aguard\naguard scan ./your-project/\n```\n\n### 2. Add response limits (1 minute)\n\nAdd to every MCP server in your config:\n\n```json\n{\n  \"max_response_length\": 8000,\n  \"max_turns\": 20,\n  \"session_timeout\": 3600\n}\n```\n\n### 3. Add HITL for dangerous servers (2 minutes)\n\nIf you use Chrome DevTools, Playwright, Serena, filesystem, or any shell-capable server — enable human-in-the-loop approval. The exact mechanism depends on your client (Claude Desktop, Cursor, VS Code, etc.), but the principle is: **the agent should ask before executing destructive operations.**\n\n### 4. Authenticate remote endpoints (2 minutes)\n\nIf your MCP server is remote (HTTPS URL instead of stdio), add auth:\n\n```json\n{\n  \"mcpServers\": {\n    \"my-server\": {\n      \"url\": \"https://my-server.com/mcp\",\n      \"headers\": {\n        \"Authorization\": \"Bearer ${MCP_API_KEY}\"\n      }\n    }\n  }\n}\n```\n\n### 5. Add AgentGuard to your CI (bonus)\n\nBlock PRs that introduce MCP misconfigurations:\n\n```yaml\n- uses: arpitha-dhanapathi/pluto-aguard@v0.9.2\n  with:\n    scan-path: ./\n    fail-on: high\n```\n\n## The Bigger Picture\n\nMCP is 18 months old and already the de facto standard for agent-to-tool communication. The ecosystem is moving fast — 90K+ stars on awesome-mcp-servers, thousands of servers, and major platforms (Claude, Cursor, VS Code, Windsurf) supporting it natively.\n\nBut the security tooling hasn't kept pace. We're in the \"move fast and break things\" phase of agent infrastructure, and the configs people are shipping to production look like the web in 2005 — no auth, no limits, full trust.\n\nThe good news: the fixes are simple. Auth headers, response limits, HITL approval, and a scan in CI. None of this requires new technology — just applying existing security principles to a new surface.\n\nThe bad news: right now, almost nobody is doing it.\n\n**Let's fix that.**\n\n_Pluto AgentGuard is open-source (Apache 2.0), written in Python, and runs entirely locally. Star it on GitHub if this was useful._\n\n_Have questions or findings to share? Open an issue or find me on LinkedIn._",
"title": "I Scanned 1,200 MCP Configs From GitHub. Here's What I Found."
}