Security Research · June 2026

We scanned 2,535 public MCP repos. 22% are critical.

Permission bypasses that disable all confirmation gates across frameworks with hundreds of thousands of users. 72 repos where every Claude startup silently pulls the latest untrusted version. A CVSS 8.8 CVE in the official MCP reference server. And a skill file attack surface no existing scanner covers.

Responsible disclosure in progress. Named findings are being disclosed to affected maintainers before this post is finalized. Evidence redacted. Full reports available on request.

2,535 repos scanned · 579 critical · 22% critical rate · 8 artifact types · 120+ checkers
01 — Named findings

Disclosed, verified, and confirmed.

Every named finding below was manually reviewed before disclosure. Several initially flagged findings were removed after context review (worktree docs, user-configured webhooks, type definitions).

CHK-089 · 184k–21k★ · Permission bypass across 6 agent frameworks · artifact: runtime source files · CONFIRMED
CVE-2025-68143 · 85k★ · CVE-2025-68143 in the official Git MCP server · artifact: dependency · CVE
CHK-119 · 177k★ · Kiro steering file injection · artifact: .kiro/steering/ · HIGH
02 — Systemic pattern

Six frameworks. One missing disclosure.

--dangerously-skip-permissions exists for legitimate automation: it disables every tool-use confirmation prompt for the session, which is what an unattended CI job needs. The problem is when a framework passes it for all sessions, including interactive developer use, without a disclosure that users can read before installing.

session-runner.ts
  const session = await claude.run(task, {
    flags: ["--dangerously-skip-permissions"], // ← no user gate: bypass on every session
  });

The fix isn't removing the flag. It is documenting it prominently so users make an informed choice, making bypass opt-in rather than the default, and, where a framework only needs a few tools to run unprompted, using a per-tool allowlist instead of a global bypass.
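The opt-in shape described above, as an added example in TypeScript. It is not code from this page, from tanav, or from any of the six frameworks. The flag names `--dangerously-skip-permissions` and `--allowedTools` are Claude Code's; the `SessionContext` fields, the `MY_FRAMEWORK_SKIP_PERMISSIONS` environment variable and the decision policy itself (never default, explicit opt-in, refused when a human is at the terminal) are assumptions for illustration.

```typescript
// Added example (not the page's or any framework's code): decide per session whether
// Claude Code may be launched with --dangerously-skip-permissions.
// Assumed policy: the bypass is never the default, needs an explicit opt-in, and is
// refused in interactive sessions even when opted in. The context fields and the
// env var name MY_FRAMEWORK_SKIP_PERMISSIONS are illustrative.

interface SessionContext {
  optIn: boolean;            // documented config key, e.g. skipPermissions: true (assumed)
  envOptIn?: string;         // value of process.env.MY_FRAMEWORK_SKIP_PERMISSIONS (assumed name)
  stdinIsTTY: boolean;       // process.stdin.isTTY: true means a human is driving the session
  allowedTools?: string[];   // tools that may run unprompted, instead of a global bypass
}

interface FlagDecision {
  flags: string[];
  bypass: boolean;
  reason: string;            // surface this in logs and in the install docs
}

const BYPASS_FLAG = "--dangerously-skip-permissions";

function resolveSessionFlags(ctx: SessionContext): FlagDecision {
  const requested = ctx.optIn || ctx.envOptIn === "1";

  if (!requested) {
    // Default: keep every confirmation gate. If the caller named the tools it
    // actually needs, pass an allowlist; prompts stay on for everything else.
    const flags = ctx.allowedTools && ctx.allowedTools.length > 0
      ? ["--allowedTools", ctx.allowedTools.join(",")]
      : [];
    return { flags, bypass: false, reason: "no opt-in: confirmation gates kept" };
  }

  if (ctx.stdinIsTTY) {
    // Fail closed: a developer typing at a terminal must not silently lose the
    // gates, even if a config file or env var asked for the bypass.
    return {
      flags: [],
      bypass: false,
      reason: "opt-in ignored: interactive session (stdin is a TTY)",
    };
  }

  return {
    flags: [BYPASS_FLAG],
    bypass: true,
    reason: "opt-in honoured: unattended session, all tool confirmations disabled",
  };
}

// Constructed call: in a real runner, envOptIn comes from process.env and
// stdinIsTTY from process.stdin.isTTY; the flags are then passed to the CLI.
const decision = resolveSessionFlags({
  optIn: false,
  envOptIn: undefined,
  stdinIsTTY: true,
  allowedTools: ["Read", "Grep"],
});
console.log(decision.reason, decision.flags);
```

The point of the `reason` string is the disclosure the post asks for: whatever the runner decides is written where the user can see it, and the bypass only ever appears when both the opt-in and the unattended context hold.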

03 — Silent rug pull

72 repos. Every Claude startup pulls the latest untrusted version.

CHK-144 detects .mcp.json configs that invoke MCP servers via npx without a version pin. Because npx resolves an unpinned package to whatever the registry currently calls latest, a malicious or compromised release is picked up the next time Claude starts. No developer action is required beyond continued use.

.mcp.json (the relevant server entry; surrounding keys omitted)
  "command": "npx",
  "args": ["-y", "@upstash/context7-mcp"]   ← no version pin · 1.06M dl/wk

Fix: "@upstash/context7-mcp@1.0.2". Pinning to an exact version removes the silent-upgrade vector: the same code runs on every launch until a human changes the pin. Use an exact version, not a range ("^1.0.2") or a dist-tag ("@latest"); npx re-resolves those at each launch just as it does an unpinned name. A pin does not vouch for the pinned version itself, so review it, and where reproducibility matters prefer installing the server as a dependency with a lockfile (integrity hashes) over an ephemeral npx fetch.
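An added example, in TypeScript, of the detection behind this finding. It is not tanav's CHK-144 and not any project's code; the `.mcp.json` below is constructed, and the treatment of `bunx` and `pnpm dlx` as equivalent to `npx` is an assumption. It goes slightly beyond the text by also flagging ranges and dist-tags, and by honouring `--package=<spec>`, where the package actually installed is not the first positional argument.

```typescript
// Added example: find MCP servers launched through npx without an exact version pin.
// Not tanav's CHK-144 and not any project's code. The sample .mcp.json is constructed.

interface McpServer { command?: string; args?: string[] }
interface McpConfig { mcpServers?: Record<string, McpServer> }
interface Finding { server: string; spec: string; problem: string }

// Runners that download and execute a package on each launch.
// bunx and "pnpm dlx" are assumed to behave like npx for this purpose.
const EPHEMERAL_RUNNERS = new Set(["npx", "bunx", "pnpm"]);

// Exact semver pin: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
// Ranges (^ ~ x >=) and dist-tags (latest, next) do not match.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@version". A leading "@" belongs to the scope (@upstash/...), not to a version.
function splitSpec(spec: string): { name: string; version?: string } {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1
    ? { name: spec }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Why a spec is unsafe, or null when it is an exact pin.
function classifySpec(spec: string): string | null {
  const { version } = splitSpec(spec);
  if (version === undefined) return "no version pin: resolves to the registry's latest on every launch";
  if (EXACT_VERSION.test(version)) return null;
  return `"${version}" is a range or dist-tag, re-resolved on every launch`;
}

// The package the runner will install: honour --package=<spec> / -p <spec>, skip
// flags (-y, --yes, ...), skip pnpm's "dlx" subcommand, else take the first positional.
function packageSpecFromArgs(args: string[]): string | undefined {
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (a.startsWith("--package=")) return a.slice("--package=".length);
    if (a === "--package" || a === "-p") return args[i + 1];
    if (a === "dlx" || a.startsWith("-")) continue;
    return a;
  }
  return undefined;
}

function checkUnpinnedRunners(config: McpConfig): Finding[] {
  const findings: Finding[] = [];
  for (const [server, def] of Object.entries(config.mcpServers ?? {})) {
    const args = def.args ?? [];
    if (!def.command || !EPHEMERAL_RUNNERS.has(def.command)) continue;
    if (def.command === "pnpm" && args[0] !== "dlx") continue; // plain "pnpm run" is not ephemeral
    const spec = packageSpecFromArgs(args);
    if (spec === undefined) continue;
    const problem = classifySpec(spec);
    if (problem !== null) findings.push({ server, spec, problem });
  }
  return findings;
}

function scanMcpJson(text: string): Finding[] {
  return checkUnpinnedRunners(JSON.parse(text) as McpConfig);
}

// Constructed sample covering the shapes a scanner must tell apart.
const SAMPLE_MCP_JSON = JSON.stringify({
  mcpServers: {
    context7:   { command: "npx",  args: ["-y", "@upstash/context7-mcp"] },                // unpinned
    pinned:     { command: "npx",  args: ["-y", "@upstash/context7-mcp@1.0.2"] },          // exact pin: clean
    tagged:     { command: "npx",  args: ["-y", "some-mcp@latest"] },                      // dist-tag
    viaPackage: { command: "npx",  args: ["-y", "--package=@scope/tool@^2.0.0", "tool"] }, // range
    dlx:        { command: "pnpm", args: ["dlx", "other-mcp"] },                           // unpinned via pnpm dlx
    local:      { command: "node", args: ["./dist/server.js"] },                           // not an ephemeral runner
  },
});

for (const f of scanMcpJson(SAMPLE_MCP_JSON)) {
  console.log(`${f.server}: ${f.spec}: ${f.problem}`);
}
```

On the sample, four of the six entries are reported (`context7`, `tagged`, `viaPackage`, `dlx`) and the exactly pinned and locally installed ones are not. The scope-aware split matters: a naive `split("@")` would read `@upstash/context7-mcp` as an empty name with version `upstash/context7-mcp` and miss the finding the post is about.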

04 — Scope

Eight artifact types. The full attack surface.

type      artifact                   count
server    MCP server packages        1,200+
skill     SKILL.md files               250+
kiro      .kiro/steering/ specs          97
hook      Claude hooks configs          193
cursor    Cursor rules files            129
copilot   Copilot instructions           67
agent     Agent configurations         180+
plugin    Plugin manifests             120+

No other public scanner currently covers all eight simultaneously.

05 — Methodology

Deterministic. Auditable. FP-controlled.

Scoring      Deterministic 0–100. CRITICAL floor = 80. Every point traces to a checker ID.
Detection    120+ hand-written rules. ADR-010: no AI-generated security logic.
FP control   Each checker documented with true/false positives. Sampled and audited before citing.
Disclosure   Every named finding manually reviewed for context. Several removed after review.

Threat-class mapping
  Permission bypass (dangerously-skip)  →  MCP-T07: Privilege Escalation
  Unpinned npx version                  →  MCP-T09: Supply Chain
  CVE in dependency                     →  MCP-T09: Supply Chain
  Kiro steering injection               →  MCP-T03: Tool Poisoning

Scan your deployment

Free. No account required. Any public GitHub repo or local config.

$ uvx tanav scan --repo https://github.com/your-org/your-repo