We scanned 2,535 public MCP repos. 22% are critical.
Permission bypasses that disable all confirmation gates across frameworks with hundreds of thousands of users. 72 repos where every Claude startup silently pulls the latest untrusted version. A CVSS 8.8 CVE in the official MCP reference server. And a skill file attack surface no existing scanner covers.
Responsible disclosure in progress. Named findings are being disclosed to affected maintainers before this post is finalized. Evidence redacted. Full reports available on request.
Disclosed, verified, and confirmed.
Every named finding below was manually reviewed before disclosure. Several initially flagged findings were removed after context review (worktree docs, user-configured webhooks, type definitions).
Six frameworks. One missing disclosure.
--dangerously-skip-permissions exists for legitimate automation. The problem is when it becomes the default for all sessions, including interactive developer use — without a disclosure that users can read before installing.
The fix isn't removing the flag — it's documenting it prominently so users make an informed choice, and making bypass opt-in rather than default where possible.
72 repos. Every Claude startup pulls the latest untrusted version.
CHK-144 detects .mcp.json configs that invoke MCP servers via npx without a version pin. Exploitation requires no developer action beyond continued use: each startup runs whatever version the registry currently serves.
Fix: "@upstash/context7-mcp@1.0.2" — one character change eliminates the vector.
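A minimal form of the CHK-144 check, added here as an example (not the scanner's own code): it parses a constructed .mcp.json, finds servers launched with npx, and flags package specs with no version or with a floating tag or range. The mcpServers/command/args layout and the exact-semver rule for "pinned" are assumptions.

```python
import json
import re

# Constructed sample in the shape of a Claude Code .mcp.json (not from any
# scanned repo): one unpinned npx server, one pinned, one floating tag, one local.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "context7": {"command": "npx", "args": ["-y", "@upstash/context7-mcp"]},
    "context7-pinned": {"command": "npx", "args": ["-y", "@upstash/context7-mcp@1.0.2"]},
    "floating-tag": {"command": "npx", "args": ["-y", "some-mcp-server@latest"]},
    "local": {"command": "node", "args": ["./build/index.js"]}
  }
}
"""

# Only an exact semver (optionally with prerelease/build suffix) counts as pinned;
# tags such as "latest" and ranges such as "^1.0.0" still float (assumed rule).
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

def split_spec(spec):
    """Split an npm spec into (name, version or None). Scoped names start with
    '@', so only an '@' after index 0 separates the version."""
    at = spec.rfind("@")
    if at <= 0:
        return spec, None
    return spec[:at], spec[at + 1:]

def package_from_args(args):
    """The first npx argument that is not a flag (e.g. -y) is the package spec."""
    return next((a for a in args if not a.startswith("-")), None)

def find_unpinned_npx(config_text):
    """Return [(server, package, reason)] for npx-launched servers that float."""
    findings = []
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        if server.get("command") != "npx":
            continue
        spec = package_from_args(server.get("args", []))
        if spec is None:
            continue
        pkg, version = split_spec(spec)
        if version is None:
            findings.append((name, pkg, "no version pin"))
        elif not EXACT_VERSION.match(version):
            findings.append((name, pkg, f"floating spec '{version}'"))
    return findings
```

Running find_unpinned_npx(SAMPLE_MCP_JSON) reports the unpinned context7 entry and the @latest tag, and stays silent on the pinned and local servers.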
Eight artifact types. The full attack surface.
No other public scanner currently covers all eight simultaneously.
Deterministic. Auditable. FP-controlled.
Scan your deployment
Free. No account required. Any public GitHub repo or local config.