The State of MCP

The population is inflated by an order of magnitude

The counts everyone repeats are marketing. Across four registries we find 38,157 distinct servers advertised. The official MCP registry lists 10,997, plus 1,909 remote-only hosted servers with no public repo. We deep-scanned 2,468 firsthand and found roughly ~1,200 that are genuinely evaluable: maintained, documented, and not an abandoned experiment.

That is a 10 to 15x gap between what is advertised and what is real. One catalogue auto-indexes roughly 31,700 repos, anything vaguely MCP-shaped, and reports tens of thousands. The maintained core is a fraction of that. "10,000-plus MCP servers" is true only if you count the experiments no one has touched in six months.

The gap between advertised and evaluable is not a footnote. It is the finding.

Adoption is brutally concentrated

Listings count what exists; downloads count what people run. Across 3,706 tracked npm packages we see 48.5M monthly downloads, but the distribution is top-heavy to the point of distortion.

A handful of vendor-backed servers carry most of the volume; thousands of community servers see almost none. "The ecosystem" people actually depend on is small, and largely built by a few companies. Counts include CI, mirrors, and bots, so read them as an upper bound; the npm pass is complete, the PyPI pass is pending.

More than a third of the most-used servers ship a risky pattern

We ran a static, read-only read of the source for the 500 most-used active servers. We never connect to, run, install, or probe a server. We look for security-relevant patterns in code that is already public.

SSRF surface is the dominant risk: an agent tool that builds an outbound request from a model-supplied argument with no allow-list, the canonical way an agent gets steered at an internal endpoint. Command injection (3.6%) and arbitrary code execution (3.2%) are rarer but more direct. By surface tier: 15 High, 164 Elevated, 320 Low.

What this is not: confirmed vulnerabilities, exploit proof, or anything run against a live server. The heuristics favour precision over recall, so every figure is a lower bound. Per-repo findings are held for coordinated disclosure to maintainers, not named here. "High surface" means the code does risky things in risky ways and deserves a closer look, never that a server is compromised.

This is the honest version of the SSRF percentages that circulate unsourced: measured firsthand, from the code, with the method published.

What it means

• For builders. The registry count is noise. Filter to the maintained, evaluable core, read the source, and do not wire a payment credential or filesystem access into a server you have not looked at.
• For the ecosystem. Registries rank by recency and stars, not quality or safety. The missing signal is exactly what a scored, security-aware registry would provide.
• For the agentic web. The protocol shipped fast; the safety layer did not. Mandates, budgets, provenance, and identity are absent by default. That gap is why Major Labs builds them.

Methodology & honest caveats

• Four sources, deduped. The official MCP registry, Glama, Smithery, and our firsthand GitHub deep-scan, deduplicated by repository. Population is a lower bound; search-driven discovery misses untagged repos.
• Read-only throughout. Every pass, including the security sweep, reads public source and metadata via APIs. No MCP server is connected to, run, or probed.
• Security is static and heuristic. Pattern analysis of source for the 500 most-used active servers, tuned for precision. Signals of attack surface, not confirmed vulnerabilities.
• Downloads are partial. npm and PyPI APIs; coverage disclosed, counts include automated traffic.
• The series cannot be backfilled. A longitudinal record can only be built going forward, which is why we never miss a week.