Show HN: I scanned 87 MCP servers for agent-authority hygiene – leaderboard
capframe.ai has published a security leaderboard for MCP servers, grading 87 published servers using a deterministic rule engine with a score out of 100. Each Critical finding deducts 10 points, High 4, Medium 2, Low 1. The leaderboard shows top servers scoring 100 (e.g., magicnpm, Cloudflare MCP, Elasticsearch MCP), while also revealing medium and high severity issues like unconstrained string inputs and missing side-effect declarations.
§ leaderboardcapframe.leaderboard.v1
The MCP security leaderboard.
Every published MCP server, graded against the deterministic capframe rule engine. Score 100 is a clean surface; every Critical finding takes 10 points. High 4, Medium 2, Low 1. No black boxes — the formula is public, the rules are open-source.
Servers scanned
89
Generated
2026-06-26
Scanner
mcp-recon v0.2.0
Schema
findings.v2
§ biggest movers →diff vs. previous scan
Sort
SourceTier
89 of 89 servers
#ServerScoreToolsFindingsSourceLast scan
01
magicnpm:@21st-dev/[email protected]
A1001— clean —registry2026-06-2602
mcp-server-cloudflarenpm:@cloudflare/[email protected]
A1001— clean —registry2026-06-2603
mcp-servernpm:@e2b/[email protected]
A1001— clean —registry2026-06-2604
mcp-server-elasticsearchnpm:@elastic/[email protected]
A1004— clean —registry2026-06-2605
playwright-mcp-servernpm:@executeautomation/[email protected]
A1001— clean —registry2026-06-2606
server-calendar-autoauth-mcpnpm:@gongrzhe/[email protected]
A1001— clean —registry2026-06-2607
mcp-fetchnpm:@kazuph/[email protected]
A1001— clean —registry2026-06-2608
server-aws-kb-retrievalnpm:@modelcontextprotocol/[email protected]
A1001— clean —registry2026-06-2609
server-gdrivenpm:@modelcontextprotocol/[email protected]
A1002— clean —registry2026-06-2610
server-google-mapsnpm:@modelcontextprotocol/[email protected]
A1007— clean —registry2026-06-2611
notion-mcp-servernpm:@notionhq/[email protected]
A1001— clean —registry2026-06-2612
mcpnpm:@stripe/[email protected]
A1001— clean —registry2026-06-2613
exa-mcp-servernpm:[email protected]
A1003— clean —registry2026-06-2614
linear-mcpnpm:[email protected]
A1001— clean —registry2026-06-2615
mcp-server-kubernetesnpm:[email protected]
A1001— clean —registry2026-06-2616
perplexity-mcpnpm:[email protected]
A1001— clean —registry2026-06-2617
mcp-atlassianpypi:[email protected]
A1000— clean —sandbox2026-06-2618
mcp-azure-devopspypi:[email protected]
A1001— clean —registry2026-06-2619
mcp-llms-txtpypi:[email protected]
A1001— clean —registry2026-06-2620
mcp-server-bigquerypypi:[email protected]
A1003— clean —registry2026-06-2621
mcp-server-dockerpypi:[email protected]
A1001— clean —registry2026-06-2622
mcp-server-jirapypi:[email protected]
A1001— clean —registry2026-06-2623
mcp-server-kubernetespypi:[email protected]
A1001— clean —registry2026-06-2624
mcp-server-postgrespypi:[email protected]
A1001— clean —registry2026-06-2625
Find-A-Domain MCP▸ details▾ hidehttps://api.findadomain.dev/mcp
A982
1M
http2026-06-26
medium
Tool check_domain accepts unconstrained string input· check_domainunconstrained input
The following string parameter(s) have no maxLength constraint: name, tld. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
26
Astro Docs MCP▸ details▾ hidehttps://mcp.docs.astro.build/mcp
A981
1M
http2026-06-26
medium
Tool search_astro_docs accepts unconstrained string input· search_astro_docsunconstrained input
The following string parameter(s) have no maxLength constraint: query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
27
Exa Search MCP▸ details▾ hidehttps://mcp.exa.ai/mcp
A982
1M
http2026-06-26
medium
Tool web_search_exa accepts unconstrained string input· web_search_exaunconstrained input
The following string parameter(s) have no maxLength constraint: query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
28
grep.app MCP▸ details▾ hidehttps://mcp.grep.app
A981
1M
http2026-06-26
medium
Tool searchGitHub accepts unconstrained string input· searchGitHubunconstrained input
The following string parameter(s) have no maxLength constraint: path, query, repo. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
29
Remote MCP Directory▸ details▾ hidehttps://mcp.remote-mcp.com
A981
1M
http2026-06-26
medium
Tool ListRemoteMCPServers accepts unconstrained string input· ListRemoteMCPServersunconstrained input
The following string parameter(s) have no maxLength constraint: query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
30
server-postgres▸ details▾ hidenpm:@modelcontextprotocol/[email protected]
A981
1M
sandbox2026-06-26
medium
Tool query accepts unconstrained string input· queryunconstrained input
The following string parameter(s) have no maxLength constraint: sql. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
31
server-sequential-thinking▸ details▾ hidenpm:@modelcontextprotocol/[email protected]
A981
1M
sandbox2026-06-26
medium
Tool sequentialthinking accepts unconstrained string input· sequentialthinkingunconstrained input
The following string parameter(s) have no maxLength constraint: branchId, thought. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
32
Figma (Framelink) MCP▸ details▾ hidenpm:[email protected]
A982
1M
sandbox2026-06-26
medium
Tool download_figma_images accepts unconstrained string input· download_figma_imagesunconstrained input
The following string parameter(s) have no maxLength constraint: localPath. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
33
Cloudflare Docs MCP▸ details▾ hidehttps://docs.mcp.cloudflare.com/mcp
A962
2M
http2026-06-26
medium
Tool search_cloudflare_documentation accepts unconstrained string input· search_cloudflare_documentationunconstrained input
The following string parameter(s) have no maxLength constraint: query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
medium
Tool search_cloudflare_documentation description mentions money but no money side-effect is declared· search_cloudflare_documentationexcessive agency
Description: "Search the Cloudflare documentation.
This tool should be used to answer any question about Cloudflare products or features, including:
- Workers, Pages, R2, Images, Stream, D1, Durable Objects, KV, Workflows, Hyperdrive, Queues
- AI Search, Workers AI, Vectorize, AI Gateway, Browser Rendering
- Zero Trust, Access, Tunnel, Gateway, Browser Isolation, WARP, DDOS, Magic Transit, Magic WAN
- CDN, Cache, DNS, Zaraz, Argo, Rulesets, Terraform, Account and Billing
Results are returned as semantically similar chunks to the query.
" -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include money. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.
fix: Add money to the tool's side_effects declaration, or rewrite the description to clarify that no actual money moves.
Open full report→
34
Context7 MCP▸ details▾ hidehttps://mcp.context7.com/mcp
A962
2M
http2026-06-26
medium
Tool resolve-library-id accepts unconstrained string input· resolve-library-idunconstrained input
The following string parameter(s) have no maxLength constraint: libraryName, query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
medium
Tool query-docs accepts unconstrained string input· query-docsunconstrained input
The following string parameter(s) have no maxLength constraint: libraryId, query. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
35
DeepWiki MCP▸ details▾ hidehttps://mcp.deepwiki.com/mcp
A963
2M
http2026-06-26
medium
Tool read_wiki_structure accepts unconstrained string input· read_wiki_structureunconstrained input
The following string parameter(s) have no maxLength constraint: repoName. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
medium
Tool read_wiki_contents accepts unconstrained string input· read_wiki_contentsunconstrained input
The following string parameter(s) have no maxLength constraint: repoName. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a maxLength to each string property, or constrain with an enum or pattern. Most legitimate tool inputs fit under a few hundred bytes.
Open full report→
36
OpenZeppelin Stellar Contracts MCP▸ details▾ hidehttps://mcp.openzeppelin.com/contracts/stellar/mcp
A963
1H
http2026-06-26
high
Tool stellar-non-fungible accepts an unconstrained URL / endpoint parameter· stellar-non-fungiblessrf surface
The parameter(s) tokenUri look like URL or endpoint inputs but carry no pattern or enum constraint. An agent tricked by an indirect-injection payload can invoke this tool with an internal-service URL (e.g. http://169.254.169.254/) to exfiltrate cloud metadata, probe internal APIs, or pivot to services the host can reach but the caller cannot.
fix: Constrain the URL parameter with an allow-list enum, or a pattern that restricts scheme and domain. Validate server-side against an allow-list and reject private / loopback / link-local address ranges at the HTTP client level.
Open full report→
37
Context Awesome MCP▸ details▾ hidehttps://www.context-awesome.com/api/mcp
A962
2M
http2026-06-26
medium
Tool find_awesome_section accepts unconstrained string input· find_awesome_sectionunconstrained input
The following string parameter(s) have no maxLength constr
[truncated for AI cost control]