SameDayDesk · Report · June 2026
The Model Context Protocol ecosystem is exploding, and so are the warnings — 71 malicious "skills" found in the wild, ~26% of published skills carrying vulnerabilities, 30+ MCP CVEs in a single 60-day stretch. So I pointed a static scanner at the servers listed in the official MCP registry. The headline is reassuring; the nuance is where the lesson is.
Of the 18 servers whose repositories I could actually clone and scan, none showed clear malware — no whole-environment exfiltration to suspicious hosts, no obfuscated eval(atob(...)) payloads, no committed binaries, no hardcoded credentials. Fifteen were clean; three drew review-level flags. That's a better picture than the breathless headlines suggest for the curated registry specifically.
The three "review" flags were exactly the patterns that are indistinguishable from benign by a static check:
- Remote installer piped to a shell (curl … | bash) — used by malicious payloads and by official installers like Nextflow and Ollama. The host matters, not the pattern.
- npm lifecycle scripts (postinstall) — legitimate for native builds, but they run code the moment you npm install.

This is the core lesson of supply-chain scanning: the dangerous and the routine share a shape. A scanner can surface candidates in seconds, but separating a real threat from benign dual-use is human judgment.
Nearly half the listed entries I sampled — 15 of 33 — pointed to repositories that couldn't be cloned (private, moved, or removed). That's not a security verdict, but it's a freshness signal worth knowing: a registry listing is not a guarantee the code is still there, let alone unchanged since it was reviewed. The "mutable tool" / rug-pull problem is real, which is why a one-time scan isn't enough.
To vet a server by hand: read the install/lifecycle scripts; trace where secrets and process.env go; look for obfuscation and committed binaries; read SKILL.md and tool descriptions as instructions to the model, not as documentation. Or run a scanner that checks all of it in seconds — and re-checks on every upstream release, because clean-today isn't clean-forever.
npx -y github:epistemedeus/skillguard https://github.com/owner/repo
SkillGuard statically scans a Claude Code skill, plugin, or MCP server for these exact patterns, and never executes the code it inspects. Free CLI + MCP server + CI Action. Pull in third-party servers regularly? A $29 human audit separates real threats from benign dual-use, or $12/mo Watch mode re-scans on every release.
Method: 33 servers from the official MCP registry; for each, a shallow git clone (no install, no execution) followed by static pattern analysis. 15 repositories were unreachable at scan time and excluded from the verdict counts. Static heuristics surface candidates and can miss a novel, determined attack — treat this as a first pass, not a clearance. Run your own: SkillGuard · vetting guide: how to vet a skill or MCP server.