I scanned my MCP setup and it scored 0/100. Here's what was wrong.

I've been adding MCP servers to Claude and Cursor for months — GitHub, a filesystem server, a couple...

domenica 28 giugno 2026 New tab

538 words~2 min read

I've been adding MCP servers to Claude and Cursor for months — GitHub, a filesystem server, a couple of search servers, a little internal HTTP one I wrote. It works great. Then two things bugged me:

Some of those servers have no authentication at all. Anyone who can reach the URL can call my tools.

My context window felt full before I even typed a prompt.

Turns out it's not just me. A 2026 analysis of ~7,000 public MCP servers found 41% require no auth, 36.7% are SSRF-vulnerable, and only 8.5% use OAuth. So I wrote a tiny tool to check my own config — and it scored 0 out of 100.

The tool

I scanned my MCP setup and it scored 0/100. Here's what was wrong.

I scanned my MCP setup and it scored 0/100. Here's what was wrong.

Related reading

I got nervous about installing MCP servers, so I built a scanner for them

Your MCP Server Is Probably Overprivileged - Here's a Scanner For It

I wrote a read-only scanner for MCP / agent-gateway production-readiness

We scanned 12 popular MCP servers. The most interesting finding was our own…

I audited 6,762 MCP servers. Here's the state of the ecosystem and the trust…

3 MCP servers I actually use daily (and how to set them up)

Related reading

I got nervous about installing MCP servers, so I built a scanner for them

Your MCP Server Is Probably Overprivileged - Here's a Scanner For It

I wrote a read-only scanner for MCP / agent-gateway production-readiness

We scanned 12 popular MCP servers. The most interesting finding was our own…

I audited 6,762 MCP servers. Here's the state of the ecosystem and the trust…

3 MCP servers I actually use daily (and how to set them up)