March 18. April 14. 56 community MCP servers — the tools your AI agent calls to browse the web, query databases, manage files, and execute code. 100% have vulnerabilities. 89% have critical issues. 5,252 critical findings. Command injection in browser-controlling agents. 30 command injection findings in Google's gemini-cli. The ecosystem is growing faster than anyone is securing it.
March 18 (32 repos) → April 14 (56 repos, v1.5.9)
A single scan is a snapshot. It tells you the state of the ecosystem at one moment, but it says nothing about trajectory — whether maintainers are paying attention, whether the ecosystem is maturing, whether warnings reach the people building these servers.
We ran the first scan on March 18 across 32 community MCP servers — repos tagged mcp-server, built on the @modelcontextprotocol/sdk, sorted by stars. We ran the second scan on April 14 against an expanded list of 56 repos, using CodeSlick CLI v1.5.9 — a release that fixed three false positive classes in the JavaScript and TypeScript analyzers (command injection, SQL injection, and SSRF pattern matching). Same methodology: codeslick-cli scan --all, 306 checks across JavaScript, TypeScript, and Python, including CodeSlick's 12 MCP-specific checks for tool poisoning, prompt injection vectors, and unauthorized capability exposure.
These are not test repos. They are the servers people install in Claude Code, Cursor, and Copilot to give their AI agent access to real systems.
Each scan queries GitHub for the top community MCP server repos by stars at that point in time. The two samples overlap significantly but are not identical — repos move in and out of the top results as new projects gain traction. The April 14 sample expanded from 32 to 56 repos as the ecosystem grew. Repos present in only one scan are excluded from trend analysis.
Repos that had zero or few critical findings in March now have new critical vulnerabilities — introduced in the 26 days between scans. Active development without security feedback is creating new attack surface faster than anyone is closing it.
Serena is a software engineering agent — it reads your codebase, understands its structure, and executes tasks across files and symbols. The April 14 scan found 35 critical findings: 8 SQL injection, 7 command injection (CVSS 9.8), 14 known-malicious packages, and 2 insecure deserialization findings. An AI agent with access to your codebase and shell that has command injection in its own server is the definition of a privilege escalation path.
[CRITICAL 9.8] Command Injection vulnerability detected — oraios/serena
[CRITICAL 9.8] SQL Injection with string interpolation detected — oraios/serena
TrendRadar is an AI-driven public opinion monitor with MCP support for natural language analysis. The April 14 scan found 9 critical findings — including 1 command injection (CVSS 9.8), 1 eval() usage (CVSS 9.3), and 2 known-malicious packages. At 51k stars it is one of the most-starred repos in this scan.
Both repos give AI agents control over a browser — clicking, navigating, extracting content. Both carry confirmed command injection via exec() with user-controlled input. These findings existed in March and still exist in April. A prompt injection attack that reaches a browser-controlling agent can execute arbitrary shell commands on the host machine.
The most common critical finding across the 56-repo scan is a known-malicious or known-vulnerable package shipped as a dependency. Most of these are deprecated packages that carry open CVEs and have not been replaced. MCP servers that depend on abandoned packages inherit their vulnerabilities without any indication in the server's own code. Running codeslick scan --all catches these because the dependency scanner runs alongside the static analyzer.
MCP servers that execute shell commands, run scripts, or invoke system utilities are especially dangerous when they pass unsanitized input to exec(), subprocess.Popen, or similar. When an AI agent calls a tool and the tool's argument flows directly into a shell command, an attacker who can influence the agent's tool calls — through prompt injection in a webpage the agent visits, for example — can execute arbitrary commands on the server. Multiple repos across the scan carry this pattern. Three are browser agents.
google-gemini/gemini-cli — Google's open-source AI terminal agent, the closest analogue to Claude Code — carries 30 command injection findings (CVSS 9.8), plus 3 deserialization vulnerabilities and 2 hardcoded credentials. At 101k stars it is the most-starred repo in this scan. The same class of vulnerability exists in user-built MCP servers, but finding it in a flagship AI CLI from Google illustrates how broadly these patterns appear when development velocity outpaces security review.
Among repos present in both scans, the majority showed no meaningful change. Critical findings persisted unchanged. This is not a sign that the repos are fine; it is a sign that nobody looked. Most of these repos have no security scanning in their CI pipeline, no automated dependency auditing, and no process for acting on vulnerability reports.
This is the MCP ecosystem's structural problem. The SDK makes it easy to build a server in an afternoon. It says nothing about how to secure one. The result is a growing collection of tools with production adoption and no security feedback loop.
Both scans used codeslick-cli scan --all against a shallow clone of each repo's default branch. The March 18 scan used codeslick-cli v1.5.8. The April 14 scan used v1.5.9, which fixed three false positive classes in the JavaScript and TypeScript analyzers — command injection pattern matching (now correctly excludes RegExp.prototype.exec()), SQL injection (now requires SQL keywords alongside string concatenation), and SSRF (now requires user-controlled input in fetch template literals). All findings cited in this post are from the v1.5.9 scan. The scanner runs 306 security checks across JavaScript, TypeScript, and Python — including OWASP 2025 top-10 classes, dependency scanning against known vulnerability advisories, and 12 MCP-specific checks for prompt injection vectors, unauthorized capability exposure, and tool poisoning patterns.
Repos were sourced from GitHub search: topic:mcp-server, @modelcontextprotocol/sdk dependency, sorted by stars, minimum 5 stars, excluding the official modelcontextprotocol/servers reference implementation.
All findings are in publicly accessible open-source repositories. Scanner v1.5.9 is available via npm install -g codeslick-cli. Maintainers of repos with critical findings are welcome to reach out at support@codeslick.dev for the full per-file findings or to discuss remediation.
Every finding in this post is detectable in under 60 seconds with the CodeSlick CLI. If you maintain an MCP server or use one in your development environment:
# Install once
npm install -g codeslick-cli
# Scan your MCP server repo
codeslick scan --all
The servers in this scan are installed in Claude Code, Cursor, and Copilot by tens of thousands of developers. Use CodeSlick's WebTool to paste and scan any MCP server file, or install the CLI to scan the full repo.