health, security, and maintainability of open-source MCP servers enabling Foundation Model tool use
Source article: Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers
Although Foundation Models (FMs), such as GPT-4, are increasingly used in domains like finance and software engineering, reliance on textual interfaces limits these models’ real-world interaction. To address this, FM providers introduced tool calling—triggering a proliferation of frameworks with distinct tool interfaces. In late 2024, Anthropic introduced the Model Context Protocol (MCP) to standardize this tool ecosystem. With SDK downloads surpassing twenty five million per week and 86% of enterprises using mo…
Positive state: both sides are scored from claims and sources, not community votes.

"Medical Laboratory" by ben.dracup, CC BY 2.0.
In a first large-scale empirical study published May 2026, researchers examined 1,899 open-source Model Context Protocol servers, the standard introduced by Anthropic in late 2024 to unify tool calling for Foundation Models. Using health metrics and a combined general and MCP-specific scanner, they measured adoption signals and code quality across the ecosystem.
The work matters because MCP is already widely deployed, with weekly SDK downloads over twenty five million and use by 86% of enterprises using compatible models, so flaws in servers can propagate to finance, software engineering and other domains. Uncertainty remains about how findings from open-source servers translate to closed enterprise implementations and whether proposed registry scanning will be adopted.
- Study evaluated 1,899 open-source MCP servers using hybrid pipeline combining general-purpose static analysis with MCP-specific scanner.
- MCP introduced in late 2024 by Anthropic to standardize tool calling for Foundation Models like GPT-4, now used by 86% of enterprises using models supporting MCP tools.
- Security analysis identified eight distinct vulnerabilities, with only three overlapping with traditional software vulnerabilities.
Open-source MCP servers demonstrated strong health metrics despite rapid adoption with SDK downloads surpassing twenty five million per week.
7.2% of evaluated MCP servers contained general vulnerabilities and 5.5% exhibited MCP-specific tool poisoning, part of eight distinct vulnerabilities largely distinct from traditional software flaws.
The rundown
Researchers applied state-of-the-art health metrics and a hybrid analysis pipeline to 1,899 open-source MCP servers, finding 66% exhibit code smells and 14.4% contain nine bug patterns overlapping prior research.
Authors advocate for governance measures including incorporating MCP-specific vulnerabilities into standardized vulnerability databases and enabling automated security scanning within MCP registries.
Findings are limited to open-source MCP servers and may not generalize to proprietary enterprise deployments that represent majority of usage.
Sources
- Peer-reviewedACM Transactions on Software Engineering and Methodology2026-05-12
How should this claim be treated?
ace
The debate