TruaceTracing the truth around AIMonday, July 13, 2026
TRV-2026-0137Version 1 · Certified

Written 2026-07-13 08:35:38 UTC · current record

Reason for this version

Certified into the record

Canonical text (the exact bytes fingerprinted)

TRUVACE RECORD VERSION
record: TRV-2026-0137
version: 1
kind: certified
reason: Certified into the record
timestamp: 2026-07-13T08:35:38.772171Z
status: published
lens: trace
sector: health
headline: Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers
dek: Although Foundation Models (FMs), such as GPT-4, are increasingly used in domains like finance and software engineering, reliance on textual interfaces limits these models’ real-world interaction. To address this, FM providers introduced tool calling—triggering a proliferation of frameworks with distinct tool interfaces. In late 2024, Anthropic introduced the Model Context Protocol (MCP) to standardize this tool ecosystem. With SDK downloads surpassing twenty five million per week and 86% of enterprises using mo…
gain_title: Open-source MCP servers demonstrated strong health metrics despite rapid adoption with SDK downloads surpassing twenty five million per week.
problem_title: 7.2% of evaluated MCP servers contained general vulnerabilities and 5.5% exhibited MCP-specific tool poisoning, part of eight distinct vulnerabilities largely distinct from traditional software flaws.
trace_subject: health, security, and maintainability of open-source MCP servers enabling Foundation Model tool use
gain_reading: Open-source MCP servers demonstrated strong health metrics despite rapid adoption with SDK downloads surpassing twenty five million per week.
gain_evidence: Despite MCP servers demonstrating strong health metrics | SDK downloads surpassing twenty five million per week
problem_reading: 7.2% of evaluated MCP servers contained general vulnerabilities and 5.5% exhibited MCP-specific tool poisoning, part of eight distinct vulnerabilities largely distinct from traditional software flaws.
problem_evidence: 7.2% of servers contain general vulnerabilities | 5.5% exhibit MCP-specific tool poisoning
quick_read: In a first large-scale empirical study published May 2026, researchers examined 1,899 open-source Model Context Protocol servers, the standard introduced by Anthropic in late 2024 to unify tool calling for Foundation Models. Using health metrics and a combined general and MCP-specific scanner, they measured adoption signals and code quality across the ecosystem.

The work matters because MCP is already widely deployed, with weekly SDK downloads over twenty five million and use by 86% of enterprises using compatible models, so flaws in servers can propagate to finance, software engineering and other domains. Uncertainty remains about how findings from open-source servers translate to closed enterprise implementations and whether proposed registry scanning will be adopted.
limitation: Findings are limited to open-source MCP servers and may not generalize to proprietary enterprise deployments that represent majority of usage.
tag: Automated dual reading
key_points: Study evaluated 1,899 open-source MCP servers using hybrid pipeline combining general-purpose static analysis with MCP-specific scanner. | MCP introduced in late 2024 by Anthropic to standardize tool calling for Foundation Models like GPT-4, now used by 86% of enterprises using models supporting MCP tools. | Security analysis identified eight distinct vulnerabilities, with only three overlapping with traditional software vulnerabilities.
rundown: Researchers applied state-of-the-art health metrics and a hybrid analysis pipeline to 1,899 open-source MCP servers, finding 66% exhibit code smells and 14.4% contain nine bug patterns overlapping prior research.

Authors advocate for governance measures including incorporating MCP-specific vulnerabilities into standardized vulnerability databases and enabling automated security scanning within MCP registries.
sources:
- peer_reviewed | ACM Transactions on Software Engineering and Methodology | https://doi.org/10.1145/3814959 | 2026-05-12
prev: 0000000000000000000000000000000000000000000000000000000000000000
sha256
829de285e9ee0988f68606fd6a6c322a09f76434a87d48f63d40bbc0c810e224
previous
0000000000000000000000000000000000000000000000000000000000000000
Verify this record
How to verify without trusting this page

Fetch the canonical text of any version from /api/record/TRV-2026-0137 and hash it yourself — for example shasum -a 256 on the saved canonical field. The result must equal content_hash, and each version’s text ends with prev:followed by the prior version’s hash (version 1 chains to 64 zeros). If a single character of any version had been altered since certification, the chain would not reproduce.