We ran munio (open source scanner) against 763 MCP servers from awesome-mcp-servers and npm. The methodology and scanner are public — pip install munio and you can reproduce the scan yourself.

The most surprising finding was that composition risk (safe tools chaining into dangerous flows) outweighs individual vulnerabilities. 7,425 toxic data flows vs 312 command injections.

Happy to answer questions about the methodology or specific finding categories.

31% is alarming but not surprising. MCP adoption is moving faster than security practices around it. The pattern is familiar — same thing happened with early REST APIs, GraphQL endpoints, and now MCP. The tooling for scanning and hardening always lags adoption by 12-18 months. What types of schema vulnerabilities are most common — injection through tool descriptions, or something more structural?