Today, we're releasing our public MCP catalog with detailed risk analysis for every MCP server we've found on the internet: https://mcp.armor1.ai/mcp-directory
We all love agents and the power that MCPs unlock: suddenly your AI assistant can query databases, manage files, call APIs, and interact with the real world. But when we started adopting MCPs ourselves, we kept running into the same nagging questions:
Is this MCP safe? Where is my data actually going? Could it execute destructive actions? Is it susceptible to prompt injection? Can the LLM be tricked into calling something it shouldn't? And perhaps most concerning, can one MCP server influence the model and exfiltrate data meant for another?
We looked for answers and found... not much. No comprehensive catalog or standardized risk assessment. Nothing that gave us confidence before connecting an MCP to our agents.
So we built an MCP threat catalog and what we found was eye-opening.
We built what we believe is the deepest risk analysis pipeline for MCP servers:
• Provenance tracking: from an official source or community-contributed
• MCP spec conformance: does it follow the protocol correctly, or are there deviations that could cause unexpected behavior
• OWASP Top 10 for Agentic Apps: evaluate tool descriptions against the emerging threat categories specific to AI agents
• Static source analysis: analyze source code for AI-specific vulnerabilities, not just traditional ones
• CVE correlation: check dependencies against known vulnerabilities.
• Behavioral risk patterns: tool definitions that could enable prompt injection, privilege escalation, or cross-server data theft
What we found:
• Hundreds of credential leaks: API keys, tokens, and secrets exposed in server configurations and code.
• Dozens of MCP servers using known malicious packages: Not just vulnerable dependencies, but actually malicious ones.
• Tools attempting context poisoning: MCP servers designed to subvert the LLM and steal information via memory manipulation, potentially exfiltrating data meant for other connected servers.
We want everyone to realize the benefits of agentic AI, but not at the cost of security being an afterthought. So we're making this catalog free with no login, and we're committed to keeping it that way.
This is still a WIP. Looking forward to your feedback on what we need to improve, what we got right, and what we should prioritize next.