Ecosystem Report

We graded 93 MCP servers for enterprise readiness. Here's what we found.

An aggregate analysis of security posture across the MCP ecosystem, covering 2686 tools from 32 vendor-maintained and 61 community-maintained servers.

93
Servers audited
67
Average score
2686
Tools analysed
79
Per-user OAuth

Key Findings

Most servers lack per-user authentication

79 of 93 servers support per-user auth: either via HTTP transport (accepting Authorization headers per request) or the MCP OAuth spec. The remaining 14 read a single credential from environment variables at startup. A platform can still achieve per-user isolation by spawning separate instances, but the servers themselves have no concept of user identity.

Authentication & Identity scores lowest across the ecosystem

Authentication & Identity averages 31% of its maximum score. Most servers are stdio-only with shared env var credentials, preventing per-user token passthrough.

Read-only servers score significantly higher

The 15 read-only servers average 70, compared to 67 for the 78 servers with write capabilities. Read-only servers avoid permission and schema deductions.

Vendor servers average 4 points higher

Vendor-maintained servers (32) average 70/100, while community servers (61) average 66/100. The gap is driven primarily by auth support (vendors are more likely to implement HTTP transport and OAuth) and maintenance trust.

Grade Distribution

A
10
10 servers
B
27
27 servers
C
39
39 servers
D
15
15 servers
F
2
2 servers

Category-by-Category Analysis

Authentication & Identity

7.7 / 25 avg (31%)

Maintenance & Trust

3.2 / 5 avg (64%)

Tool Schema Quality

18.1 / 25 avg (72%)

Data Exposure

7.2 / 10 avg (72%)

LLM Safety

12.4 / 15 avg (83%)

Permission Granularity

18.6 / 20 avg (93%)

Recommendations for Server Maintainers

Add explicit JSON schemas

Define types, required fields, and constraints (maxLength, enum, pattern) for every tool parameter. This is the single highest-impact improvement most servers can make.

Separate read and write tools

Split combined read/write operations into distinct tools so that platforms can grant read-only access. This enables least-privilege deployment.

Support per-user authentication

Implement OAuth 2.0 or support per-request token parameters so that actions can be attributed to individual users in upstream audit logs.

Write specific tool descriptions

Each tool description should state exactly what data it accesses, what it modifies, and any scope boundaries. LLMs use these descriptions to make tool selection decisions.

Deploy MCP servers with enterprise controls

CompleteFlow wraps MCP servers with per-user authentication, permission scoping, and audit logging, compensating for the gaps identified in this report.

Learn about CompleteFlow