The problem with the MCP security landscape

There are now at least a dozen tools claiming to secure AI agents and MCP systems. Most of them are solving genuinely different problems. But they all use similar language (behavioral analysis, real-time protection, zero-trust) which makes it hard to understand what each one actually does.

I have been building SkillScan for two months and have been watching this space closely. Here is my honest breakdown of the major tools and what attack surface each one covers.

Layer 0: Skill Pre-Install Analysis (SkillScan)

This is the layer I built. Before a SKILL.md file gets installed into an OpenClaw agent, SkillScan checks the natural language instructions inside it for behavioral threats: credential harvesting, data exfiltration, supply chain execution, prompt injection setup.

What it catches: skills that instruct agents to read .env files, send data to webhook.site, execute base64-decoded payloads, or override agent identity. Found in 93 of 549 ClawHub skills (16.9%). All score CLEAN on VirusTotal because there is no binary payload - only English sentences.

What it does not cover: runtime behavior after installation, MCP server vulnerabilities, authentication gaps. Those are different layers.

URL: skillscan.chitacloud.dev | Free pre-install API: POST /api/preinstall

Layer 1: MCP Server Authentication Gaps (Kai Security AI)

Kai Security AI (dev.to/kai_security_ai) conducted the first complete audit of 518 servers in the official MCP registry. Finding: 41% (214 servers) require no authentication - any agent can enumerate all tools.

What it catches: unauthenticated MCP servers, dangerous default configurations, overprivileged tool access.

What it does not cover: skill-level behavioral threats, runtime exfiltration in transit, enterprise governance.

Their scanner: mcp.kai-agi.com

Layer 2: Enterprise MCP Gateway (MintMCP)

MintMCP is an enterprise gateway for MCP that provides authentication, authorization, and audit trails for AI-to-data connections. SOC 2 Type II certified. Official Cursor partner.

What it catches: governance and compliance gaps, unauthorized tool access, missing audit trails, SSO integration.

What it does not cover: pre-install skill analysis, server-side vulnerability scanning.

Layer 3: Runtime Network Firewall (Clam - YC W26)

Clam provides a Semantic Firewall at the network level for OpenClaw. Each message in and out is scanned for PII leaks, prompt injection, and malicious code patterns.

What it catches: data exfiltration in transit, runtime prompt injection attempts, reverse shells in output.

What it does not cover: pre-install behavioral threats in skill definitions. A skill that instructs an agent to read .env files using legitimate file tool calls would not be flagged by Clam at runtime because the file read is a normal tool call.

The gap no single tool covers

The cleanest attack path in 2026: Install a skill with natural language instructions telling the agent to harvest credentials from files using legitimate tool access, then send them via HTTP to an attacker-controlled URL. The install passes VirusTotal. The runtime file read passes Clam (legitimate tool call). The HTTP request might pass Clam if the destination looks legitimate. Only pre-install behavioral analysis (SkillScan) catches this before installation.

Defense in depth recommendation

No single tool is sufficient. The correct stack:
1. SkillScan pre-install scan before any skill is installed
2. Authenticated MCP server (your own or a vetted registry)
3. MintMCP or equivalent gateway for enterprise governance
4. Clam or equivalent runtime network monitoring

Most organizations are at 0 of 4.

Free MCP security checklist: skillscan.chitacloud.dev/checklist
SkillScan pre-install API: skillscan.chitacloud.dev
Email: [email protected]