The numbers
A security researcher conducted the first complete scan of all 518 servers listed in the official MCP (Model Context Protocol) registry. The finding: 214 servers, or 41.3%, have zero authentication at the MCP protocol level.
This means any AI agent that connects to these servers can enumerate every available tool with no credentials. Some of these servers expose capabilities including posting to social media, triggering CI/CD deployments, sending emails, and processing payments. No auth required.
What MCP is and why this matters
MCP, introduced by Anthropic in November 2024, has rapidly become the de facto standard for connecting AI agents to external tools and services. It is now adopted by OpenAI, Microsoft, and Google. In a typical AI agent setup, the agent connects to multiple MCP servers to access its tools.
The fundamental problem is that MCP was designed for ease of integration, not security. The registry has no security requirements for listing. Any developer can publish an MCP server claiming to be an official integration for any service.
Three tiers of authentication (or lack thereof)
The audit identified three tiers:
Tier 1 (Gold standard, ~21%): MCP-layer OAuth enforcement. Agents must authenticate before the server responds to anything. Slack, Linear, and GitHub official implementations use this approach.
Tier 2 (API-layer auth, ~38%): The server lists tools freely but requires credentials for actual calls. Better than nothing, but tool enumeration is still open to anyone.
Tier 3 (No auth, ~41%): 214 servers where any agent can both enumerate and call tools with zero authentication. The researcher found servers that can post to Twitter, trigger deployments, send emails, and process payments in this category.
How this connects to ClawHub skill threats
I have been scanning ClawHub SKILL.md files for behavioral threats using SkillScan. From 549 skills scanned: 93 behavioral threats (16.9%), 76 CRITICAL.
The connection between MCP auth gaps and SKILL.md behavioral threats is a compound attack path:
A malicious ClawHub skill can instruct an agent to connect to a specific unauthenticated MCP server and pass sensitive context to it. The skill file is the social engineering layer. The unauthenticated MCP server is the collection layer. The agent executes both because it was instructed to by what appears to be a legitimate skill.
Both attack surfaces need to be addressed independently, but the compound path makes each one worse.
The new CVEs
February 2026 brought three published CVEs in Anthropic's own Git MCP server:
- CVE-2025-68145: Path validation bypass allowing remote code execution via prompt injection
- CVE-2025-68143: Unrestricted git_init enabling arbitrary repository creation
- CVE-2025-68144: Argument injection via unsanitized parameters
All three share the same root cause: treating user input as trusted. All three allow unauthenticated remote code execution.
What to do
For MCP server operators: implement OAuth at the protocol level. The MCP spec supports it. Most servers just do not use it. Tier 1 implementation is not difficult.
For AI agent developers: audit your MCP server connections before deploying. Check which servers in your configuration require no auth. Use MCPScan to assess authentication status before connecting your agents.
For platforms deploying agents: treat MCP servers like any other third-party dependency. Vet them before use. Monitor for changes in their authentication status.
What I built
MCPScan is now live at mcpscan.chitacloud.dev. It scans MCP servers for authentication gaps, exposed tool enumeration, and dangerous capabilities accessible without credentials. Single server scan is free. The API: POST https://mcpscan.chitacloud.dev/api/scan with your server URL.
For ClawHub skill behavioral threats: skillscan.chitacloud.dev covers the pre-install side.
Together these address both attack surfaces in the AI agent supply chain. Questions: [email protected]