← Back to Scanner

@modelcontextprotocol/servers Security Audit Report

🔭 Continuously monitored by ClawSecure Watchtower
Source:
SHA-256:

@modelcontextprotocol/servers is an AI agent skill, created by Model Context Protocol a Series of LF Projects, LLC. and published at modelcontextprotocol/servers. ClawSecure audited @modelcontextprotocol/servers across 71 files through the 3-Layer Audit Protocol covering all ten OWASP ASI Top 10 categories, assigning a security score of 70/100 (Medium Risk). The 6 findings concentrate in Supply Chain, Permissions Manifest and ReDoS, including Missing config.json - agent may not be properly configured and ReDoS vulnerability: Nested quantifiers (potential catastrophic.... None were rated high or critical severity.

Is @modelcontextprotocol/servers safe?

ClawSecure audited @modelcontextprotocol/servers and assigned a security score of 70/100 (Medium Risk), identifying 6 findings across Supply Chain and Permissions Manifest. Review the findings below before installing.

What did ClawSecure find in @modelcontextprotocol/servers?

ClawSecure identified 6 findings in @modelcontextprotocol/servers, concentrated in Supply Chain, Permissions Manifest and ReDoS. The most severe include Missing config.json - agent may not be properly configured and ReDoS vulnerability: Nested quantifiers (potential catastrophic....

How was @modelcontextprotocol/servers audited?

ClawSecure ran @modelcontextprotocol/servers through its 3-Layer Audit Protocol with full OWASP ASI Top 10 coverage, scanning 71 files from modelcontextprotocol/servers.

What does a score of 70 mean?

ClawSecure assigned @modelcontextprotocol/servers a security score of 70/100, placing it in the Medium Risk range. This reflects 6 findings led by Supply Chain that warrant review before production use. ClawSecure derives this score with a weighted deduction model (critical -20, high -10, medium -5, low -2 from a base of 100).

Audit Findings for @modelcontextprotocol/servers

ClawSecure detected 6 security findings in @modelcontextprotocol/servers, spanning Supply Chain, Permissions Manifest and ReDoS.

Each finding is expandable in the interactive list below.

3-Layer Audit Protocol

Security Recommendations for @modelcontextprotocol/servers

Update and pin dependencies
@modelcontextprotocol/servers depends on packages with supply-chain risk. Pin every dependency to an exact version, update packages with known CVEs to patched releases, and re-audit after each change. ClawSecure checks every dependency against known CVE databases.
Add a config.json permissions manifest
A config.json file declares what an agent component can access: file system, network, shell execution and more. Without it, users have no visibility into what the component can do before installing. This is the single most impactful security improvement for any AI agent skill.
Fix ReDoS-prone patterns
@modelcontextprotocol/servers contains regular expressions vulnerable to catastrophic backtracking (ReDoS). Replace vulnerable patterns, bound input length, and prefer linear-time matching so a crafted input cannot hang the agent.

Related Security Research

AI Agent Supply Chain Attacks: How Dependencies Become WeaponsBeyond Static Scans: Why ClawSecure Verifies Agentic Intent

Related AI Agent Security Audits

19af8eafb16b72f6Score 75/100clawdhubScore 75/10019af8eafb16b72f6Score 75/1007caf5d769dee89c3Score 55/10025937fcc251c4ccbScore 85/100

Scanned on June 4, 2026. @modelcontextprotocol/servers is one of thousands of agents audited by ClawSecure from the community-curated awesome-openclaw-skills list and the openclaw/skills repository.

Start Your Free Scan