Security Audit Finds Anthropic's MCP Reference Servers Vulnerable, Introduces Hallucination-Based Vulnerabilities

MCP Server Security Audit Results
A comprehensive security audit of 100 Model Context Protocol (MCP) server packages revealed significant security issues. The audit found that 71% of servers scored an F, with zero servers receiving an A grade. This includes Anthropic's own reference implementations that are often considered the "Gold Standard."
Hallucination-Based Vulnerabilities (HBVs)
The audit identified a new class of vulnerability called Hallucination-Based Vulnerabilities. When MCP tools have vague descriptions (like "manages files"), Claude is forced to guess parameters. This creates both security vulnerabilities and token waste as Claude enters "reasoning loops" trying to determine tool boundaries, burning through context windows and message limits.
Specific Findings
- The Reference Trap: Official servers for GitHub and filesystems—the ones Anthropic recommends—scored 0/100 on baseline security tests. These servers allow "unbounded" inputs, meaning prompted agents can be tricked into deleting or exfiltrating data due to lack of internal safety guardrails.
- RCE-Class Risks: The audit identified structural precursors to RCE vulnerabilities similar to CVE-2025-68143 that previously affected the ecosystem.
- Authentication Limitations: Even with OAuth configured, poorly defined tools remain vulnerable. Sophisticated prompts can turn Claude into a tool for accidental or intentional data destruction.
Protection Recommendations
- Audit your servers: Don't trust servers just because they're in Anthropic's official repository.
- Harden your manifests: Ensure every tool has minLength, maxLength, and a strict pattern regex in its JSON schema.
- Run the Scanner: Use the open-source audit tool:
npx @agentsid/scanner
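A small check for the manifest hardening recommended above, added here as an example; it is not code from the audit or from the agentsid scanner. The two tool definitions, the five-word "vague description" threshold and the path pattern are constructed for illustration.

```python
import re

STRING_BOUNDS = ("minLength", "maxLength", "pattern")
MIN_DESCRIPTION_WORDS = 5  # constructed threshold for a "vague" description

def audit_tool(tool: dict) -> list[str]:
    """Return findings for one MCP tool definition; an empty list means it passes."""
    name = tool["name"]
    findings = []
    # A description like "manages files" leaves the model guessing the tool's boundaries.
    if len(tool.get("description", "").split()) < MIN_DESCRIPTION_WORDS:
        findings.append(f"{name}: description too vague to bound the tool")
    schema = tool.get("inputSchema", {})
    if schema.get("additionalProperties", True) is not False:
        findings.append(f"{name}: additionalProperties should be false")
    required = set(schema.get("required", []))
    for param, prop in schema.get("properties", {}).items():
        if param not in required:
            findings.append(f"{name}.{param}: not listed in required")
        if prop.get("type") == "string":
            missing = [k for k in STRING_BOUNDS if k not in prop]
            if missing:
                findings.append(f"{name}.{param}: unbounded string, missing {', '.join(missing)}")
    return findings

def value_allowed(prop: dict, value: str) -> bool:
    """Apply one property's string bounds the way a JSON Schema validator would.
    'pattern' is unanchored in JSON Schema, so the schema itself must use ^ and $."""
    if len(value) < prop.get("minLength", 0):
        return False
    if "maxLength" in prop and len(value) > prop["maxLength"]:
        return False
    pattern = prop.get("pattern")
    return pattern is None or re.search(pattern, value) is not None

# Constructed tool definitions: the weak one mirrors the "unbounded" shape the audit flags.
WEAK_TOOL = {
    "name": "delete_file",
    "description": "manages files",
    "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
}
HARDENED_TOOL = {
    "name": "delete_file",
    "description": "Delete one file below the workspace root; path is relative and may not contain '..'.",
    "inputSchema": {
        "type": "object", "additionalProperties": False, "required": ["path"],
        "properties": {"path": {"type": "string", "minLength": 1, "maxLength": 255,
                                "pattern": r"^(?!.*\.\.)[A-Za-z0-9_./-]+$"}},
    },
}
```

Running audit_tool over both definitions shows the weak one producing four findings and the hardened one none, and value_allowed shows the hardened path bounds rejecting an empty or parent-relative path that the weak schema would accept.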
Key Takeaway
Agentic setups are likely "vulnerable by default" because official templates prioritize flexibility over safety. Properly hardening tool definitions can both protect data and reduce token consumption by preventing unnecessary reasoning loops.
The full white paper and methodology are available at: https://github.com/stevenkozeniesky02/agentsid-scanner/blob/master/docs/state-of-agent-security-2026.md
📖 Read the full source: r/ClaudeAI
👀 See Also

Claude Code Continues Logging Sessions After Revoke, User Reports 2-Week Support Silence
A Claude Code user reports that session logs continued appearing after revoking access, with Anthropic support unresponsive for two weeks. Logs included scopes like user:file_upload, user:ccr_inference, and user:sessions:claude_code.

Coldkey: Post-Quantum Age Key Generation and Paper Backup Tool
Coldkey generates post-quantum age keys (ML-KEM-768 + X25519) and produces single-page printable HTML backups with QR codes for offline storage.

AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT
Reverse-engineering revealed that AppLovin's custom cipher uses a constant salt + SDK key, a SplitMix64 PRNG, and no authentication. Decrypted requests carry ~50 device fields (hardware model, screen size, locale, boot time, etc.) even when ATT is denied, enabling deterministic re-identification across apps.

Agent Passport: Identity Verification for AI Agents
Agent Passport is an open-source identity verification layer using Ed25519 authentication and JWT tokens for AI agents, addressing the problem of agent impersonation.