MCP Package Security Scan Reveals Widespread Destructive Capabilities Without Confirmation

A security researcher scanned 2,386 MCP (Model Context Protocol) packages on npm and found significant security risks in how AI agents interact with external tools. MCP packages enable Claude Code to connect to external tools, and when installed, they gain full system access including shell, files, network, and environment variables.
Key Findings from the Scan
The most concerning discovery: 63.5% of packages expose destructive operations without requiring human confirmation. These operations include deleting files, dropping databases, and deploying code. If someone injects a malicious prompt into a tool response, the AI agent will execute these destructive actions without asking for permission.
Additional Security Issues
- 49% of packages had security issues overall
- 402 critical severity vulnerabilities
- 240 high severity vulnerabilities
- 122 packages auto-execute code on
npm install - Real-world cases included SSH key theft, Unicode prompt injection, and delayed backdoors
The researcher notes that not all findings represent malware—most are "dangerous capability without guardrails." However, 63.5% of packages are "one prompt injection away from real damage."
Detection and Response
The scanning tool achieved 99.4% precision with 39.9% recall—meaning near-zero false alarms but not catching everything yet. Malicious patterns have been converted to detection rules, and responsible disclosure was made to affected parties.
The researcher built ATR (Agent Threat Rules) as an open standard for detecting these threats—61 detection rules released under MIT license, not locked to any specific tool. Anyone can use these rules to scan MCP packages.
You can scan any skill without installing anything at panguard.ai—paste a GitHub URL and get a report in 3 seconds. The full research report is available at panguard.ai/research/mcp-ecosystem-scan.
📖 Read the full source: r/ClaudeAI
👀 See Also

Fil-C Makes setjmp/longjmp and ucontext Memory Safe
Fil-C implements setjmp/longjmp and ucontext APIs without stack corruption or dangling pointers, preventing common misuse that leads to crashes or exploits.

A2A Secure: How Developers Built Cryptographic Communication Between OpenClaw Agents
A new protocol enables OpenClaw agents to communicate securely using Ed25519 signatures without shared API keys.

OpenClaw Security Approach Using LLM Router and zrok Private Sharing
A developer shares their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, addressing security concerns by injecting API keys at the router level and using zrok for private sharing instead of traditional messaging app tokens.

Blindfold: A Plugin That Prevents Claude Code from Reading Your .env Files
Blindfold is a new plugin that prevents Claude Code from accessing actual secret values in .env files by keeping them in the OS keychain and using placeholders like {{STRIPE_KEY}}, with hooks that block direct access attempts.