MCP Package Security Scan Reveals Widespread Destructive Capabilities Without Confirmation

✍️ OpenClawRadar📅 Published: March 23, 2026🔗 Source

A security researcher scanned 2,386 MCP (Model Context Protocol) packages published on npm and found significant security risks in how AI agents interact with external tools. MCP packages let Claude Code connect to external tools; once installed, a package runs as a local process with the invoking user's privileges and can reach the shell, the filesystem, the network, and environment variables.

Key Findings from the Scan

The most concerning discovery: 63.5% of packages expose destructive operations (deleting files, dropping databases, deploying code) without requiring human confirmation. Because the agent treats tool responses as input, an attacker who can plant instructions in data a tool returns (a fetched web page, a file, a database row) can steer the agent into invoking these operations, and nothing in the package stops the call from going through.

Additional Security Issues

  • 49% of packages had security issues overall
  • 402 critical severity vulnerabilities
  • 240 high severity vulnerabilities
  • 122 packages auto-execute code on npm install (lifecycle scripts such as preinstall or postinstall run as soon as the package is installed)
  • Real-world cases included SSH key theft, Unicode prompt injection, and delayed backdoors

The researcher notes that most findings are not malware but "dangerous capability without guardrails." That still leaves 63.5% of packages "one prompt injection away from real damage."

Detection and Response

The scanning tool reports 99.4% precision and 39.9% recall: almost everything it flags is a genuine issue (roughly 0.6% of flagged items are false alarms), but it currently catches only about 40% of the issues that are present. The malicious patterns found during the scan were converted into detection rules, and the affected parties received responsible disclosure.

The researcher built ATR (Agent Threat Rules) as an open standard for detecting these threats: 61 detection rules released under the MIT license and not tied to any specific tool, so anyone can use them to scan MCP packages.

Any skill can be scanned without installing it at panguard.ai: paste a GitHub URL and a report comes back in about 3 seconds. The full research report is available at panguard.ai/research/mcp-ecosystem-scan.

📖 Read the full source: r/ClaudeAI
