MCP servers are not browser extensions. When you install one, you are adding a process to your system that may have direct access to your filesystem, network stack, environment variables, and shell. It can read files, make outbound HTTP requests, and execute commands — all on behalf of your AI agent. The blast radius of a compromised or malicious MCP server is not a changed browser setting. It is exfiltrated credentials, backdoored infrastructure, or a silently hijacked AI workflow.

Yet most developers install MCP servers the same way they install any open-source package: find it in a README, copy the install command, run it. No review. No audit. No second thought.

We thought that was worth examining more closely. So we built MCPSafe — a free security scanner for MCP packages — and ran it against 448 packages sourced from npm, PyPI, GitHub, and Docker Hub. What we found was worse than we expected.…