Hey everyone, I built a security scanner for MCP servers (mcpsafe.io) and ran it across the public catalog I'd indexed from npm, PyPI, and GitHub — about 5,000 active servers, 2,634 of which produced at least one finding. The results were rougher than I expected.

What's broken, by % of servers affected:

51% — unpinned GitHub Actions (uses: actions/checkout@v4 instead of a SHA). Tag rewrites are silent.
45% — HTTP / socket / subprocess calls without a timeout. Hang-forever territory.
41% — overbroad MCP tool input schemas (z.string(), bare str, {"type":"string"} on fields named command, query, url). The exact shape that lets prompt injection through.
37% — except: pass swallowing errors with no logging.
28% — Dockerfiles with no USER directive, so the container runs as root.
22% — npm/pip install-time hooks (postinstall, custom cmdclass). Code execution before you ever import anything.
19% — server binds to 0.0.0.0. DNS rebinding is real.…
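To make the finding classes above concrete, here is an added example of how a few of them can be detected with simple static checks. This is my own illustration, not the mcpsafe.io scanner's code, and the workflow, Dockerfile and server snippets it scans are constructed inputs, not from any real package. The heuristics are assumptions I chose for the demo: a `uses:` ref counts as pinned only if it is a full 40-hex commit SHA, a Dockerfile counts as root unless its last USER line names a non-root user, and the Python checks only look at a hand-picked set of timeout-taking calls.

```python
import ast
import re

# Constructed sample inputs (not from any real repository), one per finding class.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
"""

DOCKERFILE_ROOT = 'FROM python:3.12-slim\nCOPY . /app\nCMD ["python", "server.py"]\n'
DOCKERFILE_OK = 'FROM python:3.12-slim\nRUN useradd -m app\nUSER app\nCMD ["python", "server.py"]\n'

SERVER_PY = '''
import subprocess, requests, socket
def run(cmd):
    try:
        return subprocess.run(cmd, shell=True, capture_output=True)
    except Exception:
        pass
def fetch(url):
    return requests.get(url, timeout=5)
def serve():
    s = socket.socket()
    s.bind(("0.0.0.0", 8080))
'''

# Assumption for this demo: only a full 40-hex commit SHA counts as a pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return uses: refs whose version is a tag or branch rather than a commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = re.search(r"uses:\s*([^\s#]+)", line)
        if not m or "@" not in m.group(1):
            continue  # local action or no ref at all; out of scope here
        ref = m.group(1).rsplit("@", 1)[1]
        if not SHA_RE.match(ref):
            findings.append(m.group(1))
    return findings


def runs_as_root(dockerfile_text):
    """True if no USER directive selects a non-root user (the last USER wins)."""
    user = None
    for line in dockerfile_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].upper() == "USER" and len(parts) > 1:
            user = parts[1].strip()
    return user is None or user in ("root", "0")


# Hand-picked (module, function) pairs that accept a timeout kwarg; an assumption
# of this demo, not an exhaustive list.
TIMEOUT_CALLS = {
    ("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_output"),
    ("requests", "get"), ("requests", "post"), ("socket", "create_connection"),
}


def python_findings(source):
    """Walk the AST for except: pass, timeout-less calls and binds to 0.0.0.0.

    Returns (lineno, message) tuples sorted by line so output is deterministic.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler):
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                findings.append((node.lineno, "except: pass swallows error"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            mod = base.id if isinstance(base, ast.Name) else None
            if (mod, node.func.attr) in TIMEOUT_CALLS and not any(
                kw.arg == "timeout" for kw in node.keywords
            ):
                findings.append((node.lineno, f"{mod}.{node.func.attr} without timeout"))
            if node.func.attr == "bind" and node.args:
                arg = node.args[0]
                if (
                    isinstance(arg, ast.Tuple) and arg.elts
                    and isinstance(arg.elts[0], ast.Constant)
                    and arg.elts[0].value == "0.0.0.0"
                ):
                    findings.append((node.lineno, "bind to 0.0.0.0"))
    return sorted(findings)


if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(WORKFLOW))
    print("root container:", runs_as_root(DOCKERFILE_ROOT), runs_as_root(DOCKERFILE_OK))
    for lineno, msg in python_findings(SERVER_PY):
        print(f"server.py:{lineno}: {msg}")
```

Run it as a script and it reports the one unpinned action, flags the Dockerfile without USER, and lists the swallowed exception, the timeout-less subprocess.run and the 0.0.0.0 bind by line. Note that requests.get passes because it carries timeout=5; the point of an AST walk rather than a grep is exactly that it can see which keyword arguments are present.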