SECURITY BRIEF
MCP security findings from the Trust Index
The security story for MCP is not just whether a server initializes. It is whether buyers can prove freshness, auth scope, tool risk, publisher ownership, and policy enforcement before agents use the server.
Findings
Freshness is security evidence
Stale validation evidence should suppress production trust, especially for servers with write or exec-capable tools.
Client-ready is not production-approved
A server can be compatible with ChatGPT or Claude and still require policy gates before company use.
Authenticated validation is the premium proof
Public metadata cannot prove scoped OAuth behavior, insufficient-scope handling, or write-action confirmation.
Badges create accountability
Publisher claims, trust badges, and weekly drift alerts make server ownership visible.
Use the evidence
Use the Trust Index to find candidates, then move to the server report, policy export, Gateway decision, Ledger evidence, and alert subscription before production approval.