{"id":3218,"date":"2025-05-16T18:37:40","date_gmt":"2025-05-16T18:37:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3218"},"modified":"2025-05-16T18:37:40","modified_gmt":"2025-05-16T18:37:40","slug":"is-it-secure-to-use-an-mcp-server","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3218","title":{"rendered":"Is it secure to use an MCP server?"},"content":{"rendered":"

The Model Context Protocol (MCP) is a convenient open protocol for linking large-scale language models (LLMs) with external data sources and tools. However, since anyone can create an MCP server and publish it on GitHub, there is a possibility that it may contain malicious code. It is at your own risk if you embed vulnerabilities in your homemade MCP server, but how safe can you actually be when using a public MCP server via a marketplace? This article explains the current state of the MCP server marketplace and some points to note when using it.<\/p>\n

<\/a>1.1. TL;DR<\/h2>\n

The premise is that \u201csomeone is guaranteeing something, so use it at your own risk.\u201d Among them, the following two are considered to be trustworthy to a certain extent. The rest are provided without any official guarantee.<\/p>\n

<\/a>Those registered under\u00a0servers\/src in modelcontextprotocol org<\/a><\/p>\n

When the MCP server connects to the official repository of the service. Example:\u00a0tavily\/mcp-server<\/a>\u00a0provided by\u00a0tavily<\/a><\/a><\/p>\n

<\/a>1.2 Reasons<\/h2>\n

The official MCP GitHub repository<\/a>\u00a0is maintained by Anthropic and contains servers implemented by Anthropic itself as well as community contributed servers.<\/p>\n

Reference Servers: MCP servers implemented by Anthropic itself<\/p>\n

Third-Party Servers: MCP servers implemented by parties other than Anthropic<\/p>\n

Official Integrations: MCP servers implemented as official repositories for connected services<\/p>\n

Community Servers: MCP servers that can be provided by anyone who is not related to the service you are connecting to.<\/p>\n

Community Servers have not been explicitly tested and are used at your own risk<\/a>\u00a0.<\/p>\n

<\/a>I think the standards for trusting\u00a0Cline\u2019s MCP Marketplace should be almost the same as the official MCP (see Section 4.2 for details).<\/a><\/p>\n

<\/a>2. What is MCP\/MCP Server?<\/h1>\n

<\/a>\u201cI\u2019ve heard of MCP, but I haven\u2019t used it\u2026\u201d For those who have heard of it , I\u2019ll write a simple\u00a0explanation, from the basics to more advanced content<\/a>\u00a0, as there are already explanations in Japanese. For more information, please refer to\u00a0the official MCP doc .<\/a><\/p>\n

MCP (Model Context Protocol) is an open protocol for applications to provide context to large-scale language models (LLMs). It is like a \u201cUSB-C port\u201d for AI applications (Claude Desktop, Cline, etc.) and standardizes how LLMs can be integrated with external data sources and tools.<\/p>\n

\n
\n

Confused about the hype around MCP (Model Context Protocol)?<\/p>\n

Here\u2019s a quick visual <\/p>\n

MCP is like a universal \u201cUSB-C\u201d for AI agents, letting them plug into tools & data sources without juggling multiple APIs.<\/p>\n

I’ll break it down step by step pic.twitter.com\/q4k6pxhWtZ<\/a><\/p>\n

\u2014 Norah Sakal (@norahsakal) March 8, 2025<\/a><\/p><\/div>\n<\/div>\n

MCP servers are lightweight programs that expose certain functions (such as web searches, file operations, API integration, and database access) through the MCP protocol. By connecting to these servers, MCP clients allow AI agents to use external knowledge and functions. For example, there are MCP servers for connecting to PostgreSQL. The MCP server itself does not function as a database, but acts as an intermediary for communication with PostgreSQL. In that sense, it may be more accurate to think of it as a \u201cconnector\u201d rather than an MCP server. Anyone can create an MCP server and publish it on GitHub.<\/p>\n

<\/a>3. MCP server publication\/approval status<\/h1>\n

Similar to how Google Chrome has\u00a0a Chrome Web Store<\/a>\u00a0for extensions , Anthropic, the creators of MCP,\u00a0maintain an MCP server repository on GitHub (\u00a0https:\/\/github.com\/modelcontextprotocol\/servers ) that contains both Anthropic\u2019s implementations of MCP servers as well as a list of community-contributed MCP servers.<\/a><\/p>\n

In addition to the official Anthropic, Cline<\/a>\u00a0, a GitHub extension\u00a0, also\u00a0offers\u00a0Cline\u2019s MCP Marketplace<\/a>\u00a0. To register with this Cline\u2019s MCP Marketplace, you need to submit an issue to\u00a0the cline\/mcp-marketplace repository and have it reviewed. Example of a reviewed issue:\u00a0<\/a>https:\/\/github.com\/cline\/mcp-marketplace\/issues\/44<\/a><\/p>\n

<\/a>4. General security of MCP official repositories<\/h1>\n

It seems that the modelcontextprotocol<\/a>\u00a0organization is primarily run by Anthropic.<\/p>\n

The modelcontextprotocol<\/a>\u00a0organization on GitHub\u00a0has the following:<\/p>\n

The Model Context Protocol is an open source project run by Anthropic, PBC. and open to contributions from the entire community.<\/p>\n

It is stated as follows:<\/p>\n

Conversely, the anthropic.com site,\u00a0Introducing the Model Context Protocol<\/a>\u00a0, states:<\/p>\n

The Model Context Protocol\u00a0specification and SDKs<\/a>(omitted)Contribute to our open-source repositories of connectors and implementations<\/p>\n

This statement indicates that this is an official Anthropic project.<\/p>\n

<\/a>4.1 modelcontextprotocol\/server repository<\/h2>\n

Under modelcontextprotocol there is a repository called\u00a0servers<\/a>\u00a0(hereinafter referred to as the official repository). This repository publishes the official implementation of the MCP server Anthropic and introduces other MCP servers.<\/p>\n

Regarding security,\u00a0the Security Policy<\/a>\u00a0states the following:<\/p>\n

The security of our systems and user data is Anthropic\u2019s top priority.<\/p>\n

Furthermore, Anthropic, the developer of MCP, has obtained the following certifications, although it is unclear to what extent these have been applied to the development of MCP.<\/p>\n

SOC 2 Type I<\/p>\n

HIPAA<\/p>\n

SOC 2 Type II<\/p>\n

ISO 27001:2022<\/p>\n

ISO\/IEC 42001:2023<\/p>\n

Reference:\u00a0https:\/\/trust.anthropic.com\/<\/a><\/p>\n

<\/a>4.2 How much can I trust it?<\/h2>\n

I think you can trust the Reference Servers<\/a>\u00a0section to a certain extent, because\u00a0the sources it references are under\u00a0the src directory of the modelcontextprotocol\/servers repository , which is the official MCP repository.<\/a><\/p>\n

I think you can trust the Official Integrations<\/a>\u00a0section to a certain extent. (Note that Community Servers are not included.) For example,\u00a0the MCP server for JetBrains is created under\u00a0<\/a>the JetBrains<\/a>\u00a0organization. If there\u00a0is a security incident on this MCP server, JetBrains will also be criticized, which will result in Jetbrains losing credibility and its business performance, so it is believed that they will make an effort to implement a secure MCP server.<\/p>\n

Community Servers<\/a>\u00a0are also listed in README.md<\/p>\n

Note: Community servers are untested and should be used at your own risk. They are not affiliated with or endorsed by Anthropic.<\/p>\n

Summary<\/p>\n

Please note: Community servers are untested, use at your own risk, and are not affiliated with or endorsed by Anthropic.<\/p>\n

So, the reliability is considered to be low. As stated, it is best to use it at your own risk.<\/p>\n

<\/a>4.3. Specific repository operations<\/h2>\n

This is a bit of a geeky section, so you can skip it. It\u2019s about reliable GitHub accounts and the people who are doing the reviews.<\/p>\n

<\/a>4.3.1. The process of implementing an MCP server under the src directory of the official repository<\/h2>\n

To add it to the official MCP server under the src directory of modelcontextprotocol\/servers<\/a>\u00a0, you need to submit a pull request and have it approved, just like other OSS.<\/p>\n

As of March 26, 2025,\u00a0https:\/\/github.com\/modelcontextprotocol\/servers\/pull\/620<\/a>\u00a0is in the state shown below (Review Required image), so it is likely that\u00a0a Team<\/a>\u00a0has been defined that combines GitHub accounts registered in\u00a0People<\/a>\u00a0and GitHub accounts approved by Anthropic using the\u00a0protected branch<\/a>\u00a0function (\u203b).<\/a><\/a><\/p>\n

As a first example, the official implementation of Anthropic PostgreSQL\u00a0is included in\u00a0the initial commit<\/a>\u00a0and was created by jspahrsummers, who\u00a0is<\/a>\u00a0currently registered in\u00a0the People section of the official MCP organization as of 2025\/03\/26.<\/a><\/p>\n

To take a second example,\u00a0https:\/\/github.com\/modelcontextprotocol\/servers\/pull\/413\/<\/a>\u00a0is a Redis MCP server implementation by Anthropic, judging from the directory where the source code was added. The person who approved the pull request is\u00a0jerome3o-anthropic<\/a>\u00a0. As of 2025\/03\/26,\u00a0he is not<\/strong>\u00a0registered in\u00a0People<\/a>\u00a0! The account name seems to be related to anthropic, so he may have been registered in People as of\u00a02025\/2\/7 when he approved it<\/a>\u00a0. As noted in (\u203b), it is not strictly clear whether he is a member of Anthropic. Judging from the fact that this person can merge the pull request he approved into the main branch, I think he is probably the maintainer of Anthropic.<\/strong><\/a><\/p>\n

(\u203b)This is just a guess, as the Team that brings together the GitHub accounts associated with Anthropic employees has not been made public.<\/p>\n

<\/a>4.3.2. Official Integrations MCP Servers are added to the official README.md<\/h2>\n

The README.md file will be added once\u00a0the modelcontextprotocol\/servers pull request<\/a>\u00a0is approved.<\/p>\n

Prior to this, the referenced repository must implement an MCP server.<\/p>\n

Example: JetBrains<\/p>\n

Referenced MCP server:\u00a0https:\/\/github.com\/JetBrains\/mcp-jetbrains<\/a><\/p>\n

Pull Request for README.md:\u00a0https:\/\/github.com\/modelcontextprotocol\/servers\/pull\/355<\/a><\/p>\n

A pull request was created in the official repository on\u00a02024\/12\/16<\/a>\u00a0.<\/p>\n

The date of approval was December 17, 2024<\/a>\u00a0, so<\/p>\n

The MCP server that appears to have been reviewed is in\u00a039041cc<\/a>\u00a0condition.<\/p>\n

You can see that development continues after 2024\/12\/17.\u00a0See\u00a0the commit history .<\/a><\/p>\n

It is unclear whether the official MCP Server side continues to check\u00a0JetBrains\/mcp-jetbrains<\/a>\u00a0. Therefore, it is possible that the repository of the MCP server referenced after approval could be hijacked or malicious code could be embedded. However, if that were to happen, JetBrains\u2019 credibility would also be damaged, which would lead to disadvantages for JetBrains, so this can be interpreted as Anthropic trusting that JetBrains continues to be vigilant about security.<\/p>\n

<\/a>5. Cline\u2019s official MCP server marketplace<\/h1>\n

cline is\u00a0creating its own marketplace of MCP servers for direct use by cline in\u00a0the Cline MCP Marketplace repository .<\/a><\/p>\n

What is the MCP Marketplace?The MCP Marketplace is a curated collection of MCP servers that makes discovery and installation easy. With the marketplace, you can:<\/p>\n

Browse official and community-made MCP serversSearch by name, category, tags, and other metadataInstall MCP servers with one click, triggering Cline to autonomously handle cloning, setup, and configuration.<\/p>\n

Summary<\/p>\n

What is MCP Marketplace?MCP Marketplace is a curated collection of MCP servers that are easy to discover and install. With the Marketplace you can:<\/p>\n

Browse official and community-made MCP serversSearch by name, category, tags, and other metadataInstall your MCP server with one click and trigger Cline to handle cloning, setup, and configuration automatically.<\/p>\n

Here,\u00a0official and community-made MCP serversthe means<\/p>\n

Official Anthropic MCP server. In terms of the names mentioned above,\u00a0 Reference Servers<\/a><\/p>\n

Official Integrations<\/a>\u00a0MCP Server<\/p>\n

Community Servers<\/a>\u00a0MCP Servers<\/p>\n

MCP servers that clients have approved in their repository issues<\/a><\/p>\n

I think so. Here is my personal opinion on the credibility:<\/p>\n

I think it’s: 1 > 2 >> 4 >>> (an unbridgeable gap) >>> 3 in terms of trustworthiness.
\n\u3010Trustworthy\u3011 \u2192 \u3010Untrustworthy\u3011<\/p>\n

The reason is that to register for this marketplace, you need to create a new issue in your GitHub repository and have it approved.<\/p>\n

Regarding 1, I think it is fair to trust it to a certain extent for the same reasons stated in Section 4.2.<\/p>\n

Regarding 2., I think it is fair to trust it to a certain extent for the same reasons stated in Section 4.2.<\/p>\n

As stated in Section 4.2, 3. is provided without warranty and is at your own risk.<\/p>\n

Regarding 4., the maintainers of cline have reviewed and added it, so I think it can be trusted to a certain extent. However, it is considered less trustworthy than Anthropic.
This is because cline is OSS, and although it is a bit misleading to call it a development company,\u00a0the developer of cline<\/a>\u00a0has not received as much security-related approval as Anthropic.<\/p>\n

<\/a>5.1 cline\u2019s MCP Marketplace registration process<\/h3>\n

Like 4.3, this section is aimed at enthusiasts, so you can skip it if you like.<\/p>\n

Although the maintainer of the Cline MCP marketplace has not been specified,\u00a0I think it is safe to say that\u00a0pashpashpash<\/a>
is the maintainer of the Cline repository. Reason<\/p>\n

As of 2025\/03\/26, there are no\u00a0people<\/a>\u00a0in cline\u2019s organization !<\/p>\n

<\/a>The author of\u00a0the initial commit<\/a>\u00a0of\u00a0mcp-marketplace is\u00a0<\/a>pashpashpash<\/a>\u00a0.<\/p>\n

MCP servers registered in the cline MCP Marketplace are<\/p>\n

<\/a>The MCP servers registered in\u00a0modelcontextprotocol\/servers are reflected sequentially.<\/a><\/p>\n

Reflecting what was approved in the issue of\u00a0cline\u2019s\u00a0mcp-marketplace<\/a><\/p>\n

It seems that they are.<\/p>\n

Regarding the former, as of 2025\/03\/26,\u00a0https:\/\/github.com\/oceanbase\/mcp-oceanbase\u00a0<\/a>is registered<\/a>\u00a0in modelcontextprotocol\/servers\u00a0, but is not registered in cline\u2019s MCP marketplace.<\/p>\n

Regarding the latter,\u00a0graphlit-mcp-server<\/a>\u00a0was registered in\u00a0#44<\/a>\u00a0, which is not registered in modelcontextprotocol\/servers as of 2025\/03\/25.<\/p>\n

<\/a>5. Summary<\/h1>\n

The introduction of an MCP server is essentially at your own risk. In terms of security, the disadvantages of releasing or approving a risky MCP server are for Anthropic, the destination of that MCP server, and marketplace creators such as cline.<\/p>\n

<\/a>MCP servers under\u00a0the src directory of the modelcontextprotocol\/servers repository<\/a><\/p>\n

An MCP server implemented by the official organization of the service to which the MCP server is connected<\/p>\n

If you are using cline, please\u00a0refer to the closed issues in cline\/mcp-marketplace<\/a>\u00a0for MCP servers.<\/p>\n

I think you can trust it to a certain extent.<\/p>\n

Anything else is at your own risk, so I think it\u2019s fine to read the source and have someone look up the relevant repository using DeepResearch or similar.<\/p>","protected":false},"excerpt":{"rendered":"

The Model Context Protocol (MCP) is a convenient open protocol for linking large-scale language models (LLMs) with external data sources and tools. However, since anyone can create an MCP server and publish it on GitHub, there is a possibility that it may contain malicious code. It is at your own risk if you embed vulnerabilities […]<\/p>\n","protected":false},"author":0,"featured_media":3219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3218"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3218"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3218\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3219"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}