43,801 MCP servers scanned · 4,307 advertise a high-risk capability
We scanned the entire public MCP registry (registry.modelcontextprotocol.io) — every registered server’s advertised name and description. 10% advertise a capability that can move money, destroy or export data, deploy infrastructure, or change permissions. For agent use, every one of those should require an accountable human authorization receipt before it runs.
This is a registry-level signal (name + description), not a tool-level manifest scan, a deployment scan, or a vulnerability report. Listed below: 500 high-risk-advertising servers that publish a repo. We’re testing the ecosystem for receipt-required dangerous actions; maintainers can earn RR-1 and make their most dangerous action safer than the default.
Where we read the source and confirmed a real dangerous handler, the report cites the exact code and the Receipt Required fix. Each is a path to RR-1, not a callout.