MCP Server Vetting Guide for Non-Developers
Before you connect any MCP server to your AI agent, check who maintains it, how recently it was updated, what permissions it asks for, and whether anyone independent has reviewed it.
Over 7,000 MCP servers are available right now for anyone to plug into their AI agent. More than a third of them have a security flaw that could let an attacker use your agent to reach into your private network. And there is no warning label on any of them.
TL;DR: BlueRock Security found 36.7% of 7,000+ MCP servers are potentially vulnerable to SSRF attacks, which means a compromised server can use your AI agent as a tunnel into your local network. Thirty MCP-related vulnerabilities were disclosed in just 60 days. Before connecting any MCP server to your AI agent, check for five things: a named maintainer, recent updates, a security disclosure process, minimal permission requests, and independent mentions outside the developer's own posts.
What's Actually Happening With MCP Servers
MCP, or Model Context Protocol, is the standard that lets AI agents connect to outside tools and data sources. Think of it like USB ports for your AI. You plug in an MCP server, and suddenly your agent can read your email, pull files, check your calendar, or talk to a database.
Here is the problem. Anybody can publish an MCP server. There is no review process, no approval gate, and no security scan before it goes live. BlueRock Security scanned more than 7,000 of these servers and found 36.7% were potentially vulnerable to SSRF, or Server-Side Request Forgery. The easiest way to think about that is handing someone a walkie-talkie that is supposed to only reach the outside world, then discovering it can also tune into every channel inside your house.
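The SSRF flaw described above comes down to a server that fetches whatever URL it is handed, including addresses inside your own network. The defensive check is simple to state: before a tool fetches a URL, make sure every address the host resolves to is public. The following Python is an added illustration of that check, not code from BlueRock or from any MCP server; the helper names and the allowed-scheme list are assumptions made here.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

# Schemes an outbound fetch tool should be allowed to use (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, link-local (which covers the
    169.254.169.254 cloud metadata address), RFC 1918 private ranges and the
    documentation ranges; the extra checks make the intent explicit.
    """
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def resolve_targets(host: str) -> list[str]:
    """Return every address a host maps to (hypothetical helper).

    A literal IP is returned as-is. A name that cannot be resolved yields [],
    so the caller fails closed instead of guessing.
    """
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_outbound_url(url: str) -> tuple[bool, str]:
    """Decide whether an MCP tool may fetch this URL.

    Returns (allowed, reason). Every address the host resolves to must be
    public; a single private answer is enough to refuse.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    addrs = resolve_targets(host)
    if not addrs:
        return False, f"could not resolve {host!r}; refusing (fail closed)"
    for addr in addrs:
        if not _is_public_ip(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: the first three are the kind of targets an SSRF
    # tunnel would reach for; the last is a public literal address.
    for sample in (
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://10.0.0.5/",
        "http://93.184.216.34/",
    ):
        print(sample, "->", is_safe_outbound_url(sample))
```

One caveat a practitioner will want: resolving the name here and then letting an HTTP library resolve it again at fetch time leaves a window for DNS rebinding. The robust version connects to the address this check approved rather than re-resolving the hostname.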
That is not theoretical. A Medium post documented MCP servers that were silently blind-copying outbound emails to attackers. WhatsApp MCP was confirmed vulnerable to tool poisoning, where a server feeds your agent instructions disguised as data. Thirty MCP vulnerabilities were disclosed in just 60 days as of mid-March.
Why This Matters If You're Not a Developer
If you are running OpenClaw or any AI agent with MCP connections, every server you connect is a door into your setup. A bad MCP server does not just break your agent. It can use your agent's permissions to access everything the agent can access: your files, your email, your API keys.
And unlike installing an app on your phone, there is no app store review, no star ratings from verified users, and no popup telling you exactly what the server can touch. You are on your own.
Five Things to Check Before You Connect Any MCP Server
Here is what to check before plugging in any MCP server:
- Named maintainer. Is there a real person or organization behind it? An anonymous GitHub repo with no profile, no README, and no history is an easy skip.
- Recent activity. When was the last commit? If the server has not been updated in months, nobody is patching vulnerabilities.
- Security disclosure process. Does the repo have a SECURITY.md or a clear way to report issues? If the developer has not thought about security at all, that tells you a lot.
- Minimal permissions. What does the server ask for access to? If a weather MCP server wants to read your filesystem, something is wrong.
- Independent mentions. Has anyone outside the developer's own circle written about it, used it, or reviewed it? A server with zero independent references is an unknown quantity.
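The five checks above can be written down as a short checklist that runs over what you collect from a server's repo page. The Python below is an added example of that checklist, not a tool from the page or from any MCP project; the listing fields, the 180-day staleness cutoff and the table of which capabilities a stated purpose plausibly needs are all assumptions chosen here, and the two sample listings are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Capabilities that can reach beyond the agent's sandbox (constructed grouping).
SENSITIVE_CAPABILITIES = {"filesystem", "shell", "email", "credentials", "network"}

# Which capabilities a stated purpose plausibly needs (constructed table;
# extend it for the servers you actually evaluate).
EXPECTED_CAPABILITIES = {
    "weather": {"network"},
    "calendar": {"network", "calendar"},
    "email": {"network", "email"},
    "local-files": {"filesystem"},
}


@dataclass
class ServerListing:
    """Facts you can gather about an MCP server from its repo (assumed schema)."""

    name: str
    stated_purpose: str                 # what the README says it does
    maintainer: str | None              # named person or org, None if anonymous
    last_commit: date | None            # None when there is no history
    has_security_policy: bool           # SECURITY.md or a documented contact
    requested_capabilities: set[str]    # what it asks to access
    independent_mentions: int           # write-ups or reviews not by the maintainer


def vet_server(listing: ServerListing, today: date,
               stale_after: timedelta = timedelta(days=180)) -> list[str]:
    """Apply the five checks and return one finding per failed check."""
    findings: list[str] = []

    # 1. Named maintainer
    if not listing.maintainer:
        findings.append("no named maintainer")

    # 2. Recent activity
    if listing.last_commit is None:
        findings.append("no commit history")
    elif today - listing.last_commit > stale_after:
        findings.append(f"last commit {(today - listing.last_commit).days} days ago")

    # 3. Security disclosure process
    if not listing.has_security_policy:
        findings.append("no security disclosure process")

    # 4. Minimal permissions: flag sensitive access the stated purpose does not explain
    expected = EXPECTED_CAPABILITIES.get(listing.stated_purpose, set())
    excess = (listing.requested_capabilities - expected) & SENSITIVE_CAPABILITIES
    if excess:
        findings.append(
            f"asks for {sorted(excess)} beyond what {listing.stated_purpose!r} needs")

    # 5. Independent mentions
    if listing.independent_mentions == 0:
        findings.append("no independent mentions")

    return findings


def sample_listings() -> tuple[ServerListing, ServerListing]:
    """Two constructed listings: one that fails every check, one that passes."""
    suspicious = ServerListing(
        name="example-weather-mcp", stated_purpose="weather", maintainer=None,
        last_commit=date(2025, 6, 1), has_security_policy=False,
        requested_capabilities={"network", "filesystem"}, independent_mentions=0)
    reasonable = ServerListing(
        name="example-calendar-mcp", stated_purpose="calendar",
        maintainer="Example Org", last_commit=date(2026, 3, 1),
        has_security_policy=True, requested_capabilities={"network", "calendar"},
        independent_mentions=3)
    return suspicious, reasonable


if __name__ == "__main__":
    today = date(2026, 3, 15)  # constructed evaluation date
    for listing in sample_listings():
        print(listing.name, "->", vet_server(listing, today) or ["no findings"])
```

A server that trips several of these checks is not necessarily malicious, but each finding is a reason to ask a question before connecting it, and the permission check in particular is the one most people skip.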
Now you know how to vet the plug-ins before they plug into your system. The next question is what happens when one of these servers goes bad after you have already connected it, and how to limit the damage when it does.