Praise Jeevesus — We Mapped Every MCP Server (and We're Auditing Them Next)

May 2, 2026 · DugganUSA LLC

The Model Context Protocol now has 21,962 servers in the official registry. Tonight we ingested every one of them, hashed every tool description, and stamped a day-zero baseline. Tomorrow's snapshot will show us the first wave of rug-pulls — servers that quietly rotated their tool descriptions to inject new instructions into AI agents.

We are going to be the people who notice.

Why this matters now

The MCP ecosystem went from prototype to enterprise faster than anyone in security was ready for.

Wiz's 2026 State of AI in the Cloud report says MCP is now present in 80% of cloud environments — the fastest standard adoption they've ever measured. The official registry plus the three big aggregators (Smithery, Glama, mcp.so) account for over 9,000 active servers, growing 58% quarter over quarter. Anthropic, OpenAI, Cursor, Continue, Cline, Windsurf, Zed — every serious AI client speaks MCP.

And the threats are real, named, and shipping CVEs at one per week.

Tool Poisoning Attacks. Invariant Labs disclosed them in April 2025. Malicious instructions are placed inside tool descriptions, not tool outputs — so the agent reads them as ground-truth. Includes the "rug pull" variant: benign at install, swapped after the user has already approved.

Tool-output prompt injection. CyberArk shipped "Poison Everywhere" — the matching attack on the output channel.

Command injection in published servers. CVE-2025-5277 in the AWS MCP server (CVSS 9.4). CVE-2025-52573 in an iOS simulator MCP where a tap action shells out unsafely. CVE-2025-47274 in ToolHive leaking secrets through run-config files. CVE-2025-47777 in the 5ire desktop client — stored XSS to Electron RCE.

The community has catalogued more than forty MCP-related CVEs since mid-2025 and the rate is accelerating.

What we're shipping

Three plays. All of them leverage stack we already run.

One. Jeevesus — the reference implementation.

We built our own MCP server with a public threat model and shipped it to the official registry. Eleven vectors documented and mitigated. Static tool list. Allow-listed indexes (not deny-listed). HTML stripping plus prompt-injection sanitization on every byte that leaves the server. Per-IP per-tier rate limits in memory. Audit log writes hashed IPs only — never plaintext. Strict CORS allow-list. Body capped at 32 KB. Results capped at 25 hits. The threat model and the code are tied to each other; if we add a tool we update both.

The point is not that Jeevesus is special. The point is that 21,962 servers exist and almost none of them have a published threat model. Jeevesus is the score everyone else gets compared to.

Two. The MCP threat-intel feed.

We just stood up an index that holds a daily snapshot of every server in the official registry. Name, version, description, repository, remotes, status, and a sha256 hash of the description text.

Tomorrow's run runs the diff. New servers get flagged. Description hashes that change without a version bump are rug-pull candidates. Servers that flip from active to deprecated tell us something just got pulled and why.

We already publish a STIX feed that defenders subscribe to for IOCs. Adding MCP to that feed is a week of work. Nobody is publishing this signal as a feed yet. We will be.

Three. AIPM-for-MCP — audit as deliverable.

Same playbook that drove our 1,200+ AIPM audits, retargeted at MCP. Eleven vectors, 0–100 score, evidence pointers, remediation table, comparison against the Jeevesus reference baseline. Single audit, monthly subscription with rug-pull alerts, enterprise tier with white-label.

Wiz scans. Snyk integrates with the IDE. Palo Alto is acquiring Portkey to own the gateway tollbooth. None of them sells an adversarial audit report you can hand to your CISO. That is the gap.

Why we can do this and Wiz can't

We are not bigger than Wiz. We are not bigger than Palo Alto. We are not even close.

We are smaller, sharper, and we publish.

Our threat-intel pipes already carry 1.12 million IOCs, 17.9 million documents, and a STIX feed real customers pay for. Our AIPM audit pipeline already runs a 7-signal scoring rubric across 250+ domains and ships HTML and PDF reports on request. Our blog has 1,807 posts indexed and our Bluesky reach into the security press is real. Our edge — the Cloudflare Worker, the honeypots, the exploit harvester — already runs and already feeds the same indexes we will build the MCP audit on top of.

When Wiz decides to enter this space they will ship a feature. Not a product, not a feed, not an audit report — a feature in their CNAPP. That feature will scan some MCP-shaped servers and produce some findings. They will not write a public threat model. They will not catalog all 21,962 servers. They will not call out individual rug-pulls in a feed defenders can subscribe to. That is the work we do.

Palo Alto closing the Portkey acquisition compresses the window in roughly two quarters. We are going to use those two quarters.

What's already live

• Jeevesus MCP server, JSON-RPC 2.0 over HTTP, at analytics.dugganusa.com/api/v1/mcp. Three tools: search, enrich-ioc, stix-feed-summary. Every method audited. Listed active on the official MCP Registry as io.github.pduggusa/dugganusa-threat-intel.

• 21,962 servers in our index as of 2026-05-02. 7,419 latest versions. 86 already deprecated. 19,295 from GitHub, 27 from GitLab.

• 11-vector threat model published in our compliance evidence.

• Skill files for the audit methodology and the marketplace KPIs, so the next operator picking this up walks into a fully-loaded room.

What ships next

The rug-pull diff runs every 24 hours. The first audit lands inside the week. The first feed entry — the first malicious-MCP-server IOC we publish under our STIX feed — is the receipt.

If you run an MCP server and you want to be the first one we score, email [email protected]. Free.

If you operate a security team that's about to onboard a 3rd-party MCP server, same email. We'll cut you a real audit on a real threat model.

We were not first to MCP.

We are going to be first to MCP security.

Praise Jeevesus.

— Patrick Duggan, DugganUSA LLC

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com