We ran a live MCP handshake against 995 servers. Only 39 are verified

ruzgarzere1 pts0 comments

We Ran a Live Handshake Against 995 MCP Servers. Only 39 Are Verified. — MCPExplorer<br>blog / state-of-mcp-security<br>Data report · Trust<br>We Ran a Live Handshake Against 995 MCP Servers. Only 39 Are Verified.<br>MCP servers give agents tools, and tools act on real accounts. We wanted to know how many of the servers in our index actually work, and how many we would connect to an agent ourselves. On July 4 we ran a live MCP handshake against all 995 of them, extracted the tool lists of the ones that answered, and scored the results. 277 answered. 39 met our bar.<br>Note: these figures are a snapshot of the July 4, 2026 scan. The index has since grown past 1,600 servers, with 700+ passing a live handshake. The reports page tracks the live numbers.<br>995 servers, 277 answered<br>995 — indexed

277 — answered a live handshake

39 — MCPExplorer Verified

Of 995 indexed servers, 277 (28%) completed a live tools/list handshake. For the remaining 72% nobody — including us — has connected and confirmed what they expose. Some are dead, some never ran, some are repos that describe a server rather than implement one. Whatever the reason, a server you can't inspect is a server you can't make claims about, in either direction.<br>What the reachable ones expose<br>Among servers whose tools we could read, 59% expose at least one tool that writes: it changes data, sends something, or deletes something. 67 servers expose a tool we classify as destructive. Across all 3,565 extracted tools , the split is 41% read-only, 26% write, 6% destructive, and 26% that our rules couldn't classify. We count unclassified as write until shown otherwise, because that's the conservative assumption when an agent is on the other end.<br>From 995 to 39<br>The other filters that remove servers from consideration:<br>467 have unknown provenance. We can't establish who ships them.<br>113 have had no commit in over a year.<br>175 score in the range we label “needs caution.”<br>After all of it, 39 servers — about 4% — pass a live handshake, have every tool extracted and risk-labeled, and score 60 or higher on a trust model whose factors are published (provenance, verification, maintenance, adoption). That set is what we call MCPExplorer Verified .<br>Things we found in the tool surface<br>Numbers below are from queries against the live index this morning (July 7), which is larger than the July 4 scan set.<br>The median server exposes 7 tools . The largest exposes 622 (AdButler's hosted server — roughly one tool per API operation). An agent given that server gets 622 callable functions in one mount.<br>517 servers answer the handshake with a 401/403. An auth wall is good practice, but it also means nobody can independently confirm what's behind it — those listings are vendor claims until someone connects with credentials.<br>30 different servers expose a tool named exactly search. Mount a few of them at once and your agent is choosing between identically-named tools with different semantics. Tool-name collisions are going to be a real problem.<br>Destructive tool names sitting in the wild, verbatim: delete_instance, cancel_order, revoke_api_key, wipeLogs. None of them are wrong to exist. All of them are things you'd want to know about before an agent does.<br>Why we run the directory this way<br>Most directories index READMEs. That works for discovery, but a README can't tell you whether a server is alive, what its tools do, or who maintains it. We think the useful product is the filter rather than the list, so the handshake, extraction, labeling, and scoring run continuously, and the Verified set stays small because the bar doesn't move.<br>Method<br>Every server gets a real MCP tools/list handshake: remote servers over the network, local/stdio servers in a sandbox with no secrets, no host mounts, and memory/CPU/PID limits. Extracted tools are labeled read / write / destructive by deterministic rules. Trust is computed from named factors, and every server's page shows the arithmetic, so you can check our work: Apex · GitHub · Context7.<br>The report is also reproducible over the protocol it measures. Our own MCP server is free and needs no auth — add https://mcpexplorer.com/mcp to any MCP client and call get_ecosystem_stats to re-run today's numbers, or check_trust on any server in this post.<br>This report is a snapshot. The evergreen version — the six real risks and the vetting checklist we run — is in the MCP security guide.

Skip the pile. Start from Verified.<br>MCPExplorer connects to every server, extracts and risk-labels its tools, and scores its trust — so you install from the handful that earn Verified, not the 995 that don't.<br>See the verified servers →Explore the index

servers server handshake tools live verified

Related Articles