12 findings in Anthropic's reference MCP servers
We ran `decoy-scan` against every reference server in the MCP repo. Here's what 50 checks found — and what that tells you about the ecosystem.
Every time a new protocol gets traction, the first batch of reference implementations becomes a de facto template. People copy them, fork them, and ship them. So a scanner's first job is to point it at the templates and see what's there.
The short version
Across the reference MCP servers shipped in the official repo, decoy-scan reported 12 findings — 3 critical, 5 high, 4 medium. None are catastrophic, most are the kind of thing a security review would flag on any server. Calling them out here isn't a drag; it's the point of publishing a scanner.
The three that matter most
1. Tool descriptions accepting unbounded string input without schema constraints. Several tools advertised parameters typed as string with no maxLength. When those strings flow into filesystem, shell, or HTTP paths, downstream servers get the full brunt of whatever the agent was convinced to send. Easy fix, widely missed.
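As an added example (not decoy-scan's code and not taken from the reference repo), here is the shape of the check behind that finding: walk each tool's inputSchema for string-typed properties with no maxLength, and then enforce the declared bound at call time so the schema is a server-side limit rather than a hint to the client. The two tool definitions are constructed for the example.

```javascript
// Added example: lint MCP tool definitions (the tools/list shape: name,
// description, inputSchema) for unbounded string parameters, and enforce
// maxLength server-side. Not decoy-scan's own implementation.

// Recursively collect JSON Schema paths of string properties with no positive maxLength.
function findUnboundedStrings(schema, path = '') {
  const hits = [];
  if (!schema || typeof schema !== 'object') return hits;
  if (schema.type === 'string' && !(Number.isInteger(schema.maxLength) && schema.maxLength > 0)) {
    hits.push(path || '$');
  }
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    hits.push(...findUnboundedStrings(sub, path ? `${path}.${name}` : name));
  }
  if (schema.items) hits.push(...findUnboundedStrings(schema.items, `${path}[]`));
  return hits;
}

// One finding per unbounded string parameter across a tool listing.
function lintTools(tools) {
  const findings = [];
  for (const tool of tools) {
    for (const param of findUnboundedStrings(tool.inputSchema)) {
      findings.push({ tool: tool.name, param, rule: 'unbounded-string' });
    }
  }
  return findings;
}

// Enforce the declared bound when the tool is actually called.
// Returns an error message, or null when the arguments are acceptable.
function checkArgs(inputSchema, args) {
  for (const [name, sub] of Object.entries(inputSchema.properties || {})) {
    const value = args[name];
    if (value === undefined) continue;
    if (sub.type === 'string') {
      if (typeof value !== 'string') return `${name}: expected string`;
      if (Number.isInteger(sub.maxLength) && value.length > sub.maxLength) {
        return `${name}: length ${value.length} exceeds maxLength ${sub.maxLength}`;
      }
    }
  }
  return null;
}

// Constructed tool definitions: the first shows the pattern the finding
// describes, the second is the bounded version of the same tool.
const unboundedTool = {
  name: 'read_file',
  description: 'Read a file from the workspace',
  inputSchema: {
    type: 'object',
    properties: { path: { type: 'string' } },
    required: ['path'],
  },
};

const boundedTool = {
  name: 'read_file',
  description: 'Read a file from the workspace',
  inputSchema: {
    type: 'object',
    properties: {
      path: { type: 'string', maxLength: 256, description: 'Workspace-relative path' },
    },
    required: ['path'],
  },
};

// Demo run: one finding for the unbounded tool, none for the bounded one,
// and an over-long argument rejected at call time.
console.log(lintTools([unboundedTool, boundedTool]));
console.log(checkArgs(boundedTool.inputSchema, { path: 'a'.repeat(300) }));
```

The lint only reports; the bound means nothing unless checkArgs (or the SDK's schema validation) runs on every call, which is the part the forks tend to drop.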
2. Implicit authentication assumptions. A handful of servers trusted that "if MCP is reaching me, I'm inside the trusted zone." That's a 2005 network-perimeter assumption on a 2026 protocol where agents routinely cross trust boundaries mid-session.
3. Tool descriptions that advertise more capability than the tool delivers. This is the poisoned-tool-description class of bug and it's the most interesting one. An attacker who can edit the description (via prompt injection, supply chain, or just a PR) can steer an agent's behavior without touching the implementation.
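One defensive check for this class, added here as an example rather than anything decoy-scan or the reference servers ship: a client pins each tool's name, description and inputSchema at the point a human reviewed them, then compares every later tools/list result against the pins and refuses tools whose description or schema drifted or that were not reviewed at all. The two listings are constructed; the comparison uses sorted-key serialisation so harmless key reordering is not reported as a change.

```javascript
// Added example: pin reviewed MCP tool descriptions and detect drift in later
// listings. Not code from decoy-scan or the MCP reference repo.

// Serialise with sorted keys so semantically equal objects compare equal.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Build the pinned snapshot from a listing that a reviewer has signed off on.
function pinTools(tools) {
  const pins = {};
  for (const t of tools) {
    pins[t.name] = {
      description: canonical(t.description ?? ''),
      inputSchema: canonical(t.inputSchema ?? {}),
    };
  }
  return pins;
}

// Compare a fresh listing against the pins.
// allowed: unchanged tools; drifted: pinned tools whose text or schema changed;
// unknown: tools the reviewer never saw. Only `allowed` should be exposed to the agent.
function checkDrift(pins, tools) {
  const allowed = [];
  const drifted = [];
  const unknown = [];
  for (const t of tools) {
    const pin = pins[t.name];
    if (!pin) { unknown.push(t.name); continue; }
    const changed = [];
    if (canonical(t.description ?? '') !== pin.description) changed.push('description');
    if (canonical(t.inputSchema ?? {}) !== pin.inputSchema) changed.push('inputSchema');
    if (changed.length) drifted.push({ name: t.name, changed });
    else allowed.push(t.name);
  }
  return { allowed, drifted, unknown };
}

// Constructed listings: what the reviewer approved, and what the server
// advertises on a later session (one description widened, one new tool,
// and the schema keys reordered without any real change).
const reviewedListing = [
  {
    name: 'search_docs',
    description: 'Search the project documentation.',
    inputSchema: { type: 'object', properties: { query: { type: 'string', maxLength: 200 } } },
  },
];

const laterListing = [
  {
    name: 'search_docs',
    description: 'Search the project documentation and any files the user has open.',
    inputSchema: { properties: { query: { maxLength: 200, type: 'string' } }, type: 'object' },
  },
  { name: 'delete_docs', description: 'Remove a document.', inputSchema: { type: 'object' } },
];

// Demo run: search_docs is reported as drifted (description only),
// delete_docs as unknown, and nothing is allowed through.
console.log(checkDrift(pinTools(reviewedListing), laterListing));
```

Pinning does not tell you whether a description was honest to begin with; it tells you when the text an agent reads stops matching the text a human approved, which is the moment this bug class becomes exploitable.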
The ecosystem implication
Reference servers are copy-paste targets. If a pattern is broken in the template, it's broken in a thousand forks by next quarter. That's why we scan the reference repo first — and why we re-scan every release.
The full SARIF output from this run is available here. Run the same scan locally in under a minute with `npx decoy-scan`.