Security Audit Finds Anthropic's MCP Reference Servers Vulnerable, Introduces Hallucination-Based Vulnerabilities

MCP Server Security Audit Results
A comprehensive security audit of 100 Model Context Protocol (MCP) server packages revealed significant security issues. The audit found that 71% of servers scored an F, with zero servers receiving an A grade. This includes Anthropic's own reference implementations that are often considered the "Gold Standard."
Hallucination-Based Vulnerabilities (HBVs)
The audit identified a new class of vulnerability called Hallucination-Based Vulnerabilities. When MCP tools have vague descriptions (like "manages files"), Claude is forced to guess parameters. This creates both security vulnerabilities and token waste as Claude enters "reasoning loops" trying to determine tool boundaries, burning through context windows and message limits.
Specific Findings
- The Reference Trap: Official servers for GitHub and filesystems—the ones Anthropic recommends—scored 0/100 on baseline security tests. These servers allow "unbounded" inputs, meaning prompted agents can be tricked into deleting or exfiltrating data due to lack of internal safety guardrails.
- RCE-Class Risks: The audit identified structural precursors to RCE vulnerabilities similar to CVE-2025-68143 that previously affected the ecosystem.
- Authentication Limitations: Even with OAuth configured, poorly defined tools remain vulnerable. Sophisticated prompts can turn Claude into a tool for accidental or intentional data destruction.
Protection Recommendations
- Audit your servers: Don't trust servers just because they're in Anthropic's official repository.
- Harden your manifests: Ensure every tool has minLength, maxLength, and a strict pattern regex in its JSON schema.
- Run the Scanner: Use the open-source audit tool:
npx @agentsid/scanner
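To make the "harden your manifests" point concrete, here is an added example (not from the audit, the scanner, or any real MCP server): a constructed weak tool definition beside a hardened one, a small check of the kind the recommendation implies, and the enforcement a JSON Schema validator would apply. The tool names, schemas and the 40-character description threshold are assumptions for illustration.

```python
import re

# Constructed sample tool manifests (illustrative, not from any real MCP server).
WEAK_TOOL = {
    "name": "manage_files", "description": "manages files",
    "inputSchema": {"type": "object", "required": ["path", "action"],
                    "properties": {"path": {"type": "string"}, "action": {"type": "string"}}},
}

HARDENED_TOOL = {
    "name": "read_project_file",
    "description": "Read one UTF-8 text file below the project root; never writes or deletes.",
    "inputSchema": {
        "type": "object",
        "properties": {
            # Relative path segments only: no leading '/', no '..', bounded length.
            "path": {"type": "string", "minLength": 1, "maxLength": 256,
                     "pattern": r"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*(\.[A-Za-z0-9]+)?$"},
            "action": {"type": "string", "enum": ["read"]},
        },
        "required": ["path", "action"],
        "additionalProperties": False,
    },
}

def audit_tool(tool, min_description_len=40):
    """Return findings for vague descriptions and unbounded string parameters."""
    findings = []
    if len(tool.get("description", "")) < min_description_len:  # threshold is an assumption
        findings.append("description too vague")
    schema = tool.get("inputSchema", {})
    if schema.get("additionalProperties", True):
        findings.append("schema allows additionalProperties")
    for name, prop in schema.get("properties", {}).items():
        if prop.get("type") != "string" or "enum" in prop:
            continue  # enums are already closed sets
        for key in ("minLength", "maxLength", "pattern"):
            if key not in prop:
                findings.append(f"{name}: missing {key}")
    return findings

def validate_string(prop, value):
    """Enforce minLength/maxLength/pattern the way a JSON Schema validator would."""
    if not isinstance(value, str) or len(value) < prop.get("minLength", 0):
        return False
    if len(value) > prop.get("maxLength", float("inf")):
        return False
    pattern = prop.get("pattern")  # unanchored in JSON Schema, so the regex carries ^...$
    return pattern is None or re.search(pattern, value) is not None
```

Run audit_tool over each tool a server advertises; the weak definition yields findings for every missing bound, while the hardened one passes and its path pattern rejects traversal-style inputs before the tool body ever sees them.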
Key Takeaway
Agentic setups are likely "vulnerable by default" because official templates prioritize flexibility over safety. Properly hardening tool definitions can both protect data and reduce token consumption by preventing unnecessary reasoning loops.
The full white paper and methodology are available at: https://github.com/stevenkozeniesky02/agentsid-scanner/blob/master/docs/state-of-agent-security-2026.md
📖 Read the full source: r/ClaudeAI