
How to vet an MCP server before you install it (2026 checklist)

A practical checklist for judging whether an MCP server is safe to run — source, maintainer, permissions, secrets handling and red flags to avoid.

An MCP server runs on your machine with the permissions you grant it: file access, API tokens, database credentials. A 2026 analysis of roughly 7,000 public servers found that many require no authentication at all and only a minority use OAuth, so vetting matters. Here is a checklist you can run in five minutes.

1. Check the source and maintainer

  • Who publishes it? Prefer first-party (GitHub, Shopify, MongoDB, Salesforce) or official reference servers over anonymous repos.
  • Is it open source? You should be able to read what it does. Closed binaries that want broad access are a red flag.
  • Activity and stars: a maintained repo with real commit history and answered issues beats a fresh account with one commit. Treat the star count as a weak signal on its own; stars are cheap to inflate.

2. Read what permissions it asks for

  • Does a "weather" server really need filesystem and network access? Capability should match purpose.
  • For database and API servers, can you run it read-only (a read-only flag, or a read-only database role or scoped API token)? If not, count that against it.
  • Prefer servers that scope access (single project, single directory) over all-or-nothing.

3. Inspect how it handles secrets

  • Tokens should come from environment variables or a secret store, not be hardcoded in the config or the code, written to logs, or sent anywhere other than the API they authenticate against.
  • Watch for any server that phones home — outbound requests to domains unrelated to its job.
  • Avoid pasting real credentials into a server you have not read.

4. Look at the install command

  • npx -y some-package runs whatever version is published right now and skips the confirmation prompt. Pin an exact version (some-package@1.2.3) for anything sensitive, and re-read the changes before you bump it.
  • Be wary of curl-pipe-to-shell installers: you execute whatever the server chooses to return, and you never get to read it first.
  • Docker images from a known registry (GHCR, Docker Hub official images) are easier to trust than random scripts, but pin them by digest (image@sha256:...) rather than by a mutable tag such as latest.
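Checks 2, 3 and 4 can be run mechanically against the client config before the server ever starts. The linter below is an added example for this guide, not Loadout's code: it walks the mcpServers block that Claude Desktop and Cursor read (command, args, env) and flags unpinned npx packages, docker images without a digest, curl-pipe-to-shell installers, literal tokens in env or argv, and a filesystem root that is a whole home directory. The sample config, its package versions and the token value are constructed, and the secret-prefix patterns are a heuristic, so expect to tune them.

```python
"""Lint an MCP client config for the red flags in checks 2-4 above.
Added example for this guide, not Loadout's code. Covers the mcpServers
layout Claude Desktop and Cursor read (command, args, env)."""
import json
import re
import sys

# Token shapes treated as hardcoded secrets: a few common vendor prefixes plus
# any long opaque string. A heuristic, so expect some false positives.
SECRET_RE = re.compile(r"^(ghp_|github_pat_|sk-|xox[abp]-|AKIA)|^[A-Za-z0-9_\-]{32,}$")
# Filesystem roots that hand the server everything: "/", a home dir, a drive.
BROAD_ROOT_RE = re.compile(r"^(/|~|/home/[^/]+|/Users/[^/]+|[A-Za-z]:\\)/?$")
PACKAGE_RUNNERS = {"npx", "pnpx", "bunx", "uvx"}

# Constructed sample config: the package versions and the token are made up.
SAMPLE_CONFIG = {
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/alice"],
        },
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github@2025.4.8"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_exampleexampleexampleexample1234"},
        },
        "weather": {
            "command": "sh",
            "args": ["-c", "curl -fsSL https://example.invalid/install.sh | sh"],
        },
        "postgres": {
            "command": "docker",
            "args": ["run", "-i", "--rm", "ghcr.io/example/mcp-postgres:latest"],
            "env": {"DATABASE_URL": "${DATABASE_URL}"},
        },
    }
}


def is_pinned(runner, package):
    """uvx pins with pkg==x.y; npm-style runners pin with pkg@x.y. Scoped npm
    packages start with '@', so drop that before looking for the separator."""
    if runner == "uvx":
        return "==" in package or "@" in package
    return "@" in package.lstrip("@")


def lint_server(spec):
    """Return (severity, message) findings for one mcpServers entry."""
    findings = []
    command = spec.get("command", "")
    args = [str(a) for a in spec.get("args", [])]
    env = spec.get("env", {}) or {}

    # Check 4: the install command
    if command in PACKAGE_RUNNERS:
        packages = [a for a in args if not a.startswith("-")]
        if packages and not is_pinned(command, packages[0]):
            findings.append(("high", f"{packages[0]} is not pinned to a version"))
    if command == "docker" and not any("@sha256:" in a for a in args):
        findings.append(("medium", "docker image is not pinned by digest"))
    if command in {"sh", "bash", "zsh"}:
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", " ".join(args)):
            findings.append(("high", "installer pipes a download straight into a shell"))

    # Check 3: literal secrets in env or argv ($VAR references are fine)
    for key, value in env.items():
        if isinstance(value, str) and not value.startswith("$") and SECRET_RE.match(value):
            findings.append(("high", f"env {key} holds a literal secret"))
    for a in args:
        if not a.startswith("$") and SECRET_RE.match(a):
            findings.append(("high", f"argument {a[:8]}... looks like a literal secret"))

    # Check 2: a filesystem root that is the whole disk or a home directory
    for a in args:
        if BROAD_ROOT_RE.match(a):
            findings.append(("medium", f"{a} exposes an entire tree; scope to a project directory"))
    return findings


def lint_config(config):
    """Lint every entry under mcpServers; returns {server name: findings}."""
    return {name: lint_server(spec) for name, spec in config.get("mcpServers", {}).items()}


if __name__ == "__main__":
    # Usage (macOS Claude Desktop path shown; pass no path to lint SAMPLE_CONFIG):
    #   python mcp_lint.py ~/Library/Application\ Support/Claude/claude_desktop_config.json
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for server, findings in lint_config(config).items():
        print(f"[{server}]", "clean" if not findings else "")
        for severity, message in findings:
            print(f"  {severity:6} {message}")
```

On the sample config this reports the filesystem server as unpinned and rooted at a home directory, the github entry for a literal token, the weather entry for piping curl into sh, and the postgres image for lacking a digest. A clean report is not a clearance: it only means the config does not show the obvious mistakes, and you still need to read the server.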

5. Cross-check the registry

Look the server up in the official MCP Registry and in at least one curated directory. A listing shows that a publisher submitted it, not that anyone reviewed the code, so hand-reviewed sources beat raw scraped lists; see mcp.so vs PulseMCP and trusted MCP registry providers.

Red flags to walk away from

  • Requests far more access than its function needs.
  • No source code, or an anonymous, brand-new publisher.
  • Hardcoded credentials or undocumented network calls.
  • Publicly reported issues: tool descriptions that carry hidden instructions to the model (prompt injection), or tools that send data to a third party (exfiltration). See detecting malicious MCP servers.

Make it routine

Run every server read-only first, watch which tools it actually calls and where it connects, then widen access only when a task needs it: the least-privilege principle from MCP security best practices. Loadout's security inspector scores servers on trust and capability so you do not vet raw lists by hand.
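One way to enforce "read-only first, watch what it does" for a stdio server, as an added example for this guide (not Loadout's or the MCP project's code): a small proxy that the client launches instead of the real server. It forwards every message, but refuses any tools/call whose tool name is not on your allowlist, logs each request and every tool description the server advertises to stderr, and records the server's own readOnlyHint annotations so you can compare what it claims with what you allowed. It assumes the MCP stdio framing of one JSON-RPC 2.0 object per line; the error code and the argv layout of the wrapper are this example's own choices.

```python
"""Run an MCP stdio server behind a read-only gate: forward only allowlisted
tool calls, log everything, and record what the server claims about itself.
Added example for this guide, not Loadout's or the MCP project's code.
Assumes MCP stdio framing: one JSON-RPC 2.0 object per line."""
import json
import subprocess
import sys
import threading

GATE_ERROR_CODE = -32000  # JSON-RPC server-error range; the exact code is our choice


def log(text):
    # stderr only: stdout is the JSON-RPC channel back to the client
    print(f"[gate] {text}", file=sys.stderr, flush=True)


class ReadOnlyGate:
    def __init__(self, allow):
        self.allow = set(allow)             # tools the client may actually call
        self.server_readonly_hints = set()  # tools the server says are read-only
        self.blocked = []                   # (tool name, arguments) we refused

    def check_request(self, msg):
        """Return None to forward the client message, or an error reply to send back."""
        if msg.get("method") != "tools/call":
            return None  # initialize, tools/list, notifications: pass through
        params = msg.get("params") or {}
        name = params.get("name")
        if name in self.allow:
            return None
        self.blocked.append((name, params.get("arguments")))
        return {"jsonrpc": "2.0", "id": msg.get("id"),
                "error": {"code": GATE_ERROR_CODE,
                          "message": f"tool '{name}' is not in the read-only allowlist"}}

    def observe_response(self, msg):
        """Record the tools the server advertises. readOnlyHint is self-declared,
        so it is logged for comparison with the allowlist, never trusted."""
        result = msg.get("result") or {}
        for tool in result.get("tools") or []:
            ann = tool.get("annotations") or {}
            if ann.get("readOnlyHint") is True:
                self.server_readonly_hints.add(tool.get("name"))
            # Read the description: hidden instructions to the model live here.
            log(f"tool {tool.get('name')!r}: {str(tool.get('description', ''))[:120]!r}")


def run_proxy(server_cmd, gate):
    """Spawn the real server and sit between it and the client on stdio."""
    proc = subprocess.Popen(server_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)

    def pump_server_to_client():
        for line in proc.stdout:
            try:
                gate.observe_response(json.loads(line))
            except json.JSONDecodeError:
                log(f"non-JSON line from server: {line.rstrip()!r}")
            sys.stdout.write(line)
            sys.stdout.flush()

    threading.Thread(target=pump_server_to_client, daemon=True).start()
    for line in sys.stdin:
        if not line.strip():
            continue
        msg = json.loads(line)
        log(f"client -> {msg.get('method')} {json.dumps(msg.get('params'))[:200]}")
        verdict = gate.check_request(msg)
        if verdict is None:
            proc.stdin.write(line if line.endswith("\n") else line + "\n")
            proc.stdin.flush()
        else:
            sys.stdout.write(json.dumps(verdict) + "\n")
            sys.stdout.flush()
    proc.stdin.close()
    return proc.wait()


if __name__ == "__main__":
    # Client config points at this wrapper instead of the server, e.g.
    #   "command": "python",
    #   "args": ["gate.py", "read_file,list_directory", "--", "npx", "-y", "pkg@1.2.3", "./project"]
    allow = sys.argv[1].split(",")
    sys.exit(run_proxy(sys.argv[sys.argv.index("--") + 1:], ReadOnlyGate(allow)))
```

The gate controls what the model can invoke; it does nothing about what the server process does on its own at startup (reading files, calling home), so pair it with the filesystem and network limits of a container or sandbox. Once the stderr log shows only the calls and endpoints you expect, add tools to the allowlist one at a time.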

Going further

Once you trust a server, browse curated picks in our loadouts or the security category.


© 2026 Loadout. Built on Angular 21 SSR.