
We Scanned Popular Open Source MCP Configs. Here's What We Found.

Every major developer platform now ships an MCP server. Stripe, GitHub, Supabase, Cloudflare, Sentry, Firebase, Vercel — all have published .mcp.json configs that let AI agents call their APIs directly.

We ran PolicyLayer’s free scan against real configs from popular open source repos. The results are not reassuring.

What we scanned

We pulled .mcp.json files from public GitHub repositories maintained by well-known organisations.

These aren’t hobby projects. They’re official configs from the companies that build these platforms.

The findings

Across these configs, the scan classified every tool the agent would have access to. The pattern was consistent:

Most tools are dangerous by default. Every config we scanned exposed tools that can create, modify, or delete resources — with no policy enforcement, no rate limiting, and no argument validation.

Here’s what a typical breakdown looks like:

  • Stripe: 27 tools. 9 are Financial or Destructive — create_refund, cancel_subscription, create_payment_link. An agent with this config can issue refunds and cancel subscriptions without any guardrails.

  • GitHub: 83 tools. 8 Destructive, 45 Write. delete_file, create_branch, add_issue_comment. Full write access to your repositories.

  • Supabase: 32 tools. 6 Destructive, 12 Write. delete_branch, reset_branch, deploy_edge_function. Your database schema is one hallucination away from a bad day.

  • Cloudflare: 5 separate servers with dozens of tools across them. API management, DNS, Workers — operational tools that can take down production infrastructure.

The common thread: every config gives the agent full access to everything the server exposes. There is no concept of least privilege. If the tool exists, the agent can call it.
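To make the breakdown above concrete, here is how a scanner can classify the tools a server advertises. This is an added example, not PolicyLayer's code or any vendor's: the category names, the name-based regexes and the sample `tools/list` response are this example's own constructions (the tool names mostly come from the post; delete_customer is made up). It also handles the case the post's data does not show: a server whose annotations understate a tool's risk.

```javascript
// Added example (not PolicyLayer's or any MCP server's code): classify the tools
// an MCP server returns from `tools/list`. Categories and regexes are this
// example's own heuristics, not the scanner's scheme.

// Constructed `tools/list` response in the MCP JSON-RPC shape. Most names are
// ones the post mentions; descriptions and annotations are made up, and
// delete_customer is deliberately mislabelled readOnly by the "server".
const SAMPLE_TOOLS_LIST = {
  jsonrpc: '2.0',
  id: 1,
  result: {
    tools: [
      { name: 'list_customers', description: 'List customers', inputSchema: { type: 'object' },
        annotations: { readOnlyHint: true } },
      { name: 'create_refund', description: 'Refund a charge', inputSchema: { type: 'object' } },
      { name: 'cancel_subscription', description: 'Cancel a subscription', inputSchema: { type: 'object' },
        annotations: { destructiveHint: true } },
      { name: 'create_payment_link', description: 'Create a payment link', inputSchema: { type: 'object' } },
      { name: 'delete_file', description: 'Delete a file from a repository', inputSchema: { type: 'object' },
        annotations: { destructiveHint: true } },
      { name: 'create_branch', description: 'Create a branch', inputSchema: { type: 'object' } },
      { name: 'add_issue_comment', description: 'Comment on an issue', inputSchema: { type: 'object' } },
      { name: 'get_file_contents', description: 'Read a file', inputSchema: { type: 'object' } },
      { name: 'delete_customer', description: 'Delete a customer', inputSchema: { type: 'object' },
        annotations: { readOnlyHint: true } },
    ],
  },
};

const FINANCIAL = /refund|payment|charge|payout|subscription|invoice/i;
const DESTRUCTIVE = /^(delete|remove|destroy|cancel|reset|drop|purge|revoke)_/i;
const WRITE = /^(create|update|add|set|deploy|push|merge|send|write|edit)_/i;
const READ = /^(get|list|search|read|fetch|describe|query)_/i;

// Higher number = more dangerous. Unknown ranks above Read so an unclassifiable
// tool is surfaced for review rather than silently treated as harmless.
const SEVERITY = { Read: 0, Unknown: 1, Write: 2, Destructive: 3, Financial: 3 };

// Category from the tool name alone.
function categoryFromName(name) {
  if (DESTRUCTIVE.test(name)) return FINANCIAL.test(name) ? 'Financial' : 'Destructive';
  if (WRITE.test(name)) return FINANCIAL.test(name) ? 'Financial' : 'Write';
  if (READ.test(name)) return 'Read';
  return 'Unknown';
}

// Category from the spec's optional ToolAnnotations (readOnlyHint /
// destructiveHint), or null when the server set none.
function categoryFromHints(tool) {
  const a = tool.annotations || {};
  if (a.destructiveHint === true) return 'Destructive';
  if (a.readOnlyHint === true) return 'Read';
  return null;
}

// Annotations are server-supplied hints with no protocol enforcement, so a hint
// may raise a tool's category but never lower it.
function classifyTool(tool) {
  const byName = categoryFromName(tool.name);
  const byHint = categoryFromHints(tool);
  if (byHint === null || SEVERITY[byHint] <= SEVERITY[byName]) return byName;
  return byHint;
}

// Per-server breakdown like the one in the post: total, a count per category,
// and which tool names landed in each category.
function summarize(toolsListResponse) {
  const tools = toolsListResponse.result.tools;
  const counts = { Read: 0, Write: 0, Destructive: 0, Financial: 0, Unknown: 0 };
  const byCategory = {};
  for (const tool of tools) {
    const category = classifyTool(tool);
    counts[category] += 1;
    if (!byCategory[category]) byCategory[category] = [];
    byCategory[category].push(tool.name);
  }
  return { total: tools.length, counts, byCategory };
}

console.log(JSON.stringify(summarize(SAMPLE_TOOLS_LIST), null, 2));
```

On the sample above this reports 9 tools: 3 Financial, 2 Destructive, 2 Write, 2 Read, with delete_customer counted as Destructive despite its readOnlyHint. A real scan would obtain the tool list by connecting to each server in the config and calling `tools/list`; the classification step is the same.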

Why this matters

When you add an MCP server to your config, you’re not just giving your agent a capability. You’re giving it every capability that server exposes, with no restrictions.

Most developers don’t read the full tool list before adding a server. They want “Stripe integration” and get cancel_subscription as a bonus. They want “GitHub access” and get delete_file for free.

This isn’t a hypothetical risk. These are the exact configs that developers copy into their projects. The .mcp.json files in these repos are templates that teams adopt wholesale.

What you can do

1. Scan your config. Paste your .mcp.json into policylayer.com/scan or run:

npx policylayer

It takes seconds. You’ll see every tool your agent can access, categorised by risk.

2. Add scanning to CI. If your repo has a .mcp.json, add the PolicyLayer GitHub Action to your workflow:

name: MCP Security Scan
on:
  pull_request:
    # Only run when an MCP config changes
    paths:
      - '.mcp.json'
      - '**/.mcp.json'

# The action comments on the PR, so the job token needs write access to PRs
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pin to a release tag or commit SHA in production; @main is a moving target
      - uses: policylayer/scan-action@main
        with:
          fail-on: 'High'

Every PR that touches your MCP config gets scanned. The action posts a comment with the findings and can fail the build if dangerous tools are detected.

3. Enforce policies. Scanning tells you what’s exposed. Intercept lets you enforce rules — block destructive tools, rate-limit writes, validate arguments — without modifying the MCP server:

npx @policylayer/intercept
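What "enforce rules without modifying the server" looks like in code: a gate between the agent and the server that decides, per JSON-RPC `tools/call` request, whether to forward it. This is an added example, not Intercept's code; the policy shape (allowlist, deny list, per-argument rules, sliding-window write limit), the server name "stripe" and the refund cap in minor currency units are all this example's own assumptions.

```javascript
// Added example (not PolicyLayer's Intercept): a policy gate for MCP tools/call
// requests. Policy format, argument rules and the refund cap are assumptions
// made for this example.

// Constructed policy for a server the agent's config calls "stripe". Tool names
// are the ones the post mentions; the cap of 5000 (minor units) is made up.
const POLICY = {
  stripe: {
    // Allowlist: a tool the server exposes but that is not listed here is
    // denied, so adding the server does not grant every tool it ships.
    allow: ['list_customers', 'create_payment_link', 'create_refund'],
    // Always blocked, whatever the server advertises.
    deny: ['cancel_subscription'],
    // Argument validation per tool: refunds above the cap are refused so a
    // human has to issue them.
    arguments: { create_refund: { amount: { required: true, max: 5000 } } },
    // Sliding-window rate limit on the tools that write.
    writeLimit: { tools: ['create_payment_link', 'create_refund'], max: 3, windowMs: 60000 },
  },
};

// Gate state: timestamps of allowed write calls, per server.
function newState() {
  return { writes: {} };
}

// Returns a rejection reason, or null when every argument rule passes.
function checkArguments(rules, args) {
  for (const [field, rule] of Object.entries(rules || {})) {
    const value = args ? args[field] : undefined;
    if (value === undefined) {
      if (rule.required) return `missing required argument "${field}"`;
      continue;
    }
    // A non-numeric amount (e.g. the string "100") is rejected, not coerced.
    if (rule.max !== undefined && (typeof value !== 'number' || value > rule.max)) {
      return `argument "${field}"=${JSON.stringify(value)} exceeds max ${rule.max}`;
    }
  }
  return null;
}

// Decide on one request. `now` is injected so the window check is deterministic.
function decide(policy, state, server, request, now) {
  if (request.method !== 'tools/call') {
    return { allow: true, reason: 'not a tool call; forwarded unchanged' };
  }
  const rules = policy[server];
  if (!rules) return { allow: false, reason: `no policy for server "${server}"` };

  const tool = request.params && request.params.name;
  if (rules.deny.includes(tool)) return { allow: false, reason: `${tool}: denied by policy` };
  if (!rules.allow.includes(tool)) return { allow: false, reason: `${tool}: not in allowlist` };

  const argError = checkArguments(rules.arguments && rules.arguments[tool], request.params.arguments);
  if (argError) return { allow: false, reason: `${tool}: ${argError}` };

  const limit = rules.writeLimit;
  if (limit && limit.tools.includes(tool)) {
    const recent = (state.writes[server] || []).filter((t) => now - t < limit.windowMs);
    if (recent.length >= limit.max) {
      return { allow: false, reason: `${tool}: write rate limit of ${limit.max} per ${limit.windowMs} ms exceeded` };
    }
    state.writes[server] = recent.concat(now); // only allowed writes consume budget
  }
  return { allow: true, reason: `${tool}: permitted` };
}

// Build a tools/call request in the MCP JSON-RPC shape.
function toolCall(id, name, args) {
  return { jsonrpc: '2.0', id, method: 'tools/call', params: { name, arguments: args } };
}

// Constructed sequence of agent requests run through the gate.
function demo() {
  const state = newState();
  const t0 = 1700000000000;
  const requests = [
    [toolCall(1, 'list_customers', {}), t0],                                      // read: allowed
    [toolCall(2, 'cancel_subscription', { subscription: 'sub_x' }), t0],         // on deny list
    [toolCall(3, 'delete_customer', { customer: 'cus_x' }), t0],                 // not allowlisted
    [toolCall(4, 'create_refund', { charge: 'ch_x', amount: 25000 }), t0],       // over the cap
    [toolCall(5, 'create_refund', { charge: 'ch_x', amount: 1500 }), t0 + 1000],
    [toolCall(6, 'create_refund', { charge: 'ch_y', amount: 1500 }), t0 + 2000],
    [toolCall(7, 'create_payment_link', { price: 'price_x' }), t0 + 3000],
    [toolCall(8, 'create_refund', { charge: 'ch_z', amount: 1500 }), t0 + 4000], // 4th write in window
    [toolCall(9, 'create_refund', { charge: 'ch_z', amount: 1500 }), t0 + 61000], // window has slid
  ];
  return requests.map(([req, now]) => decide(POLICY, state, 'stripe', req, now));
}

for (const d of demo()) console.log(d.allow ? 'ALLOW' : 'DENY ', d.reason);
```

The sequence allows the read and the first three in-cap writes, denies the deny-listed tool, the unlisted tool, the over-cap refund and the fourth write inside the window, then allows the write that arrives after the window has slid. Argument checks run before the rate limit, so a rejected refund does not consume write budget, and the gate never touches the server: it only decides which requests reach it.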

The default is broken

MCP servers ship with no tool-level access control. The protocol has no built-in concept of per-tool permissions, scopes, or policies: once an agent is connected, every tool the server lists is callable, all the time. The annotations a server may attach to a tool (readOnlyHint, destructiveHint) are advisory hints, not enforced permissions.

That’s a design choice, not a technical limitation. And until it changes, the responsibility falls on teams to enforce their own controls.

The scan is free. The action is free. The data speaks for itself.

Scan your config now.

Protect your agent in 30 seconds

Scans your MCP config and generates enforcement policies for every server.

npx -y @policylayer/intercept init
github.com/policylayer/intercept →