# We Scanned Popular Open Source MCP Configs. Here's What We Found.

> Cloudflare, Stripe, Supabase, Sentry, Firebase — we ran PolicyLayer's scan against real .mcp.json files from well-known repos. Most expose destructive tools with zero policy enforcement.

Published: Sat Apr 04

Canonical: https://policylayer.com/blog/we-scanned-open-source-mcp-configs

Every major developer platform now ships an MCP server. Stripe, GitHub, Supabase, Cloudflare, Sentry, Firebase, Vercel — all have published `.mcp.json` configs that let AI agents call their APIs directly.

We ran [PolicyLayer's free scan](https://policylayer.com/scan) against real configs from popular open source repos. The results are not reassuring.

## What we scanned

We pulled `.mcp.json` files from public GitHub repositories maintained by well-known organisations:

- **Cloudflare** ([cloudflare/skills](https://github.com/cloudflare/skills)) — 5 MCP servers covering API, docs, bindings, builds, and observability
- **Stripe** ([stripe/ai](https://github.com/stripe/ai)) — Stripe's official MCP server
- **Supabase** ([supabase/supabase](https://github.com/supabase/supabase)) — Database, auth, storage, and edge functions
- **Sentry** ([getsentry/spotlight](https://github.com/getsentry/spotlight)) — Error tracking and monitoring
- **Firebase** ([firebase/agent-skills](https://github.com/firebase/agent-skills)) — Google's Firebase MCP server
- **Vercel** ([vercel/next-devtools-mcp](https://github.com/vercel/next-devtools-mcp)) — Next.js dev tools

These aren't hobby projects. They're official configs from the companies that build these platforms.

## The findings

Across these configs, the scan classified every tool the agent would have access to. The pattern was consistent:

**Most tools are dangerous by default.** Every config we scanned exposed tools that can create, modify, or delete resources — with no policy enforcement, no rate limiting, and no argument validation.

Here's what a typical breakdown looks like:

- **Stripe**: 27 tools. 9 are Financial or Destructive — `create_refund`, `cancel_subscription`, `create_payment_link`. An agent with this config can issue refunds and cancel subscriptions without any guardrails.

- **GitHub**: 83 tools. 8 Destructive, 45 Write. `delete_file`, `create_branch`, `add_issue_comment`. Full write access to your repositories.

- **Supabase**: 32 tools. 6 Destructive, 12 Write. `delete_branch`, `reset_branch`, `deploy_edge_function`. Your database schema is one hallucination away from a bad day.

- **Cloudflare**: 5 separate servers with dozens of tools across them. API management, DNS, Workers — operational tools that can take down production infrastructure.

The common thread: **every config gives the agent full access to everything the server exposes.** There is no concept of least privilege. If the tool exists, the agent can call it.

## Why this matters

When you add an MCP server to your config, you're not just giving your agent a capability. You're giving it **every capability that server exposes**, with no restrictions.

Most developers don't read the full tool list before adding a server. They want "Stripe integration" and get `cancel_subscription` as a bonus. They want "GitHub access" and get `delete_file` for free.

This isn't a hypothetical risk. These are the exact configs that developers copy into their projects. The `.mcp.json` files in these repos are templates that teams adopt wholesale.

## What you can do

**1. Scan your config.** Paste your `.mcp.json` into [policylayer.com/scan](https://policylayer.com/scan) to [check your own MCP stack](/stack-check), or run:

```sh
npx policylayer
```

It takes seconds. You'll see every tool your agent can access, categorised by risk.

**2. Add scanning to CI.** If your repo has a `.mcp.json`, add the [PolicyLayer GitHub Action](https://github.com/policylayer/scan-action) to your workflow:

```yaml
name: MCP Security Scan
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: policylayer/scan-action@main
        with:
          fail-on: 'High'
```

Every PR that touches your MCP config gets scanned. The action posts a comment with the findings and can fail the build if dangerous tools are detected.

**3. Enforce policies.** Scanning tells you what's exposed. [PolicyLayer](/mcp-gateway) lets you enforce rules — block destructive tools, rate-limit writes, validate arguments — without modifying the MCP server. Route your MCP server through PolicyLayer — point your MCP client at the gateway URL with a per-person grant token, and your policy runs on every call before it reaches the upstream server:

```json
{
  "mcpServers": {
    "server": {
      "url": "https://proxy.policylayer.com/mcp/<server-uuid>/",
      "headers": { "Authorization": "Bearer <grant-token>" }
    }
  }
}
```

You define and adjust the policy in the [PolicyLayer dashboard](https://app.policylayer.com) — no local proxy to install or run.

## The default is broken

MCP servers ship with no access control. The protocol has no built-in concept of permissions, scopes, or policies. Every tool is available to every agent, all the time.

That's a design choice, not a technical limitation. And until it changes, the responsibility falls on teams to enforce their own controls.

The scan is free. The action is free. The data speaks for itself.

[Scan your config now](https://policylayer.com/scan).
