I Built an OWASP Top 10 Scanner for MCP Servers. Here's What It Finds.

Source: DEV Community
MCP (Model Context Protocol) is everywhere. Cursor, Claude Desktop, Windsurf, GitHub Copilot -- they all use MCP servers to give AI agents access to tools. But nobody is scanning these servers for vulnerabilities.

I pointed my scanner at 15 public MCP servers. Every single one failed at least 6 out of 10 OWASP checks. Most failed all 10.

What's exposed

MCP servers expose tools -- functions that AI agents can call. Think run_command, query_database, read_file, fetch_url. Most servers have:

No authentication -- any caller can invoke any tool
No input validation -- command injection, SQL injection, path traversal all work
No message signing -- requests can be replayed or tampered with
No rate limiting -- flood the server, nobody notices
Dangerous tools exposed -- exec, shell, admin_panel sitting in the open

This isn't theoretical. The OWASP MCP Security Cheat Sheet documents these risks. There's an IETF draft proposing per-message signing to address them.

The OWASP MCP Top 10

I mapped the most
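Two of the exposures listed under "What's exposed" (dangerous tools and missing input validation) can be partly checked from a server's own `tools/list` result. The following is an added example, not the author's scanner: it audits a constructed sample response, and the finding labels, the set of flagged names beyond exec/shell/admin_panel, and the choice of JSON Schema keywords that count as a constraint are assumptions made for illustration.

```python
# Added example: audit an MCP tools/list result for risky tool definitions.
# Constructed sample data (not taken from any real server).
SAMPLE_RESULT = {"tools": [
    {"name": "run_command",
     "inputSchema": {"type": "object",
                     "properties": {"cmd": {"type": "string"}}}},
    {"name": "read_file",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string",
                                             "pattern": r"^[A-Za-z0-9_-]+\.txt$",
                                             "maxLength": 64}},
                     "additionalProperties": False}},
    {"name": "query_database",
     "inputSchema": {"type": "object",
                     "properties": {"table": {"type": "string", "enum": ["orders"]},
                                    "limit": {"type": "integer"}},
                     "additionalProperties": False}},
]}

# exec, shell, admin_panel are named in the post; run_command is added as an assumption.
DANGEROUS_NAMES = {"exec", "shell", "admin_panel", "run_command"}
# JSON Schema keywords treated here as evidence that a string input is constrained.
CONSTRAINTS = {"enum", "pattern", "maxLength", "format", "const"}

def audit_tool(tool):
    """Return a list of finding labels for one tool definition."""
    findings = []
    if tool.get("name", "").lower() in DANGEROUS_NAMES:
        findings.append("dangerous-tool")
    schema = tool.get("inputSchema") or {}
    props = schema.get("properties") or {}
    for pname, spec in props.items():
        # A bare {"type": "string"} accepts any text, including shell or SQL metacharacters.
        if spec.get("type") == "string" and CONSTRAINTS.isdisjoint(spec):
            findings.append(f"unconstrained-string:{pname}")
    # Without additionalProperties: false, undeclared arguments pass schema validation.
    if props and schema.get("additionalProperties") is not False:
        findings.append("extra-properties-allowed")
    return findings

def audit_tools_list(result):
    """Map each tool name in a tools/list result to its findings."""
    return {t.get("name", "?"): audit_tool(t) for t in result.get("tools", [])}

if __name__ == "__main__":
    for name, findings in audit_tools_list(SAMPLE_RESULT).items():
        print(name, findings or "ok")
```

A clean result only means the schema declares constraints; the server still has to enforce them and canonicalize paths and queries on its side.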