We Scored 5,154 MCP Servers. Here's the Trust Distribution.

Most MCP security analysis posts start with a few hundred servers. Some reach 1,800. We indexed 5,154. CraftedTrust is an independent trust registry for the MCP server ecosystem. We've been scanning, scoring, and cataloging every MCP server we can find — npm packages, GitHub repos, and live endpoints. As of today, we've built what we believe is the largest trust-scored dataset of MCP servers in existence. Here's what we found. The Numbers Metric Count Total MCP servers indexed 5,154 Live-verified (actual handshake + deep probe) 118 Static-analyzed (npm metadata + repo signals) 5,027 Unique vulnerability findings 62 High-severity vulnerabilities 23 Published security advisories 5 Active coordinated disclosures 9 Security checks in our model 60 That last number matters. Our scanner, Touchstone, runs 60 automated security checks across 8 domains every time we assess a server. This isn't a surface-level metadata scrape — it's protocol-level interrogation. Trust Score Distribution Every ser