what if MCP servers had a Lighthouse-style security score?

Source: DEV Community
i've been auditing MCP servers for a few weeks now. 194 packages scanned, 118 had security findings. that's a 60.8% failure rate. and these are the ones people are plugging into their AI agents right now.

the problem isn't that developers are lazy. it's that there's no visibility. when you npm install @some-mcp/filesystem-server, you have zero signal about whether it sanitizes paths, leaks env vars, or shells out with unsanitized input.

we have Lighthouse for web performance. we have Snyk for dependency vulnerabilities. we have nothing for MCP server security.

the proposal: MCP Security Score

a 0-100 score, computed automatically, covering 5 dimensions:

1. input validation (25 pts) -- does the server validate tool parameters before use? or does directory: "../../etc/passwd" just work?
2. execution safety (25 pts) -- shell injection checks. does it use execFileSync with argument arrays or string-concatenated execSync? does python code use shlex.quote()?
3. environment isolation (20 pts)