Why MCP Servers With Dynamic Code Execution Show Higher Risk Concentration: Observations From 134 Servers
Across 134 MCP servers with dynamic code execution capability, the same threat cluster repeatedly appeared and 77.6% received BLOCK verdicts. When external command execution or outbound communication was also present, risk concentration increased further.
Terminology
| Term | Meaning |
|---|---|
| Dynamic code execution capability | The ability to evaluate or run code at runtime |
| External command execution capability | The ability to launch shell commands or child processes |
| Co-occurrence | Multiple threats or capabilities observed on the same server |
| BLOCK rate | The share of servers in a group that received a BLOCK verdict |
Lead
Among MCP servers, those with dynamic code execution capability warrant especially careful review. The reason is not simply that "code can run." The real issue is that input handling, privilege boundaries, outbound communication, and execution control tend to converge inside the same server.
This report examines 134 servers where dynamic code execution capability was observed, and 62 servers where external command execution capability was observed, within a population of 2,867 unique MCP servers. The goal is to identify which threat clusters appeared repeatedly and how risk intensified when multiple execution-oriented capabilities were combined.
Key Findings
- The same five threat patterns were observed across all 134 servers with dynamic code execution capability.
- Of those 134 servers, 104 servers (77.6%) received BLOCK.
- Across the 62 servers with external command execution capability, Shell RCE and Argument Injection were observed in all cases.
- The 9 servers where both execution-oriented capabilities were observed all received BLOCK in this dataset.
- Roughly one-fifth of the servers with dynamic code execution capability also exposed communication-related capabilities.
Dataset
| Item | Value |
|---|---|
| Total population | 2,867 unique MCP servers |
| Servers with dynamic code execution capability | 134 |
| Servers with external command execution capability | 62 |
| Observation window | April 2026 |
Threats Repeatedly Observed Across 134 Servers
The following five threat patterns were observed across all 134 servers with dynamic code execution capability.
| Threat Pattern | Observation Rate |
|---|---|
| Shell RCE | 100% |
| Function Hijacking | 100% |
| PleaseFix Attack | 100% |
| Prompt Injection | 100% |
| Insecure Plugin Design | 100% |
What this supports is a narrower claim: in this dataset, these five patterns consistently appeared together for servers with dynamic code execution capability.
This is not proof that attacks actually occurred. It does show that servers with dynamic code execution capability tended to expose multiple attack surfaces at the same time.
Additional Threats That Often Overlapped
Some of the 134 servers also showed additional threat patterns.
| Additional Threat | Observation Rate | Commonly Associated Capability |
|---|---|---|
| SSRF | 22.4% | External data retrieval |
| Path Traversal | 14.9% | Local file reading |
| Data Exfiltration | 14.2% | Outbound transmission |
| Indirect Theft | 14.2% | Outbound transmission |
| Clawdrain | 6.7% | Heavy resource consumption |
| MITM | 6.7% | Unsafe network exposure |
| DNS Rebinding | 6.7% | Unsafe network exposure |
| Argument Injection | 6.7% | External command execution |
Dynamic code execution already creates a broad attack surface on its own. When outbound communication or file operations are added, additional threat families become easier to observe on the same server.
The 62 Servers With External Command Execution Capability
The 62 servers with external command execution capability showed the following pattern.
| Threat Pattern | Observation Rate |
|---|---|
| Shell RCE | 100% |
| Argument Injection | 100% |
| Path Traversal | 46.8% |
| Data Exfiltration | 21.0% |
| Indirect Theft | 21.0% |
| SSRF | 17.7% |
External command execution may look narrower than dynamic code execution, but command argument handling and file-path processing often become direct attack surfaces. That helps explain why Argument Injection and Path Traversal appeared at relatively high rates in this group.
When Both Execution Capabilities Are Present
Nine servers showed both dynamic code execution capability and external command execution capability. In this dataset, all nine received BLOCK.
This is not proof of a universal rule that two execution capabilities are always dangerous. It does indicate that when multiple execution-oriented capabilities concentrate on the same server, the review posture becomes substantially more severe.
Three Design Patterns
In this dataset, servers with dynamic code execution capability fell into three broad patterns.
1. Single-function execution
103 servers, or about 77% of the group.
These servers mainly focused on running code and exposed fewer additional capabilities.
2. Execution plus communication
Roughly 20% of the group.
These servers combined code execution with outbound or inbound communication, making overlaps with threats such as SSRF and Data Exfiltration more common.
3. Multi-function integration
9 servers, or about 7% of the group.
These servers combined code execution, external commands, file operations, and outbound communication. In this dataset, this pattern was the most strongly associated with BLOCK verdicts.
How To Read This Operationally
For deployment review, the most practical screening order is:
- Does the server execute code dynamically?
- Does it launch external commands?
- Does it also send data outward or fetch external data?
- Are file operations combined with those capabilities?
More capability can look convenient, but it also creates more connected attack surfaces. Servers that combine execution, outbound transmission, and write access deserve especially careful review.
Limitations
- This report is a trend analysis based on observed data, not proof that attacks were actually carried out.
- Sandbox implementation quality was not evaluated directly.
- Some servers without observed dynamic code execution capability may still expose execution paths through other mechanisms.
- Individual server names are not disclosed here because the article focuses on aggregate patterns rather than per-server alerts.
Conclusion
Across 2,867 unique MCP servers, the 134 servers with dynamic code execution capability showed a strongly repeated threat cluster. When external command execution or communication-related capabilities were also present, risk became more compound.
The main lesson is not just that running code is risky. It is that execution capability becomes materially more dangerous when combined with other operational capabilities on the same server. Function separation and clear privilege boundaries matter.
MCP Guard continuously tracks the co-occurrence of execution-oriented capabilities and threat signals across MCP servers.