Which Capability Patterns Correlate With Higher Risk in MCP Servers? Observations Across 2,867 Servers
Across 2,867 unique MCP servers, dynamic code execution and unsafe network exposure showed the highest BLOCK rates. Risk concentration increased further when multiple high-risk capabilities appeared together.
Terminology
| Term | Meaning |
|---|---|
| Capability pattern | A public-facing grouping of server capabilities observed during scanning |
| Unique server | A normalized server identity after deduplicating repeated scans of the same target |
| BLOCK rate | The share of servers in a group that received a BLOCK verdict |
| Co-occurrence | Two or more capabilities observed on the same server |
Lead
When evaluating MCP server risk, the key question is not only which server a team is considering, but what that server can actually do. File access, outbound transmission, dynamic code execution, and external command execution each create different attack surfaces.
This report analyzes the relationship between 11 public-facing capability groupings and final PASS / WARN / BLOCK verdicts across 2,867 unique MCP servers. The goal is not to expose internal logic, but to show which capability patterns are most strongly associated with higher operational risk.
Key Findings
- Unsafe network exposure had the highest observed BLOCK rate: 67 of 71 servers, or 94.4%.
- Dynamic code execution followed next: 104 of 134 servers, or 77.6%, were BLOCK.
- Out of 2,867 servers, 484 (16.9%) showed clearly observable high-risk capabilities.
- Risk increased further when high-risk capabilities co-occurred. In this dataset, 13 capability pairs reached a 100% BLOCK rate.
- Servers without directly observed high-risk capabilities still concentrated heavily at WARN. “No visible high-risk capability” does not mean “low risk.”
Dataset
| Item | Value |
|---|---|
| Unique servers analyzed | 2,867 |
| Observation window | April 2026 |
| Public-facing capability groups | 11 |
| Servers with clearly observed high-risk capabilities | 484 (16.9%) |
| Servers without directly observed high-risk capabilities | 2,383 (83.1%) |
The 11 Public-Facing Capability Groups
| Capability Group | Description | Servers | % of Total |
|---|---|---|---|
| Local file reading | Reading local files | 144 | 5.0% |
| External data retrieval | Pulling data from the web or APIs | 144 | 5.0% |
| Dynamic code execution | Evaluating or executing code at runtime | 134 | 4.7% |
| Outbound transmission | Sending data to external services | 88 | 3.1% |
| Unsafe network exposure | Dangerous bind or TLS settings | 71 | 2.5% |
| Local file writing | Creating or updating files | 68 | 2.4% |
| External command execution | Launching shell commands or child processes | 61 | 2.1% |
| Cross-server relay | Calling other servers or relaying results onward | 38 | 1.3% |
| Local file deletion | Deleting files | 27 | 0.9% |
| Heavy resource consumption | Looping or high-cost execution patterns | 16 | 0.6% |
| Broad OAuth permissions | Requesting unusually wide OAuth scopes | 2 | 0.1% |
BLOCK Rates by Capability Group
| Capability Group | Servers | PASS | WARN | BLOCK | BLOCK Rate |
|---|---|---|---|---|---|
| Unsafe network exposure | 71 | 0 | 4 | 67 | 94.4% |
| Dynamic code execution | 134 | 26 | 4 | 104 | 77.6% |
| Local file deletion | 27 | 7 | 2 | 18 | 66.7% |
| External command execution | 61 | 20 | 1 | 40 | 65.6% |
| Heavy resource consumption | 16 | 6 | 2 | 8 | 50.0% |
| Outbound transmission | 88 | 23 | 22 | 43 | 48.9% |
| Local file writing | 68 | 22 | 13 | 33 | 48.5% |
| Cross-server relay | 38 | 12 | 10 | 16 | 42.1% |
| External data retrieval | 144 | 55 | 33 | 56 | 38.9% |
| Local file reading | 144 | 54 | 36 | 54 | 37.5% |
What Stands Out Most
1. Unsafe network exposure
Unsafe network exposure was the strongest single risk signal in this dataset. Once observed, it was rarely isolated. It tended to appear alongside other operational capabilities, and the combined result was often a BLOCK verdict.
2. Dynamic code execution
Dynamic code execution was the second strongest signal, with a 77.6% BLOCK rate. This is not because the capability is automatically malicious, but because it creates multiple points of failure at once: input handling, privilege boundaries, outbound communication, and execution control.
3. “Read-only” capabilities are not harmless
Local file reading and external data retrieval showed lower BLOCK rates than the top-risk groups, but both still landed around 40%. These capabilities remain relevant because they open well-known paths such as Path Traversal and SSRF.
Co-Occurrence Patterns That Matter
In this dataset, 13 capability pairs reached a 100% BLOCK rate. Representative examples:
| Pair | Servers | BLOCK Rate |
|---|---|---|
| Dynamic code execution + external command execution | 9 | 100% |
| Dynamic code execution + local file writing | 8 | 100% |
| Dynamic code execution + unsafe network exposure | 9 | 100% |
| External command execution + outbound transmission | 9 | 100% |
| Local file reading + outbound transmission | 18 | 100% |
The practical point is not that any one capability is “the problem.” The larger risk comes from attack-surface connectivity: a capability that executes, another that reads, and another that sends outward create a more dangerous chain than any one of them alone.
Are Servers Without These Capabilities Safe?
No.
The 2,383 servers without directly observed high-risk capabilities were distributed as follows:
| Verdict | Count | Percentage |
|---|---|---|
| PASS | 615 | 25.8% |
| WARN | 1,718 | 72.1% |
| BLOCK | 47 | 2.0% |
Many of these servers were still flagged because of provenance concerns, permission requests, or communication/configuration issues. In other words, the absence of an obvious attack surface is not proof of low risk.
How To Read This Operationally
For procurement or deployment review, the most practical screening order is:
- Does the server execute code dynamically or launch external commands?
- Does it send data outward or relay results to other systems?
- Does it expose unsafe network behavior?
- Are multiple such capabilities present at the same time?
This order helps teams triage faster before they spend time on deeper per-server review.
Limitations
- This report uses public-facing capability groupings, not internal implementation terminology.
- Very small groups should be treated as reference values; broad OAuth permissions appeared in only 2 servers.
- The 100% BLOCK pairs are observed results from this dataset, not guarantees about future populations.
- Three-capability and larger combinations will be analyzed separately.
Conclusion
Across 2,867 unique MCP servers, dynamic code execution and unsafe network exposure were the two strongest observed correlates of BLOCK verdicts. Risk increased further when multiple high-risk capabilities appeared together.
For real-world MCP server review, teams should focus less on popularity and more on which capabilities coexist on the same server. Risk tends to compound through combinations, not through labels alone.
MCP Guard continuously tracks observed MCP server behavior to understand how capability patterns and threat signals move together over time.