Public Incident Log
MCP Server Incidents
Servers removed from the directory after confirmed security incidents — CVEs, in-the-wild backdoors, or supply chain compromises. We publish this log in the open so the record stays auditable.
Our Incident Response Policy
Removal within 24 hours. Any MCP server in our directory with an active CVE (CVSS ≥ 7.0), confirmed in-the-wild backdoor, or credibly disclosed supply chain compromise is removed from the directory within 24 hours of disclosure.
Public incident page. The original listing URL redirects to a dedicated incident page documenting what happened, who disclosed it, and where readers can verify the disclosure independently.
Re-listing requires a patched release plus 30 days. A removed server can be re-listed once the maintainer ships a patched version and 30 days pass with no further disclosures against the same root cause.
Methodology lives in the article. The framework we score servers against is published in Why 73% of Public MCP Servers Fail Basic Security Checks.
Report a Compromise
Found a compromised MCP server in our directory? Notice an active CVE we haven't responded to? We want to hear from you. Reach out via our contact page or email hello@agenticskills.io with the subject line MCP Security Incident.
For coordinated disclosure, we ask for 90 days from initial report to public listing unless the issue is already in the wild. Include: server slug, source of disclosure (CVE record / vendor advisory / security firm write-up), and a short technical summary.
Incident Log
No incidents on record.
No MCP server in our directory has been removed for a confirmed security incident as of . This page updates whenever the log changes.