43% of MCP Servers Are Vulnerable — Why Agent Security Can't Wait
The numbers are hard to ignore. Adversa AI's Top 25 MCP Vulnerabilities research found that 43% of MCP servers are vulnerable to command injection — a class of bug that's been a solved problem since the 1990s. Another 37% require no authentication at all. Anyone can connect, call tools, and execute actions with zero identity verification.
This isn't a theoretical risk. These are real servers, running in production, connected to AI agents that make autonomous decisions. And the problem is accelerating: there are now over 10,000 MCP servers in the wild, most of them open-source weekend projects with no security review, no monitoring, and no accountability.
Meanwhile, the attack surface is getting formal recognition. Bruce Schneier published a 7-stage “promptware kill chain.” OWASP released its first Top 10 for Agentic Applications. Researchers are documenting identity file poisoning as a persistence mechanism. The security community is treating this as a real and present danger. The agent ecosystem needs to catch up.
The Promptware Kill Chain
In February 2026, Bruce Schneier and colleagues published “The Promptware Kill Chain” — a framework that reframes prompt injection from a single vulnerability into a structured, multi-stage attack campaign. Think MITRE ATT&CK, but for AI agents.
The seven stages mirror traditional malware campaigns like Stuxnet and NotPetya, adapted for the LLM era: among them are initial access, privilege escalation, reconnaissance, persistence, lateral movement, and actions on objective.
Schneier's key insight: prompt injection isn't the whole attack — it's just step one. Defending against initial access alone is insufficient. You need defense-in-depth that can break the chain at every subsequent stage.
The Attack Vectors That Keep Researchers Up at Night
Command Injection via MCP Tools
Adversa AI's research ranks command injection as the #2 MCP vulnerability, with a critical 10/10 impact score and “easy” exploitability. The root cause is depressingly familiar: MCP servers that pass user-controlled input directly to shell commands or system calls without sanitization. It's SQL injection all over again, except the victim is an autonomous agent with file system access, network capabilities, and API credentials.
Identity File Poisoning
This is the attack vector unique to the agentic era. Modern AI agents use configuration files — SOUL.md, AGENTS.md, MEMORY.md — to define their identity, personality, and persistent memory. Researchers have demonstrated that attackers can poison these files through indirect prompt injection, turning an agent's own identity into a persistence mechanism.
The attack chain is elegant and terrifying: a malicious instruction hidden in a document tricks the agent into modifying its own soul file. On every subsequent session, the poisoned identity loads automatically. The agent is compromised at the deepest possible level — not its tools, not its memory, but its sense of self. Even uninstalling the original attack vector doesn't help; the file modifications persist.
VirusTotal confirmed 341 malicious skills on public registries that use exactly this pattern — dropping instructions into identity and configuration files so injected commands survive even after the malicious skill is removed.
Tool Poisoning & Schema Attacks
Adversa AI documents tool poisoning (TPA) at #3 on their list with a 9/10 impact score. Attackers compromise tool schema definitions themselves — injecting hidden parameters, altered return types, or malicious default values that affect all subsequent invocations while appearing legitimate to monitoring systems. Full schema poisoning takes this further, manipulating entire tool definitions at the structural level.
Agent-to-Agent Exploitation
As agents increasingly communicate with other agents — through A2A protocols, shared MCP servers, or multi-agent orchestration — each connection becomes a potential propagation path. Schneier's lateral movement stage maps directly to this: a compromised agent with access to shared communication channels can inject malicious instructions into every agent it interacts with. One poisoned agent in a multi-agent workflow can compromise the entire chain.
OWASP Gets Serious About Agentic Security
The OWASP Top 10 for Agentic Applications 2026 is the first industry-standard framework dedicated to securing autonomous AI agents. Developed by over 100 industry experts, it provides the same kind of structured, prioritized guidance that OWASP's web application Top 10 gave us two decades ago.
The fact that OWASP — the organization that defined web application security — now has a dedicated agentic AI track tells you where we are. This isn't an emerging threat. It's an active one, being cataloged and classified by the same institutions that shaped how we think about application security.
Why a Billing & Trust Layer Is a Security Layer
Here's the uncomfortable question: why are 43% of MCP servers vulnerable to command injection — a bug class we've known how to prevent for thirty years?
The answer isn't technical incompetence. It's economic incentives. When your MCP server is a free open-source project with no revenue, you don't invest in input sanitization, security reviews, or monitoring. Nobody's on-call at 3 AM for a hobby project. And when 37% of servers have no authentication, there's no barrier to entry for attackers — and no way to know who's actually calling your tools.
A billing and trust layer doesn't just enable monetization — it creates the infrastructure for accountability:
- Verify-before-execute. When every tool call has a billing identity attached, anonymous exploitation becomes impossible. You know who called what, when, and can revoke access instantly.
- Provider verification. Verified providers have a reputation to protect. They invest in security because their trust score — and revenue — depends on it.
- Signed receipts as audit trails. Cryptographically signed records of every invocation create tamper-evident accountability. When something goes wrong, you have proof of what happened.
- SLA tracking surfaces bad actors. 30-day uptime, latency, and error rate monitoring makes unreliable or compromised servers visible before they cause damage.
- Trust scores break the kill chain. An agent that checks a provider's trust score before invoking tools is practicing Schneier's defense-in-depth — disrupting the chain before lateral movement or actions on objective can occur.
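To make the "signed receipts" idea concrete, here's a minimal sketch of a tamper-evident invocation receipt. It's illustrative only: the field names (`caller`, `tool`, `params_hash`) are hypothetical, and it uses a shared-secret HMAC for brevity where a production system would use asymmetric signatures.

```python
import hashlib
import hmac
import json
import time

SECRET = b"provider-signing-key"  # illustrative; use an asymmetric key pair in practice

def sign_receipt(caller_id: str, tool: str, params: dict) -> dict:
    """Create a tamper-evident record of a single tool invocation."""
    receipt = {
        "caller": caller_id,
        "tool": tool,
        # Hash the parameters rather than storing them verbatim.
        "params_hash": hashlib.sha256(
            json.dumps(params, sort_keys=True).encode()
        ).hexdigest(),
        "timestamp": time.time(),
    }
    payload = json.dumps(receipt, sort_keys=True).encode()
    receipt["signature"] = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return receipt

def verify_receipt(receipt: dict) -> bool:
    """Recompute the signature over the receipt body and compare."""
    body = {k: v for k, v in receipt.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["signature"])
```

Because the signature covers the caller identity, tool name, parameter hash, and timestamp together, any after-the-fact modification of the record fails verification — which is what makes the receipt usable as an audit trail.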
This is the model we're building at Agent Bazaar: every tool call authenticated, every invocation receipted, every provider verified. Not because billing demands it, but because security does.
What Developers Should Do Now
Whether you're building MCP servers, orchestrating agents, or consuming tools — here are concrete steps based on the research:
1. Treat input sanitization as non-negotiable
A 43% vulnerability rate means most servers skip this step. Every tool parameter that touches a shell command, file path, or database query needs validation and sanitization. Use allowlists, not blocklists. This is 1990s-era security hygiene — apply it.
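A minimal sketch of what allowlist-based sanitization looks like before a tool parameter reaches a shell command. The specific commands and argument pattern are placeholders — the point is that anything not explicitly permitted is rejected, and the subprocess is invoked as an argument list so shell metacharacters are never interpreted.

```python
import re
import subprocess

# Allowlist: only these commands (and, where listed, subcommands)
# may run. Everything else is rejected outright.
ALLOWED_COMMANDS = {"git": {"status", "log"}, "ls": set()}
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")

def run_tool_command(command: str, args: list[str]) -> str:
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowlisted: {command}")
    allowed_sub = ALLOWED_COMMANDS[command]
    if allowed_sub and (not args or args[0] not in allowed_sub):
        raise ValueError("subcommand not allowlisted")
    for arg in args:
        if not SAFE_ARG.match(arg):
            raise ValueError(f"argument rejected: {arg!r}")
    # Argument-list form, no shell=True: metacharacters like ';' are inert.
    result = subprocess.run([command, *args], capture_output=True, text=True)
    return result.stdout
```

Note the structure: an injection attempt like `status; rm -rf /` fails twice — it isn't an allowlisted subcommand, and `;` doesn't match the argument pattern.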
2. Implement authentication on every MCP endpoint
37% of servers require no auth. If your MCP server is reachable over the network, it needs authentication. OAuth, API keys, mutual TLS — pick one. Anonymous access to tool execution is not a feature, it's a vulnerability.
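As one option among the three mentioned, here's a sketch of API-key authentication for a tool endpoint. The key store and handler are hypothetical; the two habits worth copying are storing only key hashes (so a leaked store doesn't leak usable keys) and resolving every call to a named identity before executing anything.

```python
import hashlib
import hmac

# Server-side store mapping hashed API keys to caller identities.
_KEY_STORE = {
    hashlib.sha256(b"demo-key-123").hexdigest(): "agent-alpha",
}

def authenticate(api_key: str) -> str:
    """Return the caller identity for a valid key, or raise."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, caller in _KEY_STORE.items():
        # Constant-time comparison avoids timing side channels.
        if hmac.compare_digest(stored, digest):
            return caller
    raise PermissionError("unknown API key")

def handle_tool_call(api_key: str, tool: str) -> str:
    caller = authenticate(api_key)  # verify-before-execute
    return f"{caller} invoked {tool}"
```

Every invocation now carries an identity, which is the precondition for the audit trails and revocation described earlier.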
3. Protect your identity files
If your agent uses SOUL.md, AGENTS.md, or similar configuration files, treat them as critical infrastructure. Hash them on startup. Monitor for modifications. Never let untrusted content — web scrapes, tool outputs, document contents — write to identity files directly.
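The "hash on startup, monitor for modifications" advice can be sketched in a few lines. This is a simplified integrity check, not a full defense — a real deployment would also protect the baseline itself from agent writes.

```python
import hashlib
from pathlib import Path

IDENTITY_FILES = ["SOUL.md", "AGENTS.md", "MEMORY.md"]

def snapshot(base: Path) -> dict[str, str]:
    """Hash each identity file at startup to establish a baseline."""
    return {
        name: hashlib.sha256((base / name).read_bytes()).hexdigest()
        for name in IDENTITY_FILES
        if (base / name).exists()
    }

def check_integrity(base: Path, baseline: dict[str, str]) -> list[str]:
    """Return the identity files whose contents changed since startup."""
    current = snapshot(base)
    return [name for name in baseline if current.get(name) != baseline[name]]
```

An agent runtime would call `snapshot` once at session start and `check_integrity` before each session loads its identity — any nonempty result means the poisoning persistence mechanism described above may be in play, and the file should be quarantined rather than loaded.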
4. Design for kill chain disruption
Schneier's framework tells us: assume initial access will happen. Focus on breaking subsequent stages. Limit privilege escalation with strict tool permissions. Constrain reconnaissance by minimizing what agents can discover about their own infrastructure. Prevent persistence by making memory and config files immutable to agent actions.
5. Audit your agent-to-agent trust boundaries
Every A2A connection is a potential propagation path. Verify the identity of agents you communicate with. Validate and sanitize inter-agent messages the same way you would external user input. Don't trust an agent just because it's inside your network.
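A minimal sketch of treating inter-agent messages as untrusted input. The peer list, message fields, and action names here are illustrative — they don't come from any A2A specification — but the shape generalizes: verify the sender, validate the structure, and allowlist the actions before acting.

```python
import json

# Illustrative policy: known peers and the actions we accept from them.
TRUSTED_PEERS = {"planner-agent", "search-agent"}
REQUIRED_FIELDS = {"sender", "action", "payload"}
ALLOWED_ACTIONS = {"summarize", "fetch_status"}

def accept_message(raw: str) -> dict:
    """Parse and validate an inter-agent message before acting on it."""
    msg = json.loads(raw)
    if not REQUIRED_FIELDS <= msg.keys():
        raise ValueError("missing required fields")
    if msg["sender"] not in TRUSTED_PEERS:
        raise PermissionError(f"unknown peer: {msg['sender']}")
    if msg["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowlisted: {msg['action']}")
    return msg
```

In a real deployment the sender claim would be backed by a cryptographic identity check rather than a string match, but even this simple gate blocks the "one poisoned agent compromises the chain" propagation path for free-form instructions.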
6. Use trust signals before invoking tools
Before your agent calls an external MCP tool, check: Is the provider verified? What's their uptime history? Do they produce signed receipts? A trust layer turns tool selection from a blind leap into an informed decision.
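The trust-signal check can be as simple as a policy gate evaluated before every external invocation. The fields and threshold below are hypothetical, not from any particular trust-layer API — the point is that the decision happens before the call, not after something breaks.

```python
from dataclasses import dataclass

@dataclass
class ProviderInfo:
    verified: bool        # has the provider passed verification?
    uptime_30d: float     # 30-day uptime as a fraction, e.g. 0.999
    signs_receipts: bool  # does it produce signed receipts?

MIN_UPTIME = 0.99  # illustrative threshold; tune to your risk tolerance

def should_invoke(provider: ProviderInfo) -> bool:
    """Gate tool invocation on basic trust signals."""
    return (
        provider.verified
        and provider.signs_receipts
        and provider.uptime_30d >= MIN_UPTIME
    )
```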
Security Requires Infrastructure
The agent security crisis won't be solved by individual developers hardening individual servers. It requires infrastructure-level changes — identity verification, audit trails, trust scoring, and economic incentives that reward security instead of ignoring it.
That's why we built Agent Bazaar with a trust layer at its core — not bolted on as an afterthought. Provider verification, signed receipts, SLA tracking, and composite trust scores are part of every transaction. The billing spec is MIT-licensed, because the security of the agent ecosystem shouldn't depend on which vendor you choose.
Bazaar is one solution among many that are needed. But we believe the trust-layer approach — verify before execute, receipt every action, score every provider — maps directly to the defense-in-depth strategy that Schneier and OWASP are calling for.
Sources: Adversa AI Top 25 MCP Vulnerabilities (September 2025, updated March 2026), Schneier et al. “The Promptware Kill Chain” (February 2026), OWASP Top 10 for Agentic Applications 2026, MMNTM “OpenClaw Soul & Evil” (March 2026). Disclosure: We build Agent Bazaar and have a clear perspective on trust infrastructure. This analysis is based on publicly available research.