Manifest, Manifold’s open-access supply chain intelligence tool for the AI agent ecosystem, now covers MCP servers. Over 7700 servers from the official MCP Registry are indexed, scored, and made searchable alongside the existing database of skills and plugins.
Every server receives a composite Manifest Score based on two signal families: Lineage (publisher provenance) and Safety (behavioral risk indicators). The scores are additive: a higher Manifest Score, or a higher score in either category, signals greater confidence that a component's provenance and hygiene are sound.
The extended coverage is now live at manifest.manifold.security.
MCP Servers Are Widely Adopted, and Largely Unvetted
The AI agent supply chain is expanding faster than the security around it. Skills, plugins, MCP servers, browser extensions: every new category of third-party component widens the attack surface that security teams need to map and protect. The tooling to do so reliably is still catching up.
MCP servers occupy a particular position in this landscape. The protocol has faced skepticism, and its long-term dominance as the standard for agent-to-tool communication is not guaranteed. But adoption tells a clear story: Anthropic’s official MCP Registry lists over 7,000 servers, and MCP support is now built into most major agent platforms. The protocol’s appeal is straightforward. It gives developers a simple, standardized way to connect agents to external tools and data sources. That simplicity has driven rapid uptake.
The security challenge is that MCP servers control what an agent can access and where it sends data. A compromised or malicious MCP server doesn't just influence reasoning. It controls execution. And unlike skills, which are inspectable markdown files typically backed by a GitHub repository, many MCP servers expose only an HTTP endpoint with no source code to analyze. The tool descriptions and metadata they declare are often the only inspectable surface. What happens behind that surface is opaque: a server can accept inputs from the agent and forward them to a third party with no indication in the declared interface that it does so.
For security teams, this is a growing category of supply chain risk that needs coverage.
How Manifest’s MCP Scoring Works
Every MCP server in Manifest receives a Manifest Score: a single composite rating representing Manifold’s overall confidence in the publisher and the artifact. The score draws from two signal families.
Lineage Score evaluates the provenance of the server and its publisher. Signals include authorship history and community footprint, repository age and commit patterns, and naming or identity discrepancies between the registry listing and the underlying source.
Safety Score inspects the server’s declared surface for content that contradicts stated behavior or attempts to manipulate the calling agent. This includes coercive LLM instructions that attempt to override agent decision-making and tool descriptions that contradict a tool’s declared purpose, including embedded prompt injection.
The two scores resolve into the composite Manifest Score, displayed on every server page in the registry. These scores are additive, meaning higher they are, the greater confidence a user/consumer can have in an asset’s provenance and hygiene.
What’s Available
MCP server intelligence is available in Manifest in two tiers:
Open access (free): Full index of scored MCP servers. Lineage Score, Safety Score, and composite Manifest Score for every indexed server. Searchable and browsable alongside skills and plugins.
Enterprise: MCP server intelligence integrates directly with the Manifold platform. Every agent-connected MCP server discovered in your environment is automatically enriched with its Manifest Score, giving security teams a quantitative signal for each component instead of relying on manual code reviews. At scale, that's the difference between triaging hundreds of connections by hand and sorting by score.
At the time of writing, Manifest has indexed over 206,388 assets across skills, plugins, and MCP servers from 31,472 unique publishers.
What’s Next
The Manifest index will continue to expand as the MCP ecosystem grows, and as the broader AI supply chain evolves. Additional registry s7709ources and GitHub-hosted servers are under evaluation for future coverage. Community contributions through the review request feature will accelerate indexing.
Discover more at manifest.manifold.security.
Latest articles
