Field Insights
What scanning real MCP servers and Hugging Face models actually finds — patterns, outliers, and takeaways from the public sweep.
Everything on this page is computed at build time from the same
sweep-results.json that powers the results page — sweep
v0.4.1 (2026-05-11, scanner v0.4.1):
112 artifacts (33 MCP servers,
79 Hugging Face models), 2,142 findings,
75% of artifacts had at least one.
1. Unsigned models are the norm, not the exception
aibom-signature-missing fired on 79 of 79 Hugging Face
models in the sweep — including artifacts published by Microsoft, Facebook, and BAAI.
Cryptographic provenance for model weights effectively does not exist in the wild today.
Until OpenSSF Model Signing adoption
catches up, the practical mitigation is content scanning plus hash pinning — which is
exactly why the scanner treats a missing signature as a warning to track, not noise to
suppress.
2. ONNX custom operators are where the volume hides
The single loudest rule in the sweep is aibom-onnx-custom-operator —
1,507 findings across 12 models
(including small, widely-embedded models like SmolLM). A custom operator is a hook for
native code the runtime must supply: it isn’t malware by itself, but it means “running
this model” can mean “loading someone’s shared library”. If your inference stack
auto-resolves custom ops, audit that path before the model, not after.
3. Criticals are rare — and that’s the point
Only 3 critical and 8 high
findings came out of 112 artifacts. The criticals were concrete:
a shell-command-injection pattern in a very popular MCP server, and an install hook
reading the environment at npm install time — before any runtime guard could exist.
Supply-chain risk is a tail-risk problem: the average artifact is fine, and the one
that isn’t is running with your credentials. Scanning is cheap precisely because the
base rate is low.
4. Install hooks are MCP’s blind spot
MCP security discussion focuses on runtime — tool poisoning, prompt injection, rug
pulls. But the sweep’s standout MCP critical came from install-time behavior:
lifecycle scripts that read process.env and phone home during npm install, before
the server ever speaks JSON-RPC. A runtime gateway can’t see that. This is why the
pipeline is scan before install (oxvault scan), then guard at
runtime (Gateway).
5. Model cards are an injection surface
aibom-modelcard-suspicious-instructions fired on 7 models
in the sweep — README/model-card text containing instruction-shaped content aimed at
whatever LLM reads it. Model cards get pasted into agent context windows constantly.
Treat every artifact’s metadata as untrusted input, not just its weights: the same
tool-poisoning rules that guard MCP tool descriptions apply.
Honest footnotes
- The warning count is dominated by signature-missing and custom-operator findings — systemic-hygiene signals, not 1,808 individual emergencies.
- CVE detection (12/12) is measured against our own reproduction corpus of published MCP CVEs; precision (93%) is self-measured on this sweep. Both are reproducible from the scanner repo.
Want your server or model in the next sweep? Ask in Discord or open an issue on the scanner repo.