NewsMCP Server Security Audit 14 Critical High Findings Across 194 PackagesDEV Community·high signalAgentAudit audited 194 MCP packages. 14 critical/high findings including command injection and credential leakage.SourceSource pageDEV Community↳ Follow the threadShared entity / Stack layerCut agent scraping token spend with Scrapling — adaptive element-signature relocation plus a built-in MCP serverGitHubShared entity / Stack layerGoose v1.40.0 Adds a Local 'goose review' Command and Peek Mode for Async Background TasksGitHubShared entity / Stack layerMitigating Taint-Style MCP Server Vulnerabilities Without Touching Server Code (SPELLSMITH)arXivShared entity / Stack layerScan for MCP prompt injection at a centralized control plane, and treat every tool response as untrustedObot AIShared entity / Threat patternWindsurf's Devin Local Adds Editor Context Awareness and Persistent 'Always Allow' MCP GrantsReleasebotShared entity / Threat patternWrap long-running MCP tools in the new Tasks extension instead of blocking a single tools/call until timeoutStacktreeShared entity / Threat patternTip: Harden Any MCP Server You Run Locally — Bind to 127.0.0.1 and Require Auth on Management EndpointsAdversa AIShared entity / Threat patternTip: In Monorepos, Set OpenCode's Local MCP Server cwd Relative to Your WorkspaceOpenCode