The Model Context Protocol (MCP) is a convenient open protocol for linking large language models (LLMs) with external data sources and tools. However, because anyone can create an MCP server and publish it on GitHub, a server may contain malicious code. If you embed vulnerabilities in your own homemade MCP server, that is your own problem, but how safe are you when using a public MCP server obtained through a marketplace? This article explains the current state of MCP server marketplaces and some points to keep in mind when using them.
1.1. TL;DR
The premise is that nobody is guaranteeing anything; you use MCP servers at your own risk. Within that, the following two categories can be trusted to a certain extent. The rest are provided without any official guarantee.
- Servers published under the src directory of the modelcontextprotocol/servers repository
- MCP servers published by the official organization of the service they connect to. Example: tavily/mcp-server, provided by Tavily
1.2 Reasons
The official MCP GitHub repository is maintained by Anthropic and contains servers implemented by Anthropic itself as well as community-contributed servers.
- 🌟 Reference Servers: MCP servers implemented by Anthropic itself
- 🤝 Third-Party Servers: MCP servers implemented by parties other than Anthropic
- 🎖️ Official Integrations: MCP servers implemented as official repositories for connected services
- 🌎 Community Servers: MCP servers published by anyone, including people with no relation to the service being connected to.
Community Servers have not been explicitly tested and are used at your own risk.
I think the criteria for trusting Cline’s MCP Marketplace should be almost the same as for the official MCP repository (see Section 4.2 for details).
2. What is MCP/MCP Server?
For readers who say “I’ve heard of MCP, but I haven’t used it…😅”, here is a short explanation. There are already explanations in Japanese ranging from the basics to more advanced content, so for details please refer to the official MCP doc.
MCP (Model Context Protocol) is an open protocol for applications to provide context to large language models (LLMs). It is like a “USB-C port” for AI applications (Claude Desktop, Cline, etc.) and standardizes how LLMs can be integrated with external data sources and tools.
Confused about the hype around MCP (Model Context Protocol)?
Here’s a quick visual ⬇️
MCP is like a universal “USB-C” for AI agents, letting them plug into tools & data sources without juggling multiple APIs.
I'll break it down step by step ⬇️ pic.twitter.com/q4k6pxhWtZ
— Norah Sakal (@norahsakal) March 8, 2025
MCP servers are lightweight programs that expose certain functions (such as web search, file operations, API integration, and database access) through the MCP protocol. By connecting to these servers, MCP clients let AI agents use external knowledge and functions. For example, there is an MCP server for connecting to PostgreSQL. The MCP server itself is not a database; it acts as an intermediary for communication with PostgreSQL. In that sense, it may be more accurate to think of it as a “connector” rather than a “server”. Anyone can create an MCP server and publish it on GitHub.
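As an added illustration of the “connector” role (example code written for this article, not the official MCP SDK or the official server-postgres implementation), here is a minimal MCP server that speaks the JSON-RPC 2.0 messages MCP uses over stdio, together with the client side of the handshake. The in-memory user table stands in for the database; the tool name `lookup_user`, the server name and the protocol version string are assumptions made for the example.

```python
import json
import sys
from typing import Any, Optional

# Example MCP "connector" written for this article; it is not the official SDK
# and not the official server-postgres. It handles the JSON-RPC 2.0 messages
# MCP exchanges over stdio (one JSON object per line) and exposes one tool.

PROTOCOL_VERSION = "2024-11-05"  # assumed spec revision for this example

# Constructed stand-in for the database a real connector would talk to.
FAKE_USERS = {"alice": {"id": 1, "role": "admin"}, "bob": {"id": 2, "role": "viewer"}}

TOOLS = [
    {
        "name": "lookup_user",
        "description": "Return the record for a user name (example data)",
        "inputSchema": {
            "type": "object",
            "properties": {"name": {"type": "string"}},
            "required": ["name"],
        },
    }
]


def _result(rid: Any, result: dict) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _error(rid: Any, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def _call_tool(rid: Any, params: dict) -> dict:
    # Whatever runs here runs with the privileges of the process the client
    # launched; that is why the provenance of server code matters.
    name = params.get("name")
    args = params.get("arguments") or {}
    if name != "lookup_user":
        # An unknown tool is a protocol-level error, not a tool-execution error.
        return _error(rid, -32602, f"Unknown tool: {name}")
    user = FAKE_USERS.get(str(args.get("name", "")))
    if user is None:
        # The tool ran but failed: MCP reports that inside the result via isError.
        return _result(rid, {"content": [{"type": "text", "text": "no such user"}], "isError": True})
    return _result(rid, {"content": [{"type": "text", "text": json.dumps(user)}], "isError": False})


def handle(request: dict) -> Optional[dict]:
    """Dispatch one JSON-RPC message; returns None for notifications."""
    rid = request.get("id")
    method = request.get("method")
    params = request.get("params") or {}
    if method == "initialize":
        return _result(rid, {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {"tools": {}},
            "serverInfo": {"name": "example-connector", "version": "0.1.0"},
        })
    if method == "notifications/initialized":
        return None  # notifications carry no id and get no response
    if method == "tools/list":
        return _result(rid, {"tools": TOOLS})
    if method == "tools/call":
        return _call_tool(rid, params)
    return _error(rid, -32601, f"Method not found: {method}")


def client_session() -> list:
    """The client side of the exchange: initialize, initialized, list, call."""
    msgs = [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                    "clientInfo": {"name": "example-client", "version": "0.1.0"}}},
        {"jsonrpc": "2.0", "method": "notifications/initialized"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "lookup_user", "arguments": {"name": "alice"}}},
    ]
    return [handle(m) for m in msgs]


def main() -> None:
    # stdio transport: one request per input line, one response per output line.
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        response = handle(json.loads(line))
        if response is not None:
            sys.stdout.write(json.dumps(response) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as a script and feed one JSON object per line on stdin, or call `client_session()` to see the four-step exchange in-process. The handler returns a JSON-RPC error for an unknown tool and a result with `isError: true` when the tool itself fails, which is the distinction MCP draws between protocol errors and tool errors.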
3. MCP server publication/approval status
Similar to how Google Chrome has the Chrome Web Store for extensions, Anthropic, the creator of MCP, maintains an MCP server repository on GitHub ( https://github.com/modelcontextprotocol/servers ) that contains both Anthropic’s own MCP server implementations and a list of community-contributed MCP servers.
In addition to Anthropic’s official repository, Cline, a VS Code extension, offers Cline’s MCP Marketplace. To register with Cline’s MCP Marketplace, you submit an issue to the cline/mcp-marketplace repository and have it reviewed. Example of a reviewed issue: https://github.com/cline/mcp-marketplace/issues/44
4. General security of MCP official repositories
The modelcontextprotocol organization appears to be run primarily by Anthropic.
The modelcontextprotocol organization on GitHub states the following:
The Model Context Protocol is an open source project run by Anthropic, PBC. and open to contributions from the entire community.
From the other side, the anthropic.com post Introducing the Model Context Protocol states:
The Model Context Protocol specification and SDKs(omitted)Contribute to our open-source repositories of connectors and implementations
These statements indicate that this is an official Anthropic project.
4.1 modelcontextprotocol/servers repository
Under modelcontextprotocol there is a repository called servers (hereinafter referred to as the official repository). This repository publishes Anthropic’s official MCP server implementations and introduces other MCP servers.
Regarding security, the Security Policy states the following:
The security of our systems and user data is Anthropic’s top priority.
Furthermore, Anthropic, the developer of MCP, has obtained the following certifications, although it is unclear to what extent they apply to the development of MCP itself.
- SOC 2 Type I
- HIPAA
- SOC 2 Type II
- ISO 27001:2022
- ISO/IEC 42001:2023
Reference: https://trust.anthropic.com/
4.2 How much can I trust it?
🌟 I think you can trust the Reference Servers section to a certain extent, because the sources it references live under the src directory of the modelcontextprotocol/servers repository, which is the official MCP repository.
🎖️ I think you can trust the Official Integrations section to a certain extent. (Note that Community Servers are not included here.) For example, the MCP server for JetBrains is published under the JetBrains organization. If there were a security incident in this MCP server, JetBrains would be criticized as well, damaging its credibility and its business, so it is reasonable to expect JetBrains to make an effort to implement a secure MCP server.
🌎 Community Servers are also listed in README.md, with the following note:
Note: Community servers are untested and should be used at your own risk. They are not affiliated with or endorsed by Anthropic.
So their reliability is considered low. As the note says, use them at your own risk.
4.3. Specific repository operations
This is a somewhat geeky section, so feel free to skip it. It is about which GitHub accounts can be trusted and who actually does the reviews.
4.3.1. The process of implementing an MCP server under the src directory of the official repository
To add a server under the src directory of modelcontextprotocol/servers, you submit a pull request and have it approved, just like in any other OSS project.
As of March 26, 2025, https://github.com/modelcontextprotocol/servers/pull/620 is in the “Review Required” state, so it is likely that a Team combining the GitHub accounts listed under People and the accounts approved by Anthropic has been defined and enforced through the protected-branch feature (※).

As a first example, Anthropic’s official PostgreSQL implementation was included in the initial commit and was created by jspahrsummers, who as of 2025/03/26 is listed in the People section of the official MCP organization.
As a second example, https://github.com/modelcontextprotocol/servers/pull/413/ is a Redis MCP server implementation by Anthropic, judging from the directory where the source code was added. The pull request was approved by jerome3o-anthropic. As of 2025/03/26, this account is not listed under People! The account name appears to be related to Anthropic, so it may have been listed under People as of 2025/2/7, when the approval was given. As noted in (※), it is not strictly clear whether this person is an Anthropic employee, but since they were able to merge the pull request they approved into the main branch, they are probably a maintainer from Anthropic.
(※) This is only a guess, because the Team that groups the GitHub accounts of Anthropic employees has not been made public.
4.3.2. Official Integrations MCP servers are added to the official README.md
The entry is added to README.md once a pull request to modelcontextprotocol/servers is approved.
Before that, the referenced repository must already implement an MCP server.
Example: JetBrains
- Referenced MCP server: https://github.com/JetBrains/mcp-jetbrains
- Pull Request for README.md: https://github.com/modelcontextprotocol/servers/pull/355
- A pull request was opened in the official repository on 2024/12/16.
- It was approved on December 17, 2024, so
- the MCP server that appears to have been reviewed is the one at commit 39041cc.
- You can see that development continued after 2024/12/17. See the commit history.
It is unclear whether the official MCP servers repository keeps checking JetBrains/mcp-jetbrains after approval. In principle, therefore, the referenced repository could be hijacked or have malicious code embedded after approval. However, if that happened, JetBrains’ credibility would also be damaged, to JetBrains’ own disadvantage, so this can be read as Anthropic trusting JetBrains to remain vigilant about security.
5. Cline’s official MCP server marketplace
Cline is building its own marketplace of MCP servers for direct use from Cline, in the Cline MCP Marketplace repository.
What is the MCP Marketplace?
The MCP Marketplace is a curated collection of MCP servers that makes discovery and installation easy. With the marketplace, you can:
- Browse official and community-made MCP servers
- Search by name, category, tags, and other metadata
- Install MCP servers with one click, triggering Cline to autonomously handle cloning, setup, and configuration.
Here, I take “official and community-made MCP servers” to mean:
1. Official Anthropic MCP servers; in the terminology above, 🌟 Reference Servers
2. 🎖️ Official Integrations MCP servers
3. 🌎 Community Servers MCP servers
4. MCP servers approved by the Cline maintainers in issues of their repository
Here is my personal opinion on their trustworthiness:
1 > 2 >> 4 >>> (an unbridgeable gap) >>> 3
【Trustworthy】 → 【Untrustworthy】
The reasoning is as follows. To register a server in this marketplace, you must open a new issue in the cline/mcp-marketplace GitHub repository and have it approved.
- Regarding 1, I think it is fair to trust it to a certain extent, for the reasons stated in Section 4.2.
- Regarding 2, I think it is fair to trust it to a certain extent, for the reasons stated in Section 4.2.
- As stated in Section 4.2, 3 is provided without warranty and is used at your own risk.
- Regarding 4, the Cline maintainers have reviewed and added it, so I think it can be trusted to a certain extent. However, I consider it less trustworthy than Anthropic.
This is because Cline is OSS; it is somewhat misleading to speak of a “development company”, but the developers of Cline do not hold the kind of security certifications that Anthropic does (see Section 4.1).
5.1 cline’s MCP Marketplace registration process
Like Section 4.3, this section is aimed at enthusiasts, so feel free to skip it.
Although the maintainer of the Cline MCP Marketplace is not stated anywhere, I think it is safe to say that pashpashpash is the maintainer of the Cline repository, for the following reasons:
- As of 2025/03/26, no people are listed in Cline’s GitHub organization!
- The author of the initial commit of mcp-marketplace is pashpashpash.
MCP servers registered in the Cline MCP Marketplace appear to come from two sources:
- MCP servers registered in modelcontextprotocol/servers, which are reflected progressively.
- MCP servers approved in issues of Cline’s mcp-marketplace repository.
Regarding the former, as of 2025/03/26, https://github.com/oceanbase/mcp-oceanbase is registered in modelcontextprotocol/servers but is not yet registered in Cline’s MCP Marketplace.
Regarding the latter, graphlit-mcp-server was registered via #44 but is not registered in modelcontextprotocol/servers as of 2025/03/25.
6. Summary
Adopting an MCP server is essentially at your own risk. In security terms, the disadvantages of releasing or approving a risky MCP server fall on Anthropic, on the service the MCP server connects to, and on marketplace operators such as Cline. For that reason, I think the following can be trusted to a certain extent:
- MCP servers under the src directory of the modelcontextprotocol/servers repository
- MCP servers implemented by the official organization of the service the MCP server connects to
- If you use Cline, MCP servers approved in the closed issues of cline/mcp-marketplace
Anything else is at your own risk, so read the source yourself, or have the relevant repository investigated with a tool such as DeepResearch.
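As an added example (written for this article, not code from Anthropic, Cline or any of the projects named above), the following script turns the ranking from Section 5 and the post-approval drift concern from Section 4.3.2 into a check over an inventory of configured MCP servers. Each server is classified by the GitHub repository it is installed from, and flagged when it is not pinned to a specific commit. The inventory, the service-to-vendor-org mapping and the Cline-approved list are constructed for the example: the JetBrains commit is the one the article cites as reviewed, while `acme-corp/acme-mcp` and `someuser/awesome-mcp` are hypothetical repositories.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trust tiers as ranked in Section 5 of the article: 1 > 2 >> 4 >>> 3.
TIER_ORDER = [1, 2, 4, 3]
TIER_NAMES = {1: "Reference Server", 2: "Official Integration",
              4: "Cline marketplace approved", 3: "Community Server"}

# Constructed policy data for this example. A real deployment would maintain
# these from its own review records.
VENDOR_ORGS = {"jetbrains": "JetBrains", "tavily": "tavily"}  # service -> GitHub org
CLINE_APPROVED = {"acme-corp/acme-mcp"}                        # hypothetical approved repo

# Accepts https and ssh GitHub URLs, an optional /tree/<ref>/<path> and an
# optional #<ref> suffix (assumed conventions for how a pin is expressed).
GITHUB_RE = re.compile(
    r"^(?:https://github\.com/|git@github\.com:)"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?"
    r"(?:/tree/(?P<ref>[\w.-]+)(?:/(?P<path>[\w./-]+))?)?"
    r"(?:#(?P<frag>[\w./-]+))?$"
)


@dataclass
class ServerEntry:
    name: str
    source: str                      # where the server code is fetched from
    service: Optional[str] = None    # service it connects to, if declared


@dataclass
class Assessment:
    name: str
    tier: int
    pinned: bool
    findings: List[str] = field(default_factory=list)


def _is_commit(ref: Optional[str]) -> bool:
    """A 7-40 character hex ref counts as a commit pin; branches and tags do not."""
    return bool(ref) and re.fullmatch(r"[0-9a-f]{7,40}", ref) is not None


def classify(entry: ServerEntry) -> Assessment:
    m = GITHUB_RE.match(entry.source)
    if m is None:
        return Assessment(entry.name, 3, False,
                          ["source is not a GitHub URL; audit the code manually"])
    owner = m.group("owner").lower()
    repo = f"{owner}/{m.group('repo').lower()}"
    ref = m.group("frag") or m.group("ref")
    path = m.group("path") or ""

    if repo == "modelcontextprotocol/servers" and path.startswith("src/"):
        tier = 1   # lives in the official repository's src directory
    elif entry.service and VENDOR_ORGS.get(entry.service.lower(), "").lower() == owner:
        tier = 2   # published by the organization of the connected service
    elif repo in {r.lower() for r in CLINE_APPROVED}:
        tier = 4   # approved in a cline/mcp-marketplace issue
    else:
        tier = 3   # community server

    a = Assessment(entry.name, tier, _is_commit(ref))
    if tier == 3:
        a.findings.append("community server: untested and unendorsed, read the source before use")
    if not a.pinned:
        a.findings.append("not pinned to a reviewed commit; the repository can change after approval")
    return a


def rank(entries: List[ServerEntry]) -> List[Assessment]:
    """Most trusted first, following the article's ordering 1 > 2 >> 4 >>> 3."""
    return sorted((classify(e) for e in entries), key=lambda a: TIER_ORDER.index(a.tier))


# Constructed inventory for the example.
INVENTORY = [
    ServerEntry("postgres", "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres", "postgresql"),
    ServerEntry("jetbrains", "https://github.com/JetBrains/mcp-jetbrains/tree/39041cc", "jetbrains"),
    ServerEntry("tavily", "git@github.com:tavily/mcp-server.git", "tavily"),
    ServerEntry("acme", "https://github.com/acme-corp/acme-mcp.git#v1.2.0", "acme"),
    ServerEntry("awesome", "https://github.com/someuser/awesome-mcp"),
    ServerEntry("local", "/opt/mcp/my-server"),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        print(f"{a.name:10} tier {a.tier} ({TIER_NAMES[a.tier]}) pinned={a.pinned}  {'; '.join(a.findings)}")
```

The tier only says who is accountable for the code; the pin check is what catches the drift described in Section 4.3.2, since a server approved at one commit and installed from a branch can differ from what was reviewed. Treat the vendor-org mapping as part of your own policy: a server that merely claims to be for a service does not become an Official Integration until you have confirmed the repository owner.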