The Field Guide

Is this MCP server safe? How to vet an MCP before you install it.

Short answer

You can't tell from the name, the star count, or the publisher's reputation alone — you vet it by what it can reach, before it's live. An MCP server runs as code on your machine with your agent's access. In 2026, researchers reported roughly 200,000 MCP servers exposing remote code execution.1 A trusted-looking server can still hold a live token, so "trusted publisher" and "safe to install" are two different questions.

Last updated: June 16, 2026 · By Matt Jackson

Vet four things before you install

Before you install any MCP server, check four things:

Provenance. Who published it, and can you verify that the artifact you are about to run is really theirs (a pinned version, a signed or checksummed release) rather than whatever the registry serves today?

Reach. What does it ask to touch on your machine (files, shell, credentials, other tools), and does that exceed its job?

Egress. Where can it send data, and do those endpoints match what it claims?

Blast radius. If this exact server were compromised tomorrow, what on your machine is exposed through it: the tokens in its environment, the directories under its root, the sessions it can use?

Trusted is not safe. Provenance and risk are two different axes. A trusted publisher can still hold a live token and be your top finding. "Trusted publisher" answers who made it; "safe to install" answers what it can reach on your machine.
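The four checks can be run statically against the server entry before anything is launched. The script below is an added example, not Dryx's Skill Shield and not code from any MCP project: it reads the `mcpServers` JSON shape that common MCP hosts use, applies one heuristic per axis (unpinned package for provenance, filesystem roots for reach, URL hosts against a publisher's claimed hosts for egress, literal credentials in `env` for blast radius) and rolls the findings up into a low/medium/high risk level. The sample config, the home directory, the claimed-host list and the risk labels are all constructed for illustration.

```python
"""Static pre-install check of MCP server entries (added example, not Dryx code).

Reads the `mcpServers` JSON shape used by common MCP hosts and reports one
finding per axis: provenance, reach, egress, blast_radius. Heuristics and the
low/medium/high labels are this example's own, not any product's verdict.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample config: a scoped filesystem server, an over-reaching
# sync server with a baked-in token, and a minimal server using a secret ref.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem",
                     "/home/alice/projects/app"],
        },
        "notes-sync": {
            "command": "node",
            "args": ["sync.js", "--root", "/",
                     "--upload", "https://telemetry.example.net/v1"],
            "env": {"GITHUB_TOKEN": "ghp_" + "x" * 36,
                    "API_URL": "https://api.example.com"},
        },
        "weather": {
            "command": "python",
            "args": ["-m", "weather_mcp"],
            "env": {"WEATHER_API_KEY": "${WEATHER_API_KEY}"},  # reference, not a literal
        },
    }
})

# Literal credential shapes (GitHub PAT, OpenAI-style key, AWS access key, Slack token).
SECRET_LITERAL = re.compile(
    r"^(ghp_[A-Za-z0-9]{36}|sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|xox[baprs]-[A-Za-z0-9-]{10,})$")
SENSITIVE_DIRS = (".ssh", ".aws", ".gnupg", ".config", "Library/Keychains")


@dataclass
class Finding:
    axis: str       # provenance | reach | egress | blast_radius
    severity: int   # 1 low, 2 medium, 3 high
    detail: str


@dataclass
class Report:
    name: str
    findings: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        top = max((f.severity for f in self.findings), default=0)
        return {0: "low", 1: "low", 2: "medium", 3: "high"}[top]


def vet_server(name: str, entry: dict, home: str = "/home/alice",
               claimed_hosts=frozenset()) -> Report:
    rep = Report(name)
    cmd, args, env = entry.get("command", ""), entry.get("args", []), entry.get("env", {})

    # Provenance: `npx -y pkg` / `uvx pkg` without a version resolves to whatever
    # the registry serves at install time, so the artifact is not pinned.
    if cmd in ("npx", "uvx"):
        pkgs = [a for a in args if not a.startswith("-")]
        if pkgs and "@" not in pkgs[0].lstrip("@"):
            rep.findings.append(Finding("provenance", 2,
                f"unpinned package {pkgs[0]!r}; pin a version and verify its checksum"))

    # Reach: absolute paths in args are treated as filesystem roots the server gets.
    for a in args:
        if a.startswith(("/", "~")):
            p = a.replace("~", home, 1)
            if p == "/" or p.rstrip("/") == home:
                rep.findings.append(Finding("reach", 3,
                    f"root {a!r} covers the whole home directory or filesystem"))
            elif any(s in p for s in SENSITIVE_DIRS):
                rep.findings.append(Finding("reach", 3,
                    f"root {a!r} includes a credential directory"))
            elif not p.startswith(home):
                rep.findings.append(Finding("reach", 2, f"root {a!r} is outside {home}"))

    # Egress: every URL host in args or env must be one the publisher claims.
    for t in list(args) + list(env.values()):
        if t.startswith(("http://", "https://")):
            host = urlparse(t).hostname
            if host not in claimed_hosts:
                rep.findings.append(Finding("egress", 3 if claimed_hosts else 2,
                    f"sends to {host}, not among claimed hosts {sorted(claimed_hosts)}"))

    # Blast radius: a literal token in env is held by the server process itself;
    # if the server is compromised, so is the token.
    for k, v in env.items():
        if SECRET_LITERAL.match(v):
            rep.findings.append(Finding("blast_radius", 3,
                f"env {k} holds a literal credential; use a reference or scoped token"))
    return rep


def vet_config(config_text: str, claims: dict) -> dict:
    """claims maps server name -> set of hosts the publisher says it talks to."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: vet_server(name, entry, claimed_hosts=frozenset(claims.get(name, ())))
            for name, entry in servers.items()}


if __name__ == "__main__":
    for rep in vet_config(SAMPLE_CONFIG, {"notes-sync": {"api.example.com"}}).values():
        print(f"{rep.name}: {rep.risk}")
        for f in rep.findings:
            print(f"  [{f.axis}] {f.detail}")
```

Run against the constructed config, `weather` comes out low (its key is a reference, not a value), `filesystem` medium (scoped root, but the package is unpinned), and `notes-sync` high on three axes at once: root `/`, an undeclared upload host, and a live GitHub token in its environment. That last server is exactly the case the page warns about: a publisher you trust could ship it, and it would still be your top finding.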

How Dryx answers all four before install

Dryx answers all four questions before install. Skill Shield projects a candidate MCP or skill onto your actual workspace and tells you the reach — trusted, recognized, unknown, or suspicious — and treats "unknown" as "analyze before installing."

Your agent can ask too: the Authority Anchor MCP exposes a check_mcp_server verdict your agent reads before it pulls anything in. The verdict is computed offline, against your machine — not a remote reputation lookup.

This vets the candidate against your real exposure. It does not take all risk away — vetting reach before install is one layer; the deterministic gate at the action boundary is another. See how the runtime authority works and why the verdict is deterministic.
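The second layer is a gate that decides each tool call at the moment the agent tries to act. The function below is an added example of that idea and is not Dryx's runtime authority: it is a pure function of the call and a policy, with no network lookup and no model in the loop, so the same call always gets the same answer, and anything without a matching rule is denied. The tool names, argument shapes and policy fields are assumptions for illustration; the paths and hosts are constructed.

```python
"""Deterministic allow/deny gate at the action boundary (added example, not Dryx code).

A pure function of (tool, args, policy): no I/O, no randomness, no model call,
so identical inputs always yield identical decisions. Deny by default.
Tool names and argument shapes are assumed for illustration.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlparse


@dataclass(frozen=True)
class Policy:
    read_roots: tuple            # absolute dirs the agent may read under
    write_roots: tuple           # absolute dirs the agent may write under
    egress_hosts: frozenset      # hosts it may send data to
    deny_parts: tuple = (".ssh", ".aws", ".gnupg", ".env")  # never, even inside a root


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def _under(path: str, roots) -> bool:
    """True if path is inside one of roots, using path components rather than a
    string prefix (so /home/a/projectsX is not under /home/a/projects) and
    rejecting relative paths and any '..' the host might otherwise resolve."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def _touches_denied(path: str, deny_parts) -> bool:
    return any(part in deny_parts for part in PurePosixPath(path).parts)


def gate(tool: str, args: dict, policy: Policy) -> Decision:
    if tool in ("read_file", "list_dir", "write_file"):
        path = args.get("path", "")
        if _touches_denied(path, policy.deny_parts):
            return Decision(False, f"{path}: credential path is never allowed")
        roots = policy.write_roots if tool == "write_file" else policy.read_roots
        if _under(path, roots):
            return Decision(True, f"{path}: within {tool} roots")
        return Decision(False, f"{path}: outside {tool} roots")
    if tool == "http_request":
        host = urlparse(args.get("url", "")).hostname
        if host and host in policy.egress_hosts:
            return Decision(True, f"{host}: allowed egress")
        return Decision(False, f"{host}: egress not allowed")
    return Decision(False, f"{tool}: no rule, denied by default")


# Constructed policy for the checks below.
POLICY = Policy(
    read_roots=("/home/alice/projects",),
    write_roots=("/home/alice/projects/app/out",),
    egress_hosts=frozenset({"api.example.com"}),
)

if __name__ == "__main__":
    for call in [("read_file", {"path": "/home/alice/projects/app/README.md"}),
                 ("read_file", {"path": "/home/alice/projects/../.ssh/id_ed25519"}),
                 ("write_file", {"path": "/home/alice/projects/app/src/main.py"}),
                 ("http_request", {"url": "https://telemetry.example.net/v1"}),
                 ("run_shell", {"cmd": "id"})]:
        d = gate(call[0], call[1], POLICY)
        print("ALLOW" if d.allow else "DENY ", d.reason)
```

The gate is only as good as the hook that invokes it: it has to sit where the harness actually dispatches the tool call, and it must see the resolved arguments, not the model's description of them. Where a harness exposes no such hook, the page's point stands that pre-install vetting plus defense in depth is what remains.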

Frequently asked

Is this MCP server safe to install?

You can't tell from the name, the star count, or the publisher's reputation alone. An MCP server runs as code on your machine with your agent's access, so the question is what it can reach. Vet it before it's live by checking provenance, reach, egress, and blast radius on your machine.

How do I vet an MCP server before installing it?

Check four things: provenance (who published it, and can you verify that's really them), reach (what it asks to touch — and whether that exceeds its job), egress (where it can send data, and whether that matches what it claims), and blast radius (if this exact server were compromised tomorrow, what on your machine is exposed). Dryx's Skill Shield returns a trusted / recognized / unknown / suspicious verdict against your actual workspace before install.

Does a trusted publisher mean an MCP server is safe?

No. Provenance and risk are different axes. A trusted-looking server can still hold a live token, ask for more reach than its job needs, or send data to an endpoint that doesn't match what it claims. Treat "unknown" as "analyze before installing."

Map your own exposure

You just read how this surface goes wrong. The next step is seeing it on your machine. Dryx inspects the AI agents you already run and draws the reach — the secrets surface free, the full seven-surface map on Pro. On Pro with the direct-download build, your agent also gets a deterministic gate at the action boundary where its harness supports the hook, and defense in depth everywhere else. Your agent gets the answer; you don't get a dashboard to babysit.



Sources

Last updated: June 16, 2026 · Version 1.0