aljaz/goose
1
0
Fork 0
mirror of https://github.com/aljazceru/goose.git synced 2025-12-18 14:44:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2c86a0eb6e20d314f019d9faf2be75c3babc0dc0
goose/documentation/blog/2025-03-26-mcp-security/index.md

69 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "How to Determine If An MCP Server Is Safe"
description: Before you plug your agent into just any MCP server, here's how to check if it's actually safe.
authors:
- ebony
---
![blog cover](mcpsafety.png)
# How I Vet MCP Servers Before Plugging Them In
[Model Context Protocol (MCP)](https://www.anthropic.com/news/model-context-protocol) servers are everywhere right now. Last time I checked there were **3,000 and counting**. Every day, a new one pops up, letting AI agents like Goose access files, query your Google Drive, search the web, and unlock all kinds of amazing integrations.
<!--truncate-->
And just when I thought things couldnt get any crazier, Zapier blessed us with an MCP server. That means your agent can now tap into over 8,000+ integrations.
So trust me, I know its super tempting to want to plug your AI agent into everything and just _see_ what happens.
But hold on a minute, we cant afford to skip over security.
When you connect to an MCP server, youre giving it access to your workflows, most times even your data. And a lot of these servers are community built, with little to no governance.
## Heres What I Do Before I Trust an MCP Server
Any time Im checking out a new MCP server to plug into Goose, I start with **[Glama.ai](https://glama.ai/mcp/servers)**.
Glama is an all-in-one AI workspace, and it maintains one of the **most comprehensive and security-aware MCP server directories** that I've seen. The servers listed are either community built or created by the actual companies behind the tools, like **Azure** or **JetBrains**.
Each server gets a **report card**, so at a glance you can quickly assess whether its solid or a little sketchy.
## What Glama Scores
Heres what Glama grades servers on:
-**Security** Checks for known vulnerabilities in the server or its dependencies
-**License** Confirms its using a permissive open source license
-**Quality** Indicates whether the server is running and functions as expected
Youll also see helpful context like how many tools the server exposes, whether it has a README file, when it was last updated, and whether it supports live previews through the MCP inspector tool.
Glama doesn't just perform these checks once, they **revaluate servers regularly**, so if something breaks or a vulnerability gets introduced, the score updates automatically.
Heres an example of a solid server: the **YouTube MCP server**, which lets Goose download and process videos to create summaries and transcripts.
![YouTube MCP Score](youtubeMcp.png)
>_All As across the board—**security, license, and quality**._
Thats exactly the kind of score I look for before I plug Goose into any server.
So please, **check before you connect**.
A quick glance at an MCP directory like Glama can save you from crying on your office floor later. However, once youve done your homework?
**Have fun. Plug your agent in. Break things (safely). And vibe code with peace of mind.**
<head>
<meta property="og:title" content="How to Determine If An MCP Server Is Safe" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://block.github.io/goose/blog/2025/03/21/goose-vscode" />
<meta property="og:description" content="Before you plug your AI agent into just any MCP server, here's how to check if it's actually safe." />
<meta property="og:image" content="http://block.github.io/goose/assets/images/mcpsafety-87eb7ace7163a5edbe068ff75b79a199.png" />
<meta name="twitter:card" content="summary_large_image" />
<meta property="twitter:domain" content="block.github.io/goose" />
<meta name="twitter:title" content="How to Determine If An MCP Server Is Safe" />
<meta name="twitter:description" content="Before you plug your agent into just any MCP server, here's how to check if it's actually safe." />
<meta name="twitter:image" content="http://block.github.io/goose/assets/images/mcpsafety-87eb7ace7163a5edbe068ff75b79a199.png" />
</head>
Reference in New Issue View Git Blame Copy Permalink