Registry-level MCP security — every Smithery server now scanned before it ships

Invariant partners with Smithery to run MCP-Scan against every server in the registry. What supply-chain scanning at the registry level means for the MCP ecosystem.

April 24, 2025 · 6 min read · MCP developers, platform architects, security teams

MCPSecuritySmitherySupply ChainOpen Source

Invariant Labs and Smithery announced a partnership on April 24, 2025. Every MCP server listed on the Smithery registry now runs through MCP-Scan automatically, with results published on each server's registry page before a user can connect to it.

This is the supply-chain scanning model that npm and PyPI have adopted for code vulnerabilities, now applied to MCP tool descriptions.

Why registry-level scanning changes the incentive structure

Previously, a user discovering an MCP server on Smithery made a trust decision based on: description, star count, author reputation. No standardised security information. No way to know whether the tool descriptions contained injection payloads without inspecting them manually.

Registry-level scanning changes this in two directions:

For users: the scan result is visible before connecting. A server with a poisoned description gets a visible warning label before a single user has been affected. The information asymmetry between server authors and users shrinks.

For server authors: a server that fails MCP-Scan on publish gets immediate feedback and a public signal that something is wrong. This creates pressure to ship clean descriptions from day one rather than patching after a reported incident — the same dynamic that makes npm audit effective for package authors.

What the registry scan checks

The same four threat categories as local MCP-Scan runs:

Tool Poisoning Attacks — embedded instructions in descriptions
Rug Pull susceptibility — whether description-versioning patterns would evade re-approval
Cross-Origin Escalation patterns — descriptions referencing other servers' namespaces
Prompt Injection payloads — known injection syntax

Registry scans run on publish and on a continuous schedule for existing servers. A server that passes on day one can still be flagged if its descriptions are modified later.

For teams building on Genie

Genie integrates with MCP servers for third-party tool access. The Smithery partnership means any MCP server sourced from the Smithery registry has already passed a baseline security scan before I connect it to the platform. The first-line check is done. I still run a local MCP-Scan pass as part of the connection checklist — local scans catch configuration-specific issues that registry scans might not surface — but the baseline is covered.

For teams building their own MCP servers and publishing to Smithery: integrate uvx mcp-scan@latest into your CI pipeline on the description update path. If it passes locally before push, it will pass the registry scan.

Source: Invariant Labs — Announcing our partnership with Smithery · Smithery