Independent, reproducible behavioral grades for the MCP surface of the Virtuals ecosystem — the protocol’s own commerce and framework infrastructure, and the agents and apps launched on it.
1A1B1D· 3 graded · 2 pending · 16 no MCP
Virtuals launches agents permissionlessly — the protocol doesn’t vet how any of them behave. This is that vetting, applied to the ecosystem’s MCP surface.
Each server is graded on its own MCP surface. Most agents launch via GAME/ACP rather than a bespoke server, so they carry no standalone MCPto grade — mapped honestly below. Grades reflect the testable surface (state-changing tools aren’t exercised by default); remote-only servers cap at B (egress unverifiable), npm servers run sandboxed and can reach A, and a C-04 (adversarial-input) failure caps a grade at D. 3rd-partymarks a community wrapper rather than the project’s own server. These rows are not published — no public badge or report shows them.
Grade
Project
MCP server
ChecksPer-category checks (pass · fail · skip = not run): 01 tool-output injection · 02 egress overreach · 03 sensitive-data handling. C-04 (adversarial input) is graded off-table and caps the letter at D.
AdoptionAdoption score (0–100) — downloads, stars, dependents and release velocity, normalized across tracked servers. Reach, not safety; the grade is the verdict. Registry servers only; remote/untracked show —.
This index is a snapshot. As agents launch on Virtuals, we re-grade the ecosystem's MCP surface on a cadence and flag regressions — a dropped grade, a newly failing probe, a changed tool surface — before they reach your users. Set up per ecosystem.
C-01 tool-output injection · C-02 permission/egress overreach · C-03 sensitive-data handling · C-04 adversarial input (off-table; caps the letter at D). Adoption is reach (0–100), not safety — the grade is the verdict. Reproduce any grade by re-running the open harness against the same ref. Each server links to its polygraph report; see the full MCP Security Index.