This study systematically assesses the current state of the Model Context Protocol (MCP) ecosystem, addressing three core challenges: genuine market activity, server-side security and privacy risks, and the degree of client-side protocol standardization. To this end, we introduce MCPCrawler—a novel, reproducible empirical measurement framework—integrating web crawling, data normalization, dependency analysis, and pattern recognition to conduct a large-scale, cross-platform survey of 17,630 projects across six major MCP markets. Our findings reveal that over 50% of projects are inactive or low-value placeholders; servers predominantly rely on a single, unevenly maintained implementation, exposing systemic security and privacy vulnerabilities; and clients are in a critical transition phase from protocol fragmentation toward standardization. This work delivers the first empirically grounded, holistic characterization of the MCP ecosystem, providing actionable insights and evidence-based governance recommendations for its sustainable evolution.

The Model Context Protocol (MCP) has been proposed as a unifying standard for connecting large language models (LLMs) with external tools and resources, promising the same role for AI integration that HTTP and USB played for the Web and peripherals. Yet, despite rapid adoption and hype, its trajectory remains uncertain. Are MCP marketplaces truly growing, or merely inflated by placeholders and abandoned prototypes? Are servers secure and privacy-preserving, or do they expose users to systemic risks? And do clients converge on standardized protocols, or remain fragmented across competing designs? In this paper, we present the first large-scale empirical study of the MCP ecosystem. We design and implement MCPCrawler, a systematic measurement framework that collects and normalizes data from six major markets. Over a 14-day campaign, MCPCrawler aggregated 17,630 raw entries, of which 8,401 valid projects (8,060 servers and 341 clients) were analyzed. Our results reveal that more than half of listed projects are invalid or low-value, that servers face structural risks including dependency monocultures and uneven maintenance, and that clients exhibit a transitional phase in protocol and connection patterns. Together, these findings provide the first evidence-based view of the MCP ecosystem, its risks, and its future trajectory.