The Agentic Web Has No Safety Layer. Major Labs Is Building One.

Editor's note: Major Labs was founded by this publication's founder, Charlie Major, and operates independently of Major Matters and of his employer. We are covering it because the gap it addresses is one we have returned to repeatedly, and we think readers deserve the disclosure alongside the analysis.

The public registries list more than 38,000 model context protocol servers, the small programs that let an AI agent reach out and do something in the world. Major Labs scanned every one it could find. Roughly 1,200 are genuinely usable.

That number is the problem in miniature. The agentic web is being assembled at speed, the catalogs are filling up, and almost no one is checking what sits behind the listings. The plumbing is going in faster than anyone is measuring it, and far faster than anyone is securing it.

Major Labs is one response. It is an independent studio that makes open-source primitives for the agentic web. Not a product company, not a startup chasing a round. A small workshop that ships the boring, load-bearing pieces the ecosystem is missing and gives them away.

The infrastructure is ahead of the demand, and the safety layer is behind both.

The gap it is built around

We write about this intersection every week, and over months of coverage the same shape keeps appearing. A new agent protocol ships. A processor adopts it. A demo goes live. Underneath each announcement sits a set of questions no one has answered: who is allowed to do what, what actually happened, and whether any of it can be trusted.

We named that gap in our coverage of the agentic AI security reckoning, and again when we looked at how thin the evidence trail behind agent actions really is. Naming a gap is useful. Filling it is harder.

Major Labs is the attempt to fill a small part of it. Rather than wait for a vendor to build the missing layer, the studio builds pieces of it in public, with the code open so anyone can check the work or take it.

The bet is narrow. The agentic web will need a few primitives that no single company is incentivized to own: a way to constrain what an agent may do, a way to prove what it did, and an honest measure of the ground it all stands on. Those are not products. They are closer to public works.

What the agentic web actually is

A short definition, because the term gets used loosely.

The model context protocol, or MCP, is an open standard introduced by Anthropic in late 2024. It lets an AI agent connect to external tools and data, a calendar, a payment rail, a customer database, through a common interface. Before MCP, every agent integration was bespoke. After it, a tool built once can be called by many agents.

That standardization is why the agentic web is growing so quickly. It is also why the risk is growing quickly. A common interface for agents to take real actions is, by definition, a common interface for things to go wrong at scale. An agent that can read your inbox and move money is useful right up to the moment it is convinced to do the wrong thing. The industry has been candid that prompt injection, the attack that turns an agent against its own instructions, is nowhere close to solved.

The protocol is the easy part. Governing what flows across it is the hard part.

What it has built

Major Labs has shipped three tools so far. All are open source under a permissive license and live on its GitHub. None is finished. Each addresses one of the questions above.

MandateKit answers "who is allowed to do what." It lets a developer issue an agent a signed, scoped mandate: this agent may spend up to this amount, call these tools, for this long, and nothing else. The mandate is cryptographically signed and checked before any action runs. If the signature is wrong or the scope does not cover the request, the action fails closed. It is a seatbelt for autonomy.

mcp-scanner answers "what is actually out there." It catalogs the public MCP ecosystem from the source, then publishes the result as open data. This is where the 38,000 figure comes from, and where it falls apart under inspection.

WitnessKit answers "what actually happened." It produces a tamper-evident record of an agent's actions, a hash-chained, signed log that cannot be quietly edited after the fact. When an agent does something costly or contested, the question is always the same: can you prove what it did? Most systems cannot. This tries to let them.

A mandate before the action, a witness after it, and an honest map of the ground in between.

Who it serves

The first users are developers building agents who need to put limits on them before shipping. A scoped mandate is a more credible answer to a security review than a paragraph of good intentions.

The second are the risk, compliance, and security teams who inherit these systems. They need an audit trail that holds up when something goes wrong, not a best-effort log that can be rewritten after the incident.

The third is the wider field. The open dataset behind mcp-scanner exists for anyone making a decision about MCP: a platform team picking what to support, a researcher studying ecosystem health, a writer who would rather cite a real number than a registry's marketing figure.

The honest caveat, which the studio makes itself, is the stage. These are primitives, not polished products, and there are close to no users yet. They are out early because building in the open is the stated point, not a launch tactic. Whether that openness attracts contributors or just sits as published code is the open question for any project like this.

The measurement gap, in numbers

The clearest thing Major Labs can show today is the dataset, because it makes the gap concrete.

Across four sources, the public registries advertise more than 38,000 distinct agent tools. The official MCP registry, the authoritative one, lists roughly 11,000. The scanner pulled 2,468 in depth, fetching the underlying code and history for each. Of those, about 1,881 had been touched in the last six months. Around 1,200 are what the studio calls genuinely evaluable: maintained, documented well enough to assess, and not an abandoned experiment.

So the headline figure overstates the real, working ecosystem by an order of magnitude. One catalog auto-indexes anything that looks vaguely relevant and reports tens of thousands. The maintained core is a fraction of that. Neither number is secret. They simply had not been placed side by side.

The full breakdown, the methodology, and the raw data sit at majorlabs.co/data, updated every week. The caveats are published next to the figures, which is the part we find most credible. A measurement no one can check is just another marketing number.

Where it is going

The near-term plan is unglamorous and deliberate.

Next is spend control. An agent with a payment credential and a vague instruction is a budget incident waiting to happen, so a primitive that caps and meters agent spending is the next thing on the list.

The dataset compounds on its own. Every weekly scan adds a point to a record of how the ecosystem is changing, and a longitudinal series cannot be reconstructed after the fact. The value is in starting it now and never missing a week. A year from now, the question of whether the agentic web is actually maturing or just inflating will have an evidence base instead of a vibe.

The longer arc is to turn a handful of separate tools into a coherent, auditable safety layer that a builder can adopt without having to trust the people who made it, because the code and the cryptography are open to inspection. Independence is doing real work in that sentence. The studio is not tied to this publication or to any employer, and the tools are useful only if that stays true.

How to work with it

This is the part the studio means literally. The work is open because it wants company.

Developers building agents can take the tools, file issues, and report where they break. Real use is worth more than any roadmap. Researchers can use the dataset freely; an honest, co-authored read of the ecosystem is more valuable to Major Labs than a guarded spreadsheet. Registries and platforms can talk to it about cross-referencing data and agreeing on what "active" and "maintained" should even mean, because the numbers improve when more people check them.

The most useful contribution, by the studio's own account, is being told a primitive is wrong. Open source is the fastest way to be corrected early. The contact details sit at majorlabs.co.

The agentic web is going to get built either way. The open question is whether the layer that keeps it honest gets built alongside it or years too late. A studio willing to be wrong in public is a reasonable place to start, and worth watching to see whether the code earns the users it has not yet found.

If the agentic web will run on tools almost no one has checked, who do you want holding the measuring tape, and what would make you trust the number?

Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.