177,000 MCP Tools Analyzed: Software Dev Is 90% of Agent Downloads — and Agents Are Acting More, Not Just Reading

For sixteen months, researchers from the UK AI Security Institute and the University of Oxford tracked every public MCP server repository across GitHub, PyPI, npm, Docker Hub, and HuggingFace — cataloging 177,436 agent tools in the process. The findings move the conversation about agentic AI deployment from speculation to measurement.

Software development dominates the landscape by a wide margin: it accounts for 67% of all agent tools catalogued and 90% of MCP server downloads. But the more consequential finding isn't which domain agents are being built for — it's what agents are being built to do within that domain. In November 2024, action tools (those that directly modify external environments: editing files, running commands, executing transactions, sending communications) made up 27% of total tool usage. By February 2026, that figure had risen to 65%. Agents are moving decisively from reading and reasoning to acting, and that shift is already the measurable present, not a projected future.

The paper uses this trajectory to argue for a specific policy response: effective oversight must extend beyond model outputs to the tool layer itself. Monitoring what a model says is insufficient when the real risk is in what the agent is structurally permitted to do. The 27%→65% action-tool shift gives that argument empirical grounding that general claims about "agentic risk" lack.

For engineering teams building or auditing agentic systems, the practical takeaway is that tool-level governance is no longer a future-looking concern — it's a present-tense engineering requirement that the industry is already behind on addressing.
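
A sketch of what a tool-level gate can look like, as an added example that is not taken from the paper or from any project it describes: it inventories an MCP tool listing, separates action tools from read-only ones, and denies by default. The tool names, the sample listing and the policy format are constructed assumptions; `readOnlyHint` and `destructiveHint` are MCP tool annotations, which the server supplies as hints rather than guarantees.

```python
# Added example: deny-by-default gate at the MCP tool layer.
# Tool names, the listing and the policy format are constructed for illustration.

# Constructed sample shaped like the "tools" array of an MCP tools/list result.
TOOLS = [
    {"name": "read_file", "annotations": {"readOnlyHint": True}},
    {"name": "search_issues", "annotations": {"readOnlyHint": True}},
    {"name": "write_file",
     "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    {"name": "run_command"},  # server sent no annotations at all
    {"name": "fetch_logs", "annotations": {"readOnlyHint": True}},  # not reviewed
]

# Operator-reviewed policy (hypothetical format): allow | approve | deny.
POLICY = {"read_file": "allow", "search_issues": "allow", "write_file": "allow"}


def declared_class(tool):
    """Class the server claims; MCP treats a missing readOnlyHint as false."""
    ann = tool.get("annotations") or {}
    return "read" if ann.get("readOnlyHint") is True else "action"


def audit(tools, policy):
    """Return one row per tool and the share of tools declared as action."""
    rows = []
    for tool in tools:
        cls = declared_class(tool)
        # A read-only hint alone grants nothing: unreviewed tools are denied.
        decision = policy.get(tool["name"], "deny")
        # Guard against a lax policy: action tools never run unattended.
        if cls == "action" and decision == "allow":
            decision = "approve"
        rows.append({"name": tool["name"], "declared": cls, "decision": decision})
    share = sum(r["declared"] == "action" for r in rows) / len(rows)
    return rows, share


def authorize(name, rows, approved=False):
    """Gate one tools/call by name; tools missing from the audit are denied."""
    decision = next((r["decision"] for r in rows if r["name"] == name), "deny")
    return decision == "allow" or (decision == "approve" and approved)


if __name__ == "__main__":
    rows, share = audit(TOOLS, POLICY)
    for r in rows:
        print(f'{r["name"]:14} {r["declared"]:6} {r["decision"]}')
    print(f"declared action share: {share:.0%}")
```

Because the annotations come from the server being governed, the gate uses them only to tighten a decision, never to loosen one.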

Read the full paper on arXiv →