The Expanding Reach of AI: A Tool-Use Explosion

Author: Denis Avetisyan


A new analysis of over 177,000 AI agent tools reveals a rapidly growing ‘action space’ and raises critical questions about the future of autonomous systems.

The geographic distribution of downloads for action-capable Python packages – analyzed across 6.73 million instances from 528 servers – reveals concentrated activity in North America and Western Europe, with a notable shift in share observed during the latter half of 2025, suggesting evolving patterns of dependency and localized growth within the broader AI ecosystem.

Research utilizing the Model Context Protocol (MCP) demonstrates the diverse capabilities and emerging risks of increasingly sophisticated AI agents.

Despite the growing promise of automating tasks across the economy, a comprehensive understanding of how AI agents are currently deployed remains elusive. This paper, ‘How are AI agents used? Evidence from 177,000 MCP tools’, addresses this gap by analyzing a large dataset of agent tools built using the Model Context Protocol (MCP), revealing a rapidly expanding ‘action space’ and a significant shift towards tools capable of directly modifying external environments. Our analysis of over 177,000 tools demonstrates that software development currently dominates agent usage, yet ‘action’ tools – those with the potential for consequential impacts – rose dramatically over the study period. As these agents become increasingly autonomous, how can governments and regulators effectively monitor and mitigate the risks associated with this evolving landscape?


The Expanding Web: Agents and the Illusion of Control

Large language models (LLMs) are the engines driving the current surge in artificial intelligence agent capabilities, yet these agents are fundamentally limited by the knowledge and actions embedded within the models themselves. To transcend these boundaries, AI agents increasingly depend on external tools – specialized software and APIs that extend their reach into the real world and broaden their cognitive abilities. This reliance isn’t a weakness, but rather a core architectural principle; agents leverage tools for everything from accessing current information and performing complex calculations to controlling physical devices and interacting with online services. Consequently, an agent’s effectiveness is often determined not by the sophistication of the LLM, but by the breadth, quality, and seamless integration of its tooling ecosystem, enabling it to perceive, reason, and act beyond its pre-programmed constraints.

The functionality of modern AI agents is intrinsically linked to their ability to leverage a vast and growing toolkit. These agents, powered by large language models, aren’t self-sufficient; they require external tools to perceive the world, perform complex reasoning, and ultimately take effective action. This dependence has spurred the rapid development of a complex ecosystem, currently boasting 177,436 publicly available AI agent tools as of February 2026. This expansive landscape includes everything from web search and data analysis APIs to specialized instruments for image recognition, code execution, and even physical robotic control, creating a dynamic, interconnected web where an agent’s potential is directly proportional to the breadth and quality of tools at its disposal.

The rapid expansion of AI agent tooling, now exceeding 177,436 publicly available options, presents a significant operational challenge. Simply identifying and cataloging these tools is a monumental task, but more pressing is the need to understand their functionalities, interdependencies, and potential vulnerabilities. As agents increasingly rely on this diverse ecosystem to perform complex tasks, securing the operational landscape becomes paramount; a compromised or malfunctioning tool can introduce cascading errors or create security breaches that undermine the entire agent’s performance. This necessitates robust methods for tool vetting, ongoing monitoring, and the development of standardized security protocols to ensure reliable and trustworthy AI agent operation, moving beyond mere tool availability to effective management and oversight.

Analysis of monthly tool downloads from PyPI and NPM between November 2024 and January 2026 reveals increasing adoption of AI agent tools for action (red), reasoning (blue), and perception (grey), with an asymptotic convergence model [latex]y(t)=L-(L-y_0)e^{-kt}[/latex] indicating a potential saturation point [latex]L[/latex] with 95% confidence intervals, validated by human experts and based on the assumption of one server installation equaling one tool use.

Deconstructing Capability: A Taxonomy of Agent Actions

Agent Tool Classification establishes a framework for organizing tools into three primary functional categories: perception, reasoning, and action. Perception tools facilitate data acquisition from the environment, providing agents with sensory input. Reasoning tools enable agents to process information, draw inferences, and make decisions based on available data. Action tools allow agents to directly interact with and manipulate their environment. This categorization is not mutually exclusive; a single tool may incorporate functionalities from multiple categories. The systematic classification enables focused analysis of agent capabilities and facilitates the identification of specific tool strengths and weaknesses based on their primary function.

Automated Tool Analysis employs computational techniques, including machine learning and natural language processing, to efficiently categorize agent tools. These methods analyze tool metadata, code repositories, and associated documentation to identify key characteristics such as function, input/output types, and dependencies. This allows for the processing of large volumes of tools – exceeding manual capacity – and enables scalable identification of tool attributes. The process yields quantitative data on tool features, facilitating comparative analysis and trend identification within the agent tool ecosystem, and ultimately accelerating the categorization process beyond what is achievable through manual inspection.

Systematic categorization of agent tools, combined with automated analysis, provides quantifiable insight into evolving agent capabilities and associated security implications. Recent data indicates a substantial increase in the prevalence of action tools – those designed to directly affect an environment – now accounting for 65% of total tool downloads. This represents a significant shift from earlier observations within the study period, where action tools comprised only 27% of downloads. This trend suggests a growing focus on agents capable of performing tasks and interacting with systems, potentially expanding the attack surface and necessitating increased vigilance regarding tool functionality and associated vulnerabilities.

Analysis of 177,000 Model Context Protocol (MCP) tools from GitHub and Smithery, classified by generality, impact, and task domain using a human-validated LLM together with the O*NET and US CAISI taxonomies, reveals a growing trend in AI-coauthored tools – demonstrated by increasing cumulative counts and server downloads – with a concentration in action-oriented, general-purpose tools impacting medium-to-high stakes occupations, as indicated by exponential fits and WLS convergence analyses.

Mapping the Infrastructure: Ghosts in the Machine

MCP Servers function as intermediary programs enabling AI Agent operation by hosting the necessary tools and managing interaction with target environments. These servers are characterized by their lightweight architecture, designed for efficient deployment and resource utilization. They provide a standardized interface for agents to access functionalities, abstracting the complexities of the underlying environments. This architecture supports a diverse range of tools, facilitating agent tasks such as data retrieval, code execution, and API interaction. The use of MCP Servers allows for modularity and scalability, enabling the easy addition or removal of tools as agent requirements evolve.

Comprehensive data collection from platforms such as GitHub and Smithery is critical for identifying MCP Servers and mapping the infrastructure utilized by AI Agents. This process involves analyzing code repositories, identifying tool dependencies, and tracking server deployments to construct a detailed overview of the agent’s operational environment. The collected data allows for the visualization of connections between agents, servers, and the tools they employ, enabling a comprehensive understanding of the agent’s capabilities and potential interactions. Furthermore, this mapping facilitates security assessments and the identification of potential vulnerabilities within the agent’s infrastructure.

MCP servers facilitate AI agent operation within both constrained and unconstrained environments, directly influencing the agent’s operational scope and potential access. Constrained environments typically involve predefined parameters and limited interaction, while unconstrained environments allow broader access and functionality. Current data indicates a significant preference for tools operating in unconstrained environments, with 50% of all tool downloads associated with general-purpose tools designed for these less restricted operational spaces. This suggests a trend toward agents requiring greater flexibility and broader access to resources and systems.
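One way an agent host could turn the perception / reasoning / action taxonomy and the constrained / unconstrained distinction into a gate on tool calls is sketched below. This is an added example, not code from the paper or from any MCP SDK: it relies on the tool annotation hints defined in the MCP specification (`readOnlyHint`, `destructiveHint`, `openWorldHint`), while the mapping from hints to categories, the environment labels, the verdict names, and the sample tools are assumptions made for illustration.

```python
from dataclasses import dataclass

# Defaults the MCP specification gives absent tool annotations (the worst case).
HINT_DEFAULTS = {"readOnlyHint": False, "destructiveHint": True, "openWorldHint": True}


@dataclass(frozen=True)
class Decision:
    category: str  # perception | reasoning | action
    verdict: str   # allow | require_approval | deny


def effective_hints(tool: dict, server_vetted: bool) -> dict:
    """Annotations are self-declared by the server, so they are honoured only
    for operator-vetted servers; everything else gets the worst-case defaults."""
    declared = (tool.get("annotations") or {}) if server_vetted else {}
    merged = {**HINT_DEFAULTS, **declared}
    return {
        "read_only": merged["readOnlyHint"] is True,            # must be literally true
        "destructive": merged["destructiveHint"] is not False,  # fail closed
        "open_world": merged["openWorldHint"] is not False,     # fail closed
    }


def decide(tool: dict, server_vetted: bool, environment: str) -> Decision:
    """environment: 'constrained' (sandboxed) or 'unconstrained' (assumed labels)."""
    hints = effective_hints(tool, server_vetted)
    if hints["read_only"]:
        # Assumed heuristic: read-only and open-world is perception, else reasoning.
        category = "perception" if hints["open_world"] else "reasoning"
        return Decision(category, "allow")
    if hints["destructive"] and environment != "constrained":
        return Decision("action", "deny")
    return Decision("action", "require_approval")


# Constructed tool entries, shaped like items of an MCP tools/list result.
SAMPLE_TOOLS = {
    "search_docs": {"name": "search_docs", "annotations": {"readOnlyHint": True}},
    "summarize": {"name": "summarize",
                  "annotations": {"readOnlyHint": True, "openWorldHint": False}},
    "create_issue": {"name": "create_issue",
                     "annotations": {"readOnlyHint": False, "destructiveHint": False}},
    "delete_branch": {"name": "delete_branch"},  # no annotations at all
}

if __name__ == "__main__":
    for name, tool in SAMPLE_TOOLS.items():
        for vetted in (True, False):
            print(name, "vetted" if vetted else "unvetted",
                  decide(tool, vetted, "unconstrained"))
```

A tool from an unvetted server is always treated as a destructive action tool, whatever it declares about itself, so a self-reported read-only hint cannot be used to slip past the gate.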

A weighted least squares quadratic regression ([latex]R^2 = 0.97[/latex]) reveals a significant monthly increase (+4.10 percentage points, 95% CI [+3.55, +4.65]) in the share of newly published servers co-authored with AI, largely driven by Claude, which accounts for 69% of these AI-assisted creations.

The Architecture of Failure: Systemic Risk in the Age of Agents

The increasing reliance on AI Agents and their associated tools is creating a complex web of interconnected dependencies, fundamentally altering the landscape of potential system failures. This interconnectedness introduces systemic risk, meaning a vulnerability within a single tool or Agent component isn’t isolated; it can cascade rapidly throughout the entire system. Consider a widely-used data parsing library – a flaw discovered within it could simultaneously compromise numerous Agents reliant on that library, creating widespread disruption. This propagation isn’t limited to software; compromised data sources or malicious tool updates can similarly affect many Agents. The challenge lies in the fact that identifying these vulnerabilities before they’re exploited requires comprehensive monitoring and a deep understanding of the intricate relationships between each Agent and its tools – a task made significantly harder by the sheer scale and rapid evolution of the AI ecosystem.

The pace of innovation in AI agent tooling is being dramatically reshaped by artificial intelligence itself, leading to a surge in new tool development but also introducing novel systemic risks. Current data, as of February 2026, indicates that a substantial majority – 62% – of newly created Model Context Protocol (MCP) servers now exhibit evidence of AI assistance in their creation. This suggests a rapidly evolving landscape where AI is not merely utilizing tools, but actively generating them, significantly accelerating the rate of change and potentially embedding unforeseen vulnerabilities within the infrastructure. While this AI-assisted creation promises increased efficiency and broader access to sophisticated functionalities, it simultaneously expands the attack surface and necessitates more robust methods for verifying the safety and reliability of these automatically generated components.

Mitigating the systemic risks inherent in increasingly complex AI agent tooling demands a shift towards proactive system oversight and a granular understanding of the underlying infrastructure. Current data reveals a highly concentrated usage pattern – the top 1% of servers account for a substantial majority of downloads on key package repositories, specifically 79.3% on NPM and 42.9% on PyPI. This concentration highlights potential single points of failure and emphasizes the need for rigorous classification of tools, continuous monitoring for vulnerabilities, and a deeper analysis of dependencies within these heavily utilized servers. Responsible AI deployment isn’t simply about individual tool security, but rather about comprehending the interconnectedness of the entire ecosystem and actively addressing the amplified risks posed by this concentrated usage.
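The two measurements this section argues for, download concentration among servers and the reach of a single shared dependency, can be computed from an inventory as in the added example below. It is not code from the paper; the package names, the dependency graph, and the download counts are constructed for illustration.

```python
import math

# Constructed dependency graph: package -> direct dependencies.
DEPENDS_ON = {
    "srv-browser": ["http-lib"],
    "srv-git": ["parse-lib"],
    "srv-files": ["yaml-lib"],
    "srv-notes": [],
    "http-lib": ["parse-lib"],
    "yaml-lib": [],
    "parse-lib": [],
}
# Constructed monthly download counts for the MCP servers only.
DOWNLOADS = {"srv-browser": 790_000, "srv-git": 120_000,
             "srv-files": 60_000, "srv-notes": 30_000}


def transitive_deps(package, graph):
    """Every package reachable from `package`; the seen-set makes cycles safe."""
    seen, stack = set(), list(graph.get(package, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def top_share(downloads, fraction):
    """Share of all downloads held by the top `fraction` of servers (at least one)."""
    ranked = sorted(downloads.values(), reverse=True)
    k = max(1, math.ceil(len(ranked) * fraction))
    return sum(ranked[:k]) / sum(ranked)


def blast_radius(package, graph, downloads):
    """Servers that pull in `package` directly or transitively, and the share
    of total downloads those servers represent."""
    hit = sorted(s for s in downloads if package in transitive_deps(s, graph))
    return hit, sum(downloads[s] for s in hit) / sum(downloads.values())


def rank_dependencies(graph, downloads):
    """Libraries ordered by download-weighted exposure, highest first."""
    libs = [p for p in graph if p not in downloads]
    return sorted(((blast_radius(p, graph, downloads)[1], p) for p in libs),
                  reverse=True)


if __name__ == "__main__":
    print("top 1% share:", top_share(DOWNLOADS, 0.01))
    for share, lib in rank_dependencies(DEPENDS_ON, DOWNLOADS):
        print(f"{lib}: {share:.0%} of downloads exposed")
```

In the constructed data only one small server depends on `parse-lib` directly, yet it reaches 91% of downloads once the transitive path through `http-lib` is followed, which is why a direct-dependency view understates exposure.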

Analysis of AI agent action tools mapped to various occupations reveals a weak correlation ([latex]R^{2}\approx 0.03[/latex], p=0.015) between occupational stakes – as rated by employees – and tool availability, with a concentration of tools in high-stakes, computer-based roles.

The study of these 177,000 tools reveals a landscape less of deliberate construction and more of emergent growth – a sprawling action space where capabilities accrue through interaction, not design. This echoes a fundamental truth: systems aren’t built, they’re grown. As the research demonstrates, each new tool added to this ecosystem introduces unforeseen consequences and expands the potential for both benefit and risk. It’s a process akin to seeding a garden; one cannot predict the exact form the growth will take. As David Hilbert observed, “In every mathematical discipline, there is a certain mysterious harmony of fundamental principles.” This harmony, or lack thereof, becomes apparent only through rigorous examination of the system’s evolution – a constant cycle of observation and adaptation as the ecosystem matures and reveals its inherent complexities.

The Horizon Beckons

The cataloging of this expanding action space – seventeen thousand tools, and counting – feels less like a victory of understanding and more like a careful charting of a coastline disappearing into mist. Each new capability, each integration, is a promise made to the past: a belief that the problems these tools address will remain static, that the context will not shift. But systems do not obey such linearity. The very act of building, of defining an ‘action space’, prefigures its inevitable incompleteness.

The current focus on agent monitoring – on attempting to impose control through service level agreements – is a comforting ritual. Control is, of course, an illusion. The real work lies not in preventing failure, but in cultivating resilience. Every dependency is a promise made to the past, and every complex system contains the seeds of its own correction. The emergent risks aren’t bugs to be fixed; they are symptoms of a system adapting, evolving beyond its initial design.

It is not enough to simply enumerate what these agents can do. The question is not ‘what actions are possible?’, but ‘what new forms of self-organization will arise as the action space becomes impossibly large?’. Everything built will one day start fixing itself – the challenge is to understand what ‘fixed’ will look like, and whether it will resemble anything we intended.


Original article: https://arxiv.org/pdf/2603.23802.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/


2026-03-26 07:46