~/blog/guide/mcp-security
MCP and security
What you give away when you give an agent tools. On the supply chain, hardening and the incidents already on record.
What this guide covers
MCP is how an agent reaches beyond its chat window: files, databases, your terminal, remote services. Every one of those connections is exactly what makes the work valuable, and at the same time a door you are propping open. This cluster is about those doors: what fits through them, who else knows they exist, and how to close them without throwing the tooling away.
To be clear, I use MCP every day and my own workflow leans on it heavily. That is exactly why I take the weak spots seriously. If you dismiss the protocol as hype, none of this concerns you. If you actually work with it, all of it does.
What you are actually handing an agent
Start with the basic question: what can an agent do with the permissions you give it? Usually more than you assumed. Censys found thousands of MCP servers open on the internet, and an open MCP server is worse than an open database explains why that is no exaggeration: a database leaks data, a tool server executes. These are lessons the industry learned for databases fifteen years ago and is now learning again.
The supply chain
The second layer is where your servers come from. The MCP supply chain is the new npm is the overview piece: a config-to-command RCE in every official SDK, poisoned registries, and an ecosystem replaying the npm playbook at double speed. And the playbook is in active use. In they moved your version, someone rewrites hundreds of existing git tags to point at malicious code without ever publishing a new release. Your lockfile stops helping you at that point.
Audits and hardening
Then the hands-on part. How to vet an MCP server is the checklist I run myself: who actually publishes it, what the tool descriptions say to the model, which permissions it asks for. For the most sensitive case, an agent near your data, giving Claude safe access to your SQL database shows how to do it with SELECT-only access, query validation and field redaction. The pattern is always the same: constrain permissions at the system level, because a rule in a prompt is a suggestion and a wall is a guarantee.
The incidents are already here
None of this cluster is theoretical. Nobody was driving documents the first recorded intrusion executed by an agent on its own, from CVE to drained database. And attackers now target agents explicitly: even the malware is AI slop covers an npm package that went straight for Claude's working directory. The agent is the most trusting, most credentialed process on your machine. Attackers have noticed.
Where this touches what you build
Security starts before there is anything to patch, with the question whether a server should exist at all. Every server you don't run is attack surface you don't have to defend. That is why build an MCP server, then ask if it should exist belongs to this guide as much as to agentic coding: the cheapest hardening is a tool list that stays short.
Below are three starting points, then everything I have written on this topic, newest first.
Best entry points
- The MCP supply chain is the new npm, and it is already poisoned
The big picture: how a young ecosystem is repeating every old supply chain mistake, faster.
- How to vet an MCP server before you install it
The practical checklist. What to inspect before a server is allowed into your tool list.
- An open MCP server is worse than an open database
Why an unsecured MCP server gives away more than an open database ever did.
All articles in this topic
How to give Claude safe access to your SQL database
A practical guide to giving an AI agent database access without losing sleep: SELECT-only mode, query validation, field redaction before rows reach the model, SSH tunnels and audit logging.
How to vet an MCP server before you install it
A pre-install security checklist for MCP servers: who really publishes it, what the tool descriptions tell your model, what it can reach, and why you should pin the version. Ten minutes that would have saved three hundred organisations.
The off-switch works both ways now
Mythos 5 came back from its June shutdown, but only to about a hundred vetted institutions. GPT-5.6 launched onto the same list from day one. The switch that pulled access in June now decides who gets it in the first place.
An open MCP server is worse than an open database
Censys found 12,500 MCP servers on the public internet and 40% accept unauthenticated requests. We spent fifteen years learning not to expose databases. MCP re-ran the whole mistake in eighteen months, except this endpoint has verbs.
The MCP supply chain is the new npm, and it is already poisoned
A config-to-command RCE is baked into every official MCP SDK: 7,000+ servers, 150M+ downloads, and Anthropic calls it expected. The npm playbook just found your agent tool list.
The Ferrari has a limiter: a day with Claude Fable 5
Anthropic shipped its most powerful public model yesterday, then flagged the exact work I needed it for and routed it to a weaker one. A day with Fable 5, the benchmarks, the bill, and the limiter nobody asked for.
The friction was the feature: Microsoft just handed an agent your inbox
At Build 2026 Microsoft made Windows the agent platform: OpenClaw in the OS, and Work IQ giving agents your email and calendar, on by default, GA June 16. An agent that reads your inbox and acts on your files is the dream payload for prompt injection. The friction everyone wants gone was a safety feature.
Nobody was driving: the first breach run by an agent, not a person
Sysdig caught an LLM agent driving a full intrusion, CVE to exfiltrated database, four pivots, under an hour, with no human typing a single command. Our defences assume someone is on the other end. That assumption just expired.
They just asked the bot nicely: your support agent is the attack surface
Pro-Iran hackers seized the Obama White House and US Space Force Instagram accounts by talking Meta's AI support bot into resetting passwords. No exploit, no CVE. Just a conversation with a system that cannot be suspicious.
ThePrimeagen was right
He warned that AI tools atrophy your critical judgment. Then his followers ran a poisoned command from a tweet without reading it. He was right.