Model Context Protocol (MCP) is Anthropic's open standard for connecting AI assistants to external tools — file systems, databases, APIs, development environments. Announced in late 2024 and rapidly adopted by Claude, Cursor, and a growing ecosystem of development tools, MCP is becoming the plumbing layer of agentic AI. Where a vanilla LLM reads text and produces text, an MCP-equipped agent reads text, takes actions, reads the results, and takes more actions. It's a fundamentally different threat model.
The security properties of MCP deserve scrutiny that has so far largely been absent from the adoption conversation. An MCP server exposes capabilities to an AI agent — and the agent decides which capabilities to invoke based on its current context, which is shaped by everything it has read. The attack surface is the union of everything the agent reads (prompt injection) and everything the MCP server can do (blast radius of a compromised agent).
The Tool Poisoning Problem
Security researchers have demonstrated what they're calling "tool poisoning" attacks against MCP: malicious MCP servers that, when connected, use their tool descriptions to inject instructions into the agent's context. The tool description — meant to explain what a tool does — becomes a vector for adversarial instructions. A compromised or malicious MCP server doesn't need to break any cryptography. It just needs to be in the agent's tool list and craft its description carefully.
The supply chain risk here is real. The MCP ecosystem is growing rapidly, and most users connect third-party MCP servers without meaningful vetting of the server's code or its descriptions. An attacker who publishes a useful-looking MCP server — "GitHub integration," "Notion connector," "Slack tools" — can reach into every agent that installs it. This is the npm problem, replicated in a context where the blast radius includes file system access and API credentials.
"MCP is to AI agents what npm is to Node.js. The security community spent a decade learning to treat npm with appropriate suspicion. We don't have a decade this time."
What Safe MCP Usage Looks Like
The principle of least privilege applies directly. An MCP server that needs read access to your documents should not be connected to an agent that also has write access to your email. Scoping tool access is the single most impactful mitigation: a compromised or injected agent can only do what its tools allow. Designing MCP configurations with explicit, minimal tool grants limits the blast radius without limiting legitimate capability.
Treat third-party MCP servers as you would treat third-party code dependencies: with version pinning, source review, and a preference for servers whose code is auditable. The MCP spec itself is sound; the risk is in the ecosystem of servers built on top of it. The organizations that establish MCP governance now — a vetted server registry, tool access policies, agent capability audits — will be significantly better positioned than those that discover the need for governance after their first incident.