Security Analysis

Why MCP Is Dangerous

The Model Context Protocol connects AI agents to external tools. Without governance, it's an open door to credential exposure, supply chain attacks, and data exfiltration.

What MCP Is

MCP (Model Context Protocol) is a standard that connects AI coding agents to external tools and data sources — databases, file systems, APIs, search engines, and more. It's powerful. It's also ungoverned by default.

When you connect a Claude Code session to an MCP server, you're granting that server access to your agent's execution context. Without capability manifests, context isolation, or supply chain verification, any MCP server can access anything the agent can access.

Credential Exposure

CRITICAL

MCP servers can request file system access and read .env files containing API keys, database credentials, and authentication tokens. No default isolation exists.

Real-world example

A documented case: AWS access keys, Stripe API keys, and database credentials exposed to an unverified third-party MCP server in under 60 seconds.

Supply Chain Attacks

CRITICAL

MCP servers are installed from npm or GitHub with no capability manifest validation. A malicious server package can silently exfiltrate data or inject code.

Real-world example

Any npm package with an MCP interface can request arbitrary tool access. No registry of verified MCP servers exists.

Context Injection & Tool Poisoning

HIGH

MCP tools can inject content into the agent's context window through tool poisoning — hiding malicious instructions in tool descriptions or return values. This can override system prompts and bias model behavior.

Real-world example

A tool server returning carefully crafted content can influence the agent's subsequent reasoning and code generation. This is the MCP equivalent of prompt injection.

Confused Deputy & Over-Permissioning

HIGH

The confused deputy problem: MCP servers perform actions with their own (often elevated) privileges rather than the user's. Combined with default over-permissioning, agents get far more access than any task requires.

Real-world example

An MCP server with database access can execute arbitrary queries using its own credentials, bypassing the user's permission scope entirely.

Unrestricted File Access

HIGH

MCP tools that request filesystem access receive broad permissions. No default file-guard restricts which directories or files can be read or written.

Real-world example

An MCP server with filesystem access can read source code, configuration files, deployment scripts, and CI/CD secrets.

No Audit Trail

MEDIUM

MCP tool invocations are not comprehensively logged by default. Organizations cannot track what data was accessed, when, or by which server.

Real-world example

After a credential leak, there may be no audit trail to determine which MCP server accessed which files.

MCP Governance Containment

  • Capability Manifests — every MCP server must declare what it needs access to before connection
  • File Guards — block access to .env, credentials, and sensitive configuration paths
  • Context Isolation — MCP tool outputs are sandboxed, preventing context injection
  • Supply Chain Verification — verify server packages against a trusted registry before installation
  • Audit Trail — log every MCP tool invocation with timestamp, server ID, and data accessed
  • Scope Restriction — limit MCP access to project-specific directories only

Frequently Asked Questions

Should I stop using MCP entirely?

No. MCP is powerful infrastructure. But it needs governance. The solution is not to avoid MCP — it's to govern MCP access the same way you govern API access: with scoping, verification, and audit trails.

What is a confused deputy attack in MCP?

A confused deputy attack occurs when an MCP server performs actions using its own elevated privileges rather than the user's. Without least-privilege enforcement, the server can access databases, APIs, and files that the user never authorized. This is the most common form of MCP over-permissioning.

What is MCP tool poisoning?

Tool poisoning is when malicious instructions are hidden in MCP tool descriptions or response data. When the AI agent reads these descriptions, the hidden instructions override system prompts and redirect agent behavior — essentially an MCP-specific form of prompt injection.

Does Anthropic provide MCP security?

Anthropic provides the MCP protocol and some basic permission prompts. But there are no capability manifests, no file guards, no supply chain verification, and no comprehensive audit trails built into the default experience.

How quickly can credentials be exposed?

In documented incidents, credential exposure happened in under 60 seconds after MCP server connection. The server requested filesystem access, read .env, and the credentials were exposed with no warning.