[Nilithus]

I don’t think that’s really fair. They are highlighting some pretty serious security flaws in MCP tools that are allowed to do some pretty privileged things.

They don’t even mention their product till the very last section. Overall think it’s an excellent blog post.

[charcircuit]

>They are highlighting some pretty serious security flaws

It's just a rehash of the same inherit flaw of LLMs.

[Tokumei-no-hito]

that's reductive. this is effectively a disclosure. do you consider every disclosure write up an "ad" for the security researcher?

[raincole]

I do if their "mitigation" looks like this:

> 1 · Deploy an MCP Guard (three-command setup)

> A guardrail can help protect every tool call with a protective layer that blocks malicious or out-of-policy instructions in real time. Here is how to install the GA MCP guard which is open-source and requires no billing.

> $ pip install generalanalysis # install the guard

> $ ga login # browser-based auth

> $ ga configure

> MCP Guard protection enabled

[Tokumei-no-hito]

great point. sorry i didn't realize it was reaching out to their servers. that's no longer equivalent to an open patch.

[Tokumei-no-hito]

so if a security researcher comes up with a free open source patch which, presently, is the only available solution then they should just keep that to themselves?

it's an evolving field. if anthropic doesn't have a solution should we just not do anything?

[raincole]

What this "open source patch" does is to set up a proxy server on your machine and route your requests to their server first for moderation.

Do I really need to explain why this is a bad idea? Honestly this post should be flagged by HN as phishing attempt, if anything. (But it won't, as this company is YC-backed...)

> if anthropic doesn't have a solution should we just not do anything?

A solution to what? This article describes a theoretical scenario where a theoretical user misuses a system. If you give LLM tool some permissions, it would do things that are permitted but probably not expected by you. It's a given.

It's like asking Amazon to have a "solution" for users who posts their AWS access tokens online.

The real problem here is the very existence of Stripe MCP. It's a ridiculous idea. I'm all for raising awareness of that, but it's not an excuse to fearmonger readers into adding yet another AI tool onto their tech stack.