[Jimmc414]

Some of the comments seem to imply that MCP servers should be safe to connect to regardless of trust level, like websites you can safely visit.

But MCP servers are more analogous to a PyPI packages you pip install, npm modules you add to your project or a VSCode extension.

Nobody would argue that pip is fundamentally broken because running pip install malicious-package can compromise your system. That's expected behavior when you execute untrusted code.

[mehdibl]

There is confusion.

1. Not all MCP tools connect to the web or fetch emails. So the shortcut all MCP's are doomed is also the wrong way to adress this.

2. Issue is with MCP with untrusted external sources like web/email that need sanitization like we do with web forms.

3. A lot of warning point bad MCP's! But that apply to any code you might download/ use from the internet. Any package can be flawed. Are you audit them all?

So yeah, on my side I feel this security frenzy over MCP is over hyped. VS the real risk and there is a lot of shortcuts, masking a key issue that is supply chain as an MCP owned issue here and I see that in so many doom comment here.

[esseph]

This is a blanket statement, just an anecdote from my career.

Every developer I have ever met that wasn't in the security space underestimates security problems. Every one.

YMMV

[mehdibl]

I'm in the security space so? And been deep in this MCP thingy.

Did you check where I pointed the root issues?

All I'm trying to say there is shortcuts, and confusing over the hype buzz too that is on going in AI, as MCP took off, I so a lot of of papers with IF IF IF condition to point security issues in MCP, while most of the them expect you to pick random stuff at the start. This is why I'm saying "Supply chain" is not MCP. As you can't blame MCP for issue coming from random code you pick. MCP is a transport protocol, you can do similar without MCP but you have to bake your tools inside the AI app, thus loosing the plug & play ability.

[datadrivenangel]

You are correct that it is possible to use MCP securely. Like if you build a custom client, and only use trusted third party servers one at a time.

But the hype-promise of "AI" is that you can make the commercial off the shelf ClaudeGPT client magically discover MCP servers and automate everything. And if the majority of people's expectations require vulnerability, you're going to have a bad time.

[esseph]

Ultimately to use Agentic AI, you have to put faith in the model, the training data, the chain of custody, the authentication, the network discovery and connectivity between components, the other tools themselves that get called, and their chain of custody, etc.

It's a massive liability.

Maybe future history will prove me wrong.

[jdns]

i'd honestly say it's closer (but not analogous) to opening a website in your browser. you wouldn't expect javascript on a website to be able to escape the sandbox and run arbitrary code on your computer.

companies taking this seriously and awarding bounties is indicative it's fairly severe

[datadrivenangel]

Malware from untrusted websites is as old as the internet. With advertisements, even trusted sites can deliver hostile content.

The RCE/Malware issue aside, if the website you go to is a login page for some service, do you know it's the legitimate website? MCP Phishing is going to be a thing

[mehdibl]

this issue is not even MCP at the core. Claude Code/ Gemini CLI were opening "url's" without sanitization and validation. That's the core flaw. There is a second issue with an XSS flawed package too in the bridge that is easy to patch.

So there is a chain of issues and you need to leverage them to get there and first pick an MCP that is flawed from a bad actor.

[jdns]

yeah, i was comparing MCP clients to browsers. connecting to an MCP shouldn't leave you vulnerable to RCE on your host.

also, the way MCP servers are presented right now is in sort of a "marketplace" fashion meaning it's not out of the question you could find one hosted by a bad actor. PyPI/npm are also like this, but it's different since it's not like you can vet the source code of a running MCP. packages are also versioned, unlike MCP where whoever is hosting them can change the behaviour at any time without notice.

[fulafel]

JS has been able to escape the sandbox as long as browsers had JS support.

The stream of vulnerability discoveries has been constant.