[simonw]

Right. If you're running a CLI tool that is authenticated there's effectively no way to prevent the coding agent from accessing those credentials itself - they're visible to the process, which means they're visible to the agent.

With MCP you can at least set things up such that the agent can't access the raw credentials directly.

[dcherman]

How so? Let's use a common CLI tool as an example - kubectl. Config is generally stored in ~/.kube in a variety of config files. Running `kubectl config view` already redacts the auth information from the config. LLMs could invoke `kubectl` commands without having knowledge of how it's authenticated.

[simonw]

If the agent has permission to run kubectl config view what's to stop it from reading those config files directly?

[dcherman]

The same permissions model that works for other tools. In Claude Code terms, allow Bash(kubectl:*). Deny Read(**/.kube/**). That allows kubectl access without allowing the tool to read ~/.kube directly.

Your argument is the same for an MCP server - auth is stored somewhere on disk, what's to stop it from reading that file? The answer is the same as above.

[simonw]

Would that stop Claude from executing this code:

  python -c '
  print(open("~/.kube/config.txt").read())
  '

The point I'm making here is that with an MCP you can disable shell access entirely, at which point the agent cannot read credential files that it's not meant to be able to access.

[dcherman]

You can make the identical argument for the CLI tool. Allow kubectl, deny everything else.

[simonw]

I don't understand.

My argument here is that one of the reasons to use MCP is that it allows you to build smaller agents that do not have a full code execution environment, and those agents can then use MCPs to make calls to external services without revealing those credentials to the agent.

I think we both agree that if your agent has full Bash access it can access credentials.

[zbentley]

This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil.

(Moved from wrong sub)

[steve-atx-7600]

Also, you can set permissions to allow and disallow specific mcp server tool calls. With a skill you’d have to do something in the shell environment to block unwanted behaviors with auth or other means in a way that isn’t declarative.