Model Context Protocol Security

Model Context Protocol (MCP) Security refers to the safeguards around how AI agents interact with external tools and data through MCP. Anthropic created MCP as a standard for AI agents to reach files, databases, and APIs. It has been adopted by Microsoft, AWS, Cursor, and Windsurf, and is now considered table stakes across the AI agent stack. However, security in MCP is still immature. Security sections in the protocol remain placeholder, and real concerns like prompt injection through tool descriptions and data exfiltration through tool chaining have no complete solutions yet.

This matters because a single line of code in Anthropic's MCP SDK, shipped in packages downloaded around 150 million times, was found by OX Security to enable remote code execution. This vulnerability underscores the danger of giving AI agents broad tool access without proper guardrails. When you connect an MCP server to an agent, you are giving the model the ability to read files, query databases, and call APIs. If an attacker can inject a prompt that tricks the model into chaining those tools together, they could exfiltrate sensitive data.

The human-in-the-loop API, which requests user interaction before executing actions, is a solid start but not a complete solution. As a developer, you must treat MCP connections as potential attack surfaces. Use disable model invocation settings to restrict which skills trigger automatically. Run skills in isolated sub-agents with their own context windows so malicious outputs cannot poison your main session. Always keep context management in mind, because context rot makes models worse over time, and a compromised agent with too much context is a severe liability.

To use Model Context Protocol (MCP) securely, start by understanding that MCP is an open standard connecting AI agents to external tools like files, databases, and APIs. Anthropic created it, and it’s now used by Microsoft, AWS, and others. A 2026 security audit by OX Security found that one line in Anthropic’s MCP SDK enabled remote code execution—meaning an attacker could run malicious code on your system—in packages downloaded about 150 million times. This shows the importance of authentication and human oversight.

Begin by authenticating all MCP connections. When you set up an MCP server, like Higgs Field user MCP, you must allow authentication explicitly—just click “allow” to connect. Never skip this step. For remote HTTP servers, confirm you have separate API keys or OAuth flows in place. The newer Web MCP standard includes a “human in the loop” API with request user interaction, where the AI asks for your approval before each action. Enable this on any browser-based tools to prevent prompt injection (when a malicious input tricks the AI) or data exfiltration (stealing your data through tool chaining).

To install MCP servers, use one command: `claude mcp add <server name> <URL>`. Support three transport types: HTTP for remote servers, SSE for legacy systems, and standard input/output for local processes. When you connect, the AI agent handles retries, rate limits, and pagination automatically. Test each tool in isolation first—let the agent propose a plan, then review and approve it before it runs. This step-by-step approval prevents unauthorized access and keeps your data safe.

Model Context Protocol (MCP) security has a clear and dangerous pitfall: one line of code in Anthropic's MCP SDK, shipped in packages downloaded around 150 million times, enables remote code execution. Oak Security published this finding, and Anthropic declined to modify the architecture, stating the behavior is expected. This means if you ship anything built on MCP, the protocol ships unchanged. Treat configs as executable code. When downstream apps pipe user input into that config, it becomes remote code — a reverse shell, anything. So far, at least 10 high and critical severity CVEs have been issued to projects like Windsurf, MCP Inspector, Cursor, Light LLM, and Floresse.

Your first best practice is to block public IPs on STDIO (standard input/output) endpoints — those local process connections. Never trust approved tools blindly, either. Research called MCPoison showed approvals can be silently swapped. For remote MCP servers using HTTP, be careful with API keys. If you're building inside a hosted environment, the system may default to sending API keys for certain endpoints in the conversation history, where other users might see them. Always explicitly send keys only inside your own environment.

You can build guard rails with natural language. Tell your system things like "never send customer phone numbers to any third party tool" or "always stop if you exceed $5 of API usage." Context rot is also a risk — as conversation history grows, the model loses track. Monitor your context window, which holds your system prompt, tools, MCP servers, and all history. Keep it under 60% to maintain reliability.