Is MCP safe to use in production?

Short answer

MCP is safe with discipline: fingerprint-pinned servers + scope-locked tools + Llama Guard 4 output filtering. Without that discipline, the April 2026 Anthropic RCE (200,000+ servers / 7,000+ public) + GitGuardian's 2,117 valid leaked credentials show that default MCP usage is not safe.

MCP went from 0 to 200,000+ servers in 9 months. The protocol's trust model is implicit (agent treats server's catalog as authoritative), and the April 2026 wave revealed the cost: design-level RCE on 7,000+ public servers, tool poisoning as OWASP MCP Top 10 #1, and 2,117 live credentials in 24,008 GitGuardian-detected MCP-config files.

Safe production usage requires: an operator-authored TOML catalog with sha256 fingerprints, per-spawn fingerprint validation, a ScopeGuard-enforced maximum allowed scope per tool, and output sanitization plus Llama Guard 4 on every tool response. Securie's mcp-guard + llm-safety crates implement this layered defense.
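The first three layers (pinned catalog, per-spawn fingerprint check, per-tool scope lock) fit in a few dozen lines, shown here as an added example that is not Securie's mcp-guard code. The catalog, the server artefact bytes and the tool description are all constructed stand-ins; the catalog is held as a Python dict whose shape mirrors the TOML an operator would write. It also goes one step beyond the page by pinning the sha256 of each tool's description text, so a description that changes between spawns (the tool-poisoning vector) is rejected alongside a changed binary. Output sanitization and the Llama Guard 4 classifier are not modelled.

```python
"""Fingerprint-pinned MCP server admission with per-tool scope locking.

Added example, not Securie's mcp-guard code. Everything below is constructed:
the catalog, the server artefact bytes and the tool description are stand-ins.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artefact, the value an operator pins in the catalog."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes an operator would hash at pin time.
SERVER_ARTEFACT = b"constructed stand-in for the filesystem MCP server executable\n"
READ_FILE_DESCRIPTION = b"read_file: return the contents of a file under the workspace root"

# In-memory form of the operator-authored catalog (constructed). The TOML the
# operator would write, and which a loader would turn into this dict, is:
#
#   [[server]]
#   name = "filesystem"
#   sha256 = "<hex digest of the deployed server artefact>"
#   [[server.tool]]
#   name = "read_file"
#   description_sha256 = "<hex digest of the tool description text>"
#   max_scope = ["fs:read"]
CATALOG = {
    "filesystem": {
        "sha256": sha256_hex(SERVER_ARTEFACT),
        "tools": {
            "read_file": {
                "description_sha256": sha256_hex(READ_FILE_DESCRIPTION),
                "max_scope": frozenset({"fs:read"}),
            },
        },
    },
}


class GuardError(Exception):
    """Raised on any mismatch; the agent never connects to the server."""


def validate_spawn(server_name: str, artefact: bytes) -> dict:
    """Per-spawn check: the server we are about to launch is the one pinned."""
    entry = CATALOG.get(server_name)
    if entry is None:
        raise GuardError(f"server {server_name!r} is not in the operator catalog")
    if sha256_hex(artefact) != entry["sha256"]:
        raise GuardError(f"server {server_name!r} fingerprint mismatch")
    return entry


def validate_tool(server_entry: dict, name: str, description: bytes, requested_scope) -> None:
    """Check one tool the server advertises against the operator's pin."""
    tool = server_entry["tools"].get(name)
    if tool is None:
        raise GuardError(f"tool {name!r} is not allow-listed for this server")
    if sha256_hex(description) != tool["description_sha256"]:
        raise GuardError(f"tool {name!r} description drifted from the pinned hash")
    extra = set(requested_scope) - tool["max_scope"]
    if extra:
        raise GuardError(f"tool {name!r} requests scope beyond its maximum: {sorted(extra)}")


def admit(server_name: str, artefact: bytes, advertised) -> list:
    """Validate a spawn plus every advertised tool; fail closed on any error.

    `advertised` is what the server's catalog reports at connect time: a list of
    (tool_name, description_bytes, requested_scope) tuples. Returns the sorted
    names of admitted tools; any mismatch raises GuardError and admits nothing.
    """
    entry = validate_spawn(server_name, artefact)
    for name, description, scope in advertised:
        validate_tool(entry, name, description, scope)
    return sorted(name for name, _, _ in advertised)


def admission_error(server_name, artefact, advertised):
    """Convenience wrapper: the GuardError message, or None when admitted."""
    try:
        admit(server_name, artefact, advertised)
    except GuardError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = [("read_file", READ_FILE_DESCRIPTION, ["fs:read"])]
    print("admitted:", admit("filesystem", SERVER_ARTEFACT, good))
    print("tampered:", admission_error("filesystem", SERVER_ARTEFACT + b"\x00", good))
```

The design choice that matters is that `admit` validates the whole advertised catalog before returning anything: a single unknown tool, drifted description or over-broad scope rejects the spawn rather than admitting the remaining tools, so the agent never sees a server catalog the operator did not sign off on.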

See /safe/is-mcp-safe-to-use for the full assessment with mitigations.
