What is MCP (Model Context Protocol)?
A specification for how LLM agents discover and call tools — file operations, HTTP requests, database queries, git commands. MCP servers host tool catalogues; LLM agents read the catalogue and invoke tools. This makes MCP the new attack surface for AI applications.
Full explanation
MCP was published by Anthropic in late 2024 and adopted across the LLM ecosystem in 2025-2026. An MCP server hosts a catalogue of tools with input schemas; an LLM agent reads the catalogue, decides which tools to call (often based on user input), and the server executes them. The risk: every tool the LLM can call is a potential attack capability when the LLM's input is attacker-controlled (prompt injection). The defense is structural — pin the tool catalogue, scope every tool to its safe surface, and never trust the LLM's tool arguments without an explicit policy check.
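Catalogue pinning can be sketched as hashing the audited tool names and schemas and refusing to serve tools if the catalogue drifts. This is a minimal illustration, not part of the MCP specification; the catalogue shape, `CATALOGUE`, and `verify_catalogue` are assumptions for the example.

```python
import hashlib
import json

# Hypothetical tool catalogue, recorded at audit time.
CATALOGUE = [
    {"name": "read_file", "schema": {"path": "string"}},
    {"name": "http_get", "schema": {"url": "string"}},
]

def catalogue_digest(catalogue: list) -> str:
    """Stable digest over tool names and input schemas."""
    canonical = json.dumps(catalogue, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

EXPECTED_DIGEST = catalogue_digest(CATALOGUE)  # pinned after a security review

def verify_catalogue(catalogue: list) -> None:
    """Refuse to serve tools if the catalogue changed since the last audit."""
    if catalogue_digest(catalogue) != EXPECTED_DIGEST:
        raise RuntimeError("tool catalogue changed since last audit")
```

A server would call `verify_catalogue` at startup and on every catalogue refresh, so a silently added `exec_shell` tool fails loudly instead of becoming callable.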
Example
An MCP server with a `read_file` tool that takes any path passed by the LLM. A prompt-injection attack inside user input coerces the LLM into calling `read_file('/etc/passwd')` or `read_file('~/.ssh/id_rsa')`. The fix is threefold: anchor the path to a workspace root, verify the resolved path stays inside that root, and apply an extension allowlist to the result.
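The threefold fix can be sketched as follows; `WORKSPACE_ROOT` and the extension set are illustrative assumptions, and the key detail is resolving symlinks and `..` components before any containment check:

```python
from pathlib import Path

# Assumed workspace root; in a real server this comes from configuration.
WORKSPACE_ROOT = Path("/srv/agent-workspace").resolve()
ALLOWED_EXTENSIONS = {".txt", ".md", ".py", ".json"}

def safe_read_file(requested: str) -> str:
    # Resolve symlinks and ".." components first, so checks see the real path.
    candidate = (WORKSPACE_ROOT / requested).resolve()
    # Reject any path that escapes the workspace root.
    if not candidate.is_relative_to(WORKSPACE_ROOT):
        raise PermissionError(f"path escapes workspace: {requested}")
    # Allowlist extensions on the resolved result, not the raw argument.
    if candidate.suffix not in ALLOWED_EXTENSIONS:
        raise PermissionError(f"extension not allowed: {candidate.suffix!r}")
    return candidate.read_text()
```

With this guard, `safe_read_file('../../etc/passwd')` resolves to `/etc/passwd`, fails the containment check, and raises before any I/O happens. (`Path.is_relative_to` requires Python 3.9+.)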
FAQ
Is MCP secure by default?
No — the protocol does not mandate scope guards on tools. The MCP server author is responsible for tool-level scope enforcement. Many community MCP servers ship without scope guards; treat them as untrusted until you audit the tool surface.
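Since the protocol leaves scope enforcement to the server author, one pattern is to wrap every tool in a server-side guard that checks the LLM-proposed arguments against an explicit policy before dispatch. A minimal sketch, where the tool names and the policy table are hypothetical:

```python
from functools import wraps

# Assumed per-tool policies: each maps tool args to allow/deny.
POLICIES = {
    "http_get": lambda args: args.get("url", "").startswith("https://api.example.com/"),
}

def scope_guarded(tool_name: str):
    """Decorator enforcing the tool's policy before the handler runs."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(args: dict):
            policy = POLICIES.get(tool_name)
            # Deny by default: no policy means the tool is not callable.
            if policy is None or not policy(args):
                raise PermissionError(f"blocked call to {tool_name}: {args}")
            return fn(args)
        return wrapper
    return decorate

@scope_guarded("http_get")
def http_get(args: dict) -> str:
    return f"GET {args['url']}"  # placeholder for the real HTTP request
```

The deny-by-default branch matters: a tool added without a policy entry is blocked rather than silently exposed.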
How is MCP risk different from prompt-injection risk?
Prompt injection is the input vector; MCP tool-call execution is the output capability. Without tool surfaces, prompt injection is bounded to text manipulation. With tool surfaces, prompt injection can read filesystems, exfiltrate data, send emails, charge cards. MCP scope-guarding is what prevents bounded input from becoming unbounded output.