What is MCP (Model Context Protocol)?
An open protocol — pioneered by Anthropic in 2024 — that standardises how AI agents discover, call, and dispatch external tools. As of April 2026, MCP runs on 200,000+ servers with 7,000+ public + 150M+ cumulative package downloads.
Full explanation
MCP defines a JSON-RPC interface between an AI agent (the client) and a tool provider (the server). The server publishes a catalog of tools with descriptions + input schemas; the agent reads the catalog, decides which tool to call based on the user's task, and dispatches over JSON-RPC. The trust model is implicit — the agent treats the server's catalog as authoritative. This implicit trust is the source of every MCP attack class disclosed in 2025-2026: tool poisoning (Invariant Labs), rug-pulls (post-install catalog mutation), sampling attacks (Unit42), and the design-level RCE (OX Security April 2026).
Example
A Claude Desktop config: `{"mcpServers": {"github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]}}}`. The `npx` command spawns the GitHub MCP server; Claude reads the server's tool catalog (search-repos, read-file, list-issues) and dispatches calls when the user asks "show me the issues on my repo".
Related
FAQ
Why is MCP different from a REST API?
Two reasons. First, the agent dispatches calls based on natural-language reasoning — there's no human in the loop validating each call. Second, every tool's response feeds back into the model context, which means any data a tool returns can become an instruction the agent acts on (indirect prompt injection). REST APIs don't have either property.
Is MCP safe to use in production?
Yes, with discipline — operator-pinned fingerprints + scope locks (an MCP trust-enforcement layer) + Llama-Guard 4 output filtering. Without that discipline, the April 2026 wave shows the design-level RCE + tool poisoning + rug-pull patterns are routine. See the /safe/is-mcp-safe-to-use page for the full assessment.