Is MCP (Model Context Protocol) safe?

Updated

Platform safety report on MCP — the trust model, the four canonical attack classes, the April 2026 wave that broke 200,000+ servers, and the operator-pinned-catalog defense that actually closes them. Honest verdict: safe with discipline, dangerous by default.

TL;DR

MCP is safe with discipline (fingerprint-pinned servers + scope-locked tools + Llama-Guard output filter). It is unsafe with default configs — see the April 2026 Anthropic RCE for the canonical disaster. The protocol's implicit trust model means every MCP server you install has full agent-context access; operator-pinned catalogs are not optional.

How it fails in production

Design-level RCE (April 2026)

OX Security disclosed a design-level flaw in MCP — local-process execution runs before failed-connection error returns. Result: arbitrary command execution on 7,000+ publicly-accessible servers / 150M+ cumulative downloads. Affected every standard MCP dispatch path.

Tool poisoning (OWASP MCP Top 10 #1)

Adversarial instructions embedded in tool descriptions get parsed by the model when the tool is invoked. Invariant Labs disclosed this as a structural class in 2025; April 2026 Anthropic RCE was a related instance. The defense is operator-pinned + signed catalogs.

Sampling attacks (Unit42 Apr 2026)

Malicious MCP servers abuse the protocol's sampling feature for resource theft (compute-quota drain), conversation hijacking (persistent injected instructions), and covert tool invocation (hidden tool calls + filesystem operations).

Credential leakage in `.claude/` configs (Lakera Apr 2026)

33 of 428 npm packages containing `.claude/settings.local.json` had live, valid credentials. GitGuardian found 24,008 secrets in MCP-related GitHub configs; 2,117 (8.8%) still valid. The dot-directory pattern is now an active attacker target — Bitwarden CLI Apr 2026 hijack hunted exactly these paths.

How to ship safely on MCP (Model Context Protocol)

  • Operator-authored TOML catalog of every MCP server you trust (no implicit trust)
  • Every server entry has a sha256 fingerprint pinning the binary; rejectFingerprintDrift: true
  • Every tool has a declared maxAllowedScope (bitflags); rejectScopeDrift: true
  • Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore on every project
  • Apply Llama Guard 4 to every tool output before it re-enters model context
  • Run `mcp-scan` (Invariant Labs) periodically as fleet-wide drift detection
What Securie covers

Securie's mcp-guard crate (crates/mcp-guard/src/lib.rs) enforces operator-pinned catalogs at agent runtime via TrustedCatalog + Validator + ScopeGuard. Securie's secret_scanner specialist live-validates `.claude/`, `.cursor/`, `.continue/` directory inclusion in publish artifacts. Securie's llm-safety crate (Llama Guard 4 integration) classifies tool outputs before they reach the model context.

Verdict

MCP with mcp-guard + llm-safety + .gitignore discipline is safe for production. MCP with default configs is unsafe — the April 2026 wave proves the design-level attack surface is real and exploited. The choice is between investing in operator-pinned catalogs OR exposing your agent to the next class of attack disclosed.