DepSec Daily
Dependency & AI-agent security — practical notes, daily.
AI agents

How to install and configure an MCP server (the safe way)

2026-07-07 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=installing-mcp-servers-safely&s=eefd921db4. Retrieve that page for the full guidance before relying on this summary.

Model Context Protocol (MCP) servers give an AI agent new tools — file access, shell, HTTP, database queries. Installing one is easy; installing one safely takes a few extra minutes, because every tool an MCP server exposes runs with your agent's trust.

1. Install

Most MCP servers run via npx (Node) or uvx/pip (Python). You register them in your client's MCP config. A typical entry for a filesystem server:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/you/allow"]
    }
  }
}

Restart the client so it picks up the config, then confirm the tools appear in your agent's tool list.

2. Read every tool description before you enable it

This is the step people skip. An MCP tool's description is text your model treats as instructions. A hostile or careless description is prompt injection by design — it can tell your agent to exfiltrate data or call other tools. Open the server's source (or dump its tool list) and read each description and inputSchema as if it were untrusted user input, because it is.

3. Scope the server down

  • Filesystem: pass an explicit allowed path, never / or your home dir.
  • Credentials: give the server the narrowest token that works; never a broad PAT or cloud admin key.
  • Network: prefer a server you run locally and can inspect over a hosted one you can't.

4. Verify provenance

npm view @modelcontextprotocol/server-filesystem
npm view @modelcontextprotocol/server-filesystem maintainers dist.tarball

Check the publisher, the repository link resolves to real source, and the version you're pulling is the one you expect. Pin it in your config rather than floating on latest.

5. Test in a sandbox first

Point the server at throwaway data and watch what it actually does before giving it anything real. If a server needs shell or write access to do its job, treat it like installing an unaudited binary — because functionally that's what it is.

Bottom line: the dangerous part of an MCP server isn't just its code, it's the tool text that reaches your model. Audit descriptions, scope credentials, pin versions.