Connecting an MCP server hands your agent new capabilities that run with real permissions. Treat it like adding a dependency that has network and credential access — because it does.
Tool descriptions are prompt
The single most overlooked risk: an MCP tool's description is text your model obeys. A
hostile description is prompt injection with no exploit required. Read every tool's description and input
schema before enabling the server.
Provenance and scope
- Confirm who publishes the server and that its source is public and reviewable.
- Scope credentials to least privilege; never hand an unaudited server broad tokens.
- Prefer local, inspectable servers over remote ones you can't examine.
Ongoing hygiene
- Re-verify provenance on every version bump, not just first install.
- Keep an allowlist of trusted publishers and pin to it.
- Log and review tool/dependency changes in CI; prefer signed releases where available.
The exposure isn't only code execution — it's that tool text steers the model. Audit descriptions, scope credentials, pin versions.