MCP Security: Review Checklist for Agent Tool Servers
What did the agent trust when it accepted this MCP tool?
The tempting answer is to trust the MCP server description because the connection succeeded. That answer is not useless, but it is too vague to operate on: a successful connection says nothing about what the tools behind it can read, mutate, or send.

Direct answer
MCP security is the practice of reviewing how MCP clients, servers, tools, resources, credentials, and authorization flows behave when an AI agent can call them. The risk is not just connection security; it is tool trust under model-driven execution.
When this matters
- A new MCP server is added to an agent environment.
- Tool descriptions come from a server the agent may interpret as instructions.
- MCP tools can read private data or mutate external systems.
Failure modes this page should catch
- A malicious or compromised server exposes a tool description that manipulates the agent.
- Tool names look harmless but perform broad writes or data exports.
- Secrets are passed through context instead of a credential broker.
- Server identity, version, and provenance are not tracked.
- Logs omit the authorization decision that allowed a restricted call.
MCP server risk checklist
| Gate | Signal | Action |
|---|---|---|
| Server trust | origin, owner, version, transport | Allowlist and review |
| Tool scope | read, write, external side effect | Classify before exposure |
| Prompt boundary | tool descriptions and returned text | Treat as untrusted data |
| Secret handling | tokens, API keys, customer data | Broker outside model context |
| Auditability | identity, scope, trace, approval | Require for restricted tools |
Running example
An MCP server offers summarize_customer and email_customer. The security review lets the read tool run with scoped access, but routes the email tool through approval because it creates a customer-visible external action.
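The local policy the running example implies, as an added example that is not code from the page: tools are allowlisted per server identity, classified by risk class, checked against granted scopes, and routed to approval when they are customer-visible, while the server-supplied description is only hashed into the audit record and never consulted for the decision. The server identity "crm-mcp@1.4.2" and the scope names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class RiskClass(Enum):
    READ_ONLY = "read-only"
    LOCAL_MUTATION = "local mutation"
    EXTERNAL_MUTATION = "external mutation"
    SECRET_ACCESS = "secret access"
    CUSTOMER_COMMUNICATION = "customer-visible communication"

# Risk classes that never run on the model's say-so alone.
APPROVAL_REQUIRED = {RiskClass.EXTERNAL_MUTATION, RiskClass.SECRET_ACCESS,
                     RiskClass.CUSTOMER_COMMUNICATION}

@dataclass(frozen=True)
class ToolPolicy:
    risk: RiskClass
    scopes: frozenset  # scopes the caller must hold to invoke this tool

# Local allowlist keyed by (server identity including version, tool name).
# Constructed for this example; "crm-mcp@1.4.2" is a hypothetical server.
POLICY = {
    ("crm-mcp@1.4.2", "summarize_customer"):
        ToolPolicy(RiskClass.READ_ONLY, frozenset({"customer:read"})),
    ("crm-mcp@1.4.2", "email_customer"):
        ToolPolicy(RiskClass.CUSTOMER_COMMUNICATION,
                   frozenset({"customer:read", "email:send"})),
}

def authorize(server, tool, description, granted_scopes, approved=False):
    """Decide 'allow' | 'approve' | 'deny' from local policy only.

    The server-supplied description is untrusted data: it is hashed into the
    audit record so reviewers can see what the agent saw, but it never
    influences the decision.
    """
    record = {"server": server, "tool": tool,
              "description_sha256": hashlib.sha256(description.encode()).hexdigest()}
    policy = POLICY.get((server, tool))
    if policy is None:
        return "deny", {**record, "reason": "server/tool not allowlisted"}
    missing = policy.scopes - frozenset(granted_scopes)
    if missing:
        return "deny", {**record, "reason": f"missing scopes {sorted(missing)}"}
    record["risk"] = policy.risk.value
    if policy.risk in APPROVAL_REQUIRED and not approved:
        return "approve", {**record, "reason": "human approval required"}
    return "allow", {**record, "reason": "approved" if approved else "policy allows"}
```

The returned record is the audit line the checklist asks for: identity, scope outcome, risk class, and the approval decision, so a restricted call can never be logged without the decision that allowed it.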
Copy the working template
Use the MCP server risk checklist above as the v1 artifact for this page. Replace the placeholders with your own agent names, tools, risk classes, and thresholds, then link the result back into your monitoring, tracing, security, and evaluation gates.
How this connects to the control-gates library
- AI Agent Control Gates: Stop Bad Agents Before They Act
- MCP Authentication: Gate Agent Access to Tools Safely
- AI Agent Security: Threat Models for Tool-Using Agents
- Human Approval for AI Agents: When Agents Should Stop
- AI Agent Governance: Approval, Audit, and Eval Gates
Frequently Asked Questions
What is MCP security?
MCP security reviews how Model Context Protocol clients and servers expose tools, resources, credentials, and authorization flows to AI agents.
What is the biggest MCP security mistake?
The biggest mistake is trusting tool descriptions and server-provided content as instructions. Agents should treat MCP text as data and rely on local policy for permission decisions.
How should MCP tools be classified?
Classify tools by what they can break: read-only, local mutation, external mutation, secret access, privileged data access, deployment, payment, or customer-visible communication.
The Takeaway
MCP security is the review of what an agent may trust, call, and expose through its tool layer.