# MCP Security: Review Checklist for Agent Tool Servers

What did the agent trust when it accepted this MCP tool?

The tempting answer is to trust the MCP server description because the connection succeeded. That answer is not useless, but it is too vague to act on: a successful handshake says nothing about what the server's tools can read, write, or send once a model decides to call them.


![Generated hand-drawn illustration of an agent policy gate routing read, write, and external actions.](/assets/agent-harness-architecture-15-jobs/03-policy-gate.png)

## Direct answer

MCP security is the practice of reviewing how MCP clients, servers, tools, resources, credentials, and authorization flows behave when an AI agent can call them. The risk is not just connection security; it is tool trust under model-driven execution.

## When this matters

- A new MCP server is added to an agent environment.
- Tool descriptions come from a server the agent may interpret as instructions.
- MCP tools can read private data or mutate external systems.

## Failure modes to catch

- A malicious or compromised server exposes a tool description that manipulates the agent.
- Tool names look harmless but perform broad writes or data exports.
- Secrets are passed through context instead of a credential broker.
- Server identity, version, and provenance are not tracked.
- Logs omit the authorization decision that allowed a restricted call.

## MCP server risk checklist

| Gate | Signal | Action |
|---|---|---|
| Server trust | origin, owner, version, transport | Allowlist and review |
| Tool scope | read, write, external side effect | Classify before exposure |
| Prompt boundary | tool descriptions and returned text | Treat as untrusted data |
| Secret handling | tokens, API keys, customer data | Broker outside model context |
| Auditability | identity, scope, trace, approval | Require for restricted tools |

```schema
mcp_server_review:
  server_identity:
    owner: required
    version: pinned
    transport: tls_required
  tools:
    classified_by_risk: true
    write_tools_require_approval: true
    external_sends_require_approval: true
  prompt_boundary:
    tool_descriptions_trusted_as_data_only: true
  secrets:
    never_in_model_context: true
  audit:
    trace_every_restricted_call: true
```

## Running example

An MCP server offers `summarize_customer` and `email_customer`. The security review lets the read tool run with scoped access, but routes the email tool through approval because it creates a customer-visible external action.
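The checklist, the review schema and the running example above describe a policy gate in prose. The following Python is an added example, not code from the original page or from any MCP project, that implements those gates locally: a server trust check (owner, TLS transport, pinned version on an allowlist), a tool classification that ignores the server's own tool descriptions, a secret-handling check that refuses credential material in model context, approval routing for write and external tools, and an audit entry for every call. The server manifest, the `crm-mcp` name, the `crm:read`/`crm:send` scopes and the argument names are constructed for illustration.

```python
"""Policy gate for MCP tool calls: local classification, scoped access,
approval for external actions, and an audit record for every call.
Added example; the server manifest, tool names and scopes are constructed."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    READ_ONLY = "read_only"
    LOCAL_MUTATION = "local_mutation"
    EXTERNAL_MUTATION = "external_mutation"
    CUSTOMER_COMMUNICATION = "customer_communication"
    SECRET_ACCESS = "secret_access"


# Risk classes whose calls stop for human approval (write_tools_require_approval /
# external_sends_require_approval in the review schema).
APPROVAL_REQUIRED = {Risk.LOCAL_MUTATION, Risk.EXTERNAL_MUTATION,
                     Risk.CUSTOMER_COMMUNICATION, Risk.SECRET_ACCESS}

# Argument names that must never reach the model context; the agent should pass a
# credential handle and a broker resolves it outside the model (secrets.never_in_model_context).
SECRET_ARG_NAMES = {"api_key", "token", "password", "secret"}

# Local tool policy: (risk class, scope the caller must hold). The server's own
# tool descriptions are deliberately not consulted for this classification.
TOOL_POLICY: dict[str, tuple[Risk, str]] = {
    "summarize_customer": (Risk.READ_ONLY, "crm:read"),
    "email_customer": (Risk.CUSTOMER_COMMUNICATION, "crm:send"),
}

# Constructed server manifest and allowlist (hypothetical server, not a real one).
SERVER = {"name": "crm-mcp", "owner": "crm-team", "version": "1.4.2", "transport": "https"}
ALLOWLIST = {("crm-mcp", "1.4.2")}

AUDIT_LOG: list[dict] = []


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_approval: bool = False
    trace_id: str = ""


def review_server(server: dict, allowlist: set[tuple[str, str]]) -> Decision:
    """Server trust gate: owner recorded, TLS transport, pinned version on the allowlist."""
    if not server.get("owner"):
        return Decision(False, "owner_missing")
    if server.get("transport") != "https":
        return Decision(False, "transport_not_tls")
    if (server.get("name"), server.get("version")) not in allowlist:
        return Decision(False, "server_not_allowlisted")
    return Decision(True, "server_allowlisted")


def authorize_call(principal: str, scopes: set[str], tool: str, args: dict,
                   approved_by: str | None = None) -> Decision:
    """Tool scope, secret handling and approval gates, with an audit record per call."""
    trace_id = uuid.uuid4().hex
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        # Unclassified tools are denied: classification happens before exposure, not after.
        decision = Decision(False, "tool_unclassified", trace_id=trace_id)
    else:
        risk, required_scope = policy
        leaked = sorted(set(args) & SECRET_ARG_NAMES)
        if leaked:
            decision = Decision(False, "secret_in_model_context:" + ",".join(leaked), trace_id=trace_id)
        elif required_scope not in scopes:
            decision = Decision(False, "scope_missing:" + required_scope, trace_id=trace_id)
        elif risk in APPROVAL_REQUIRED and approved_by is None:
            decision = Decision(False, "approval_required", requires_approval=True, trace_id=trace_id)
        else:
            decision = Decision(True, "allowed", trace_id=trace_id)
    # The audit entry carries identity, scopes, tool, risk class, the decision and the approver,
    # so a restricted call can always be traced back to the authorization that allowed it.
    AUDIT_LOG.append({
        "trace_id": trace_id, "principal": principal, "scopes": sorted(scopes),
        "tool": tool, "risk": policy[0].value if policy else None,
        "allowed": decision.allowed, "reason": decision.reason, "approved_by": approved_by,
    })
    return decision


if __name__ == "__main__":
    print(review_server(SERVER, ALLOWLIST))
    print(authorize_call("agent-7", {"crm:read"}, "summarize_customer", {"customer_id": "c-123"}))
    print(authorize_call("agent-7", {"crm:read", "crm:send"}, "email_customer",
                         {"customer_id": "c-123", "body": "Your invoice is attached."}))
    print(authorize_call("agent-7", {"crm:read", "crm:send"}, "email_customer",
                         {"customer_id": "c-123", "body": "Your invoice is attached."},
                         approved_by="alice"))
```

Run as a script, the read tool is allowed on `crm:read`, the first `email_customer` call stops with `approval_required`, and the same call with `approved_by` set is allowed; every outcome, including denials, lands in `AUDIT_LOG`. The point of keeping `TOOL_POLICY` local is that a server cannot reclassify its own tools by changing their descriptions.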

## Put it to work

Use the MCP server risk checklist above as the first version of your production gate. Replace the placeholders with your own agent names, tools, risk classes, thresholds, and approval rules. Then wire it into traces, monitoring, security review, evaluation, and human approval so it changes runtime behavior instead of sitting in a doc.

## Related control gates

- [AI Agent Control Gates: Stop Bad Agents Before They Act](/agent-control-gates/)
- [MCP Authentication: Gate Agent Access to Tools Safely](/agent-control-gates/mcp-authentication/)
- [AI Agent Security: Threat Models for Tool-Using Agents](/agent-control-gates/ai-agent-security/)
- [Human Approval for AI Agents: When Agents Should Stop](/agent-control-gates/human-approval-ai-agent/)
- [AI Agent Governance: Approval, Audit, and Eval Gates](/agent-control-gates/ai-agent-governance/)

## Frequently Asked Questions

### What is MCP security?

MCP security reviews how Model Context Protocol clients and servers expose tools, resources, credentials, and authorization flows to AI agents.

### What is the biggest MCP security mistake?

The biggest mistake is trusting tool descriptions and server-provided content as instructions. Agents should treat MCP text as data and rely on local policy for permission decisions.

### How should MCP tools be classified?

Classify tools by what they can break: read-only, local mutation, external mutation, secret access, privileged data access, deployment, payment, or customer-visible communication.

## The Takeaway

MCP security is the review of what an agent may trust, call, and expose through its tool layer.

## Sources

- [MCP security best practices](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices)
- [MCP authorization specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)
- [OWASP LLM01 prompt injection](https://genai.owasp.org/llmrisk/llm01-prompt-injection/)