Why it matters
MCP servers have wide access to your LLM context. Compromised servers can steal secrets or trigger malicious actions. Understanding security is prerequisite for production.
Advertisement
The architecture
Trust boundary: MCP client is trusted (user's environment). Server may be trusted or untrusted.
Consent: client should ask user before invoking destructive tools.
Advertisement
How it works end to end
Sandboxing: run untrusted servers with limited system access. Container, restricted user.
Consent UI: prompt user before making changes, sending emails, or other destructive actions.
Server vetting: check server source, reputation, capabilities before allowing to run.
Prompt injection: malicious server can inject instructions into your LLM's context.