Why it matters

MCP servers have wide access to your LLM context. Compromised servers can steal secrets or trigger malicious actions. Understanding security is prerequisite for production.

Advertisement

The architecture

Trust boundary: MCP client is trusted (user's environment). Server may be trusted or untrusted.

Consent: client should ask user before invoking destructive tools.

MCP security layersTrusted servervetted, allowedUntrusted serversandbox + confirmUser consentfor destructive opsPrompt injection through malicious servers is a real risk; sandbox all destructive actions
Trust model.
Advertisement

How it works end to end

Sandboxing: run untrusted servers with limited system access. Container, restricted user.

Consent UI: prompt user before making changes, sending emails, or other destructive actions.

Server vetting: check server source, reputation, capabilities before allowing to run.

Prompt injection: malicious server can inject instructions into your LLM's context.