Risks in turning AI chatbots into AI agents (privacyinternational.org)

AI chatbots are being turned into autonomous “agents” by giving them connectors—most notably via the Model Context Protocol (MCP)—that let models call tiny, pluggable services to read and write your calendars, files, emails and third‑party accounts. MCP standardizes tool-like operations (e.g., “retrieve event”, “create event”) and uses context streaming and microservices to handle multiple providers, simplifying integration and boosting utility in products like ChatGPT and Claude. Technically, MCP separates credentials from tools, but still exposes sensitive data and expands the attack surface beyond traditional APIs. That expansion is the problem: connectors combine app‑permission style consent with full third‑party access, and consent fatigue makes users likely to grant broad, persistent permissions. Known attack vectors—prompt injection, malicious files or calendar invites—have already shown how a connected file or invite can manipulate an agent to leak emails or other secrets. Industry fixes so far (watch modes, user confirmations, prompt‑injection monitors) push the burden onto users and UIs, which is unrealistic and insufficient. The takeaway for AI/ML practitioners and product teams: MCP-like tooling is powerful but unsafe by default—secure-by-design mitigations, clearer responsibility models, and hardened prompt‑injection defenses are essential before widespread agent deployment.