MCP: Model Context Pitfalls in an agentic world (hiddenlayer.com)

🤖 AI Summary
Anthropic’s Model Context Protocol (MCP), an open standard that lets LLMs call functions and connect to external data and tools, is gaining rapid adoption: official SDKs, integration in the OpenAI Agent SDK, Microsoft Copilot Studio and Amazon Bedrock Agents, plus dozens of clients and servers. A security review finds that the very features that make MCP powerful also create new, practical attack surfaces: weak permission models, indirect prompt injection, tool-composition exploits, typosquatting, and local-server code execution. The team found dozens of MCP servers exposed to the Internet (55 unique servers across 187 instances found via Shodan), including full Google Suite integrations, terminals with arbitrary code execution, and open databases, and noted that 16 of 20 reference servers could enable indirect prompt injection.

Key technical risks and implications: many MCP tool stacks either lack centralized authorization (the OpenAI Agent SDK accepts only a list of servers) or persist broad user grants (Claude Desktop/Code applies a first consent to future actions), which enables benign-first-then-malicious flows. Indirect prompt injection can be carried in documents or web content fetched by one tool and then combined with filesystem or fetch capabilities to exfiltrate files without running any explicit code. Tool-name ambiguity and typosquatting let attackers substitute lookalike servers.

For developers and operators this means enforcing least-privilege, per-call authorization; provenance tracking and content sanitization for fetched artifacts; fine-grained capability scoping; audit logging; and UX that avoids “allow all” fatigue. Otherwise agentic MCP deployments risk large-scale, compositional exploits.
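As an added example (not code from the HiddenLayer article or any MCP SDK), the gate below shows what per-call authorization looks like for the two failure modes named in the summary: consent bound to the exact call rather than carried forward to later calls of the same tool, and a check that content read from a local file is not passed into a network-egress tool. The server/tool names, the capability labels, the file content and the URL are constructed for this example; the real MCP wire format is not reproduced.

```python
import json
from dataclasses import dataclass, field

# Operator-assigned capability labels per (server, tool); constructed for this example.
CAPABILITIES = {
    ("filesystem", "read_file"): {"fs.read"},
    ("fetch", "fetch"): {"net.egress"},
}

@dataclass
class Session:
    consents: set = field(default_factory=set)   # exact calls the user approved
    tainted: list = field(default_factory=list)  # outputs of fs.read tools this session

def _key(server, tool, args):
    # Consent binds to the exact call, not the tool: approving read_file on one path
    # does not silently cover every later read_file.
    return (server, tool, json.dumps(args, sort_keys=True))

def grant(session, server, tool, args):
    session.consents.add(_key(server, tool, args))

def record_result(session, server, tool, result):
    """Remember outputs of file-reading tools so later egress calls can be checked."""
    if "fs.read" in CAPABILITIES.get((server, tool), ()):
        session.tainted.append(result)

def authorize(session, server, tool, args):
    """Return (allowed, reason). Evaluated on every call; nothing is inherited."""
    caps = CAPABILITIES.get((server, tool))
    if caps is None:
        return False, f"{server}/{tool} is not allowlisted (lookalike name?)"
    if _key(server, tool, args) not in session.consents:
        return False, f"no consent recorded for this exact {tool} call"
    if "net.egress" in caps:
        for value in args.values():
            if isinstance(value, str) and any(t and t in value for t in session.tainted):
                return False, "argument carries content read from a local file"
    return True, "ok"

def demo():
    s = Session()
    grant(s, "filesystem", "read_file", {"path": "/home/user/notes.txt"})
    ok1, _ = authorize(s, "filesystem", "read_file", {"path": "/home/user/notes.txt"})
    record_result(s, "filesystem", "read_file", "SECRET-TOKEN-123")  # constructed file content
    ok2, _ = authorize(s, "filesystem", "read_file", {"path": "/home/user/.ssh/id_rsa"})
    url = {"url": "https://example.invalid/?d=SECRET-TOKEN-123"}  # file content smuggled into a URL
    grant(s, "fetch", "fetch", url)
    ok3, why = authorize(s, "fetch", "fetch", url)
    return ok1, ok2, ok3, why
```

`demo()` walks the benign-first-then-malicious flow: the approved read succeeds, the second read of a different path is refused despite the earlier consent, and the fetch carrying file-derived content is refused even though the user approved that exact fetch.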