Threat model
Malicious MCP server: rogue tool responses, injection in returned data. Compromised MCP client: tool calls attacker-controlled.
Advertisement
Server authentication
MCP over stdio: no network auth. MCP over SSE/HTTP: OAuth + API key. Verify server identity.
Advertisement
Injection via tool output
MCP tool returns text → LLM reads as context. Tool output attacker-controlled = indirect injection.
Least privilege
Each MCP server has scoped capabilities. Don't grant global file access to email MCP.