Threat model

Malicious MCP server: rogue tool responses, injection in returned data. Compromised MCP client: tool calls attacker-controlled.

Server authentication

MCP over stdio: local child process, no network auth at all. MCP over SSE/HTTP: OAuth + API key. Verify server identity before trusting anything it returns.

Injection via tool output

MCP tool returns text → LLM reads it as context. Tool output attacker-controlled (web page, email body, file contents) = indirect prompt injection. Treat tool results as untrusted data, never as instructions.

Least privilege

Each MCP server has scoped capabilities. Don't grant global file access to email MCP.
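Added example (not from the original notes or any MCP SDK) covering both the injection and least-privilege points: a client-side gate that enforces a per-server tool and path allowlist, and wraps tool output as untrusted data while flagging instruction-like text for detection. Server names, tool names, paths and patterns are constructed for illustration.

```python
import posixpath
import re
from dataclasses import dataclass, field

# Constructed per-server policy: which tools each MCP server may expose to the
# model and which filesystem roots it may touch. Names are hypothetical.
@dataclass
class ServerPolicy:
    allowed_tools: set
    allowed_roots: list = field(default_factory=list)

POLICIES = {
    "email": ServerPolicy({"list_messages", "read_message"}),      # no file access
    "files": ServerPolicy({"read_file"}, ["/srv/docs"]),           # scoped to one root
}

def path_allowed(path, roots):
    # Normalise first so "/srv/docs/../../etc/passwd" collapses to "/etc/passwd".
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)

def authorize_call(server, tool, args):
    """Return True only if the server is known, the tool is in its allowlist,
    and any path argument stays inside the server's allowed roots."""
    policy = POLICIES.get(server)
    if policy is None or tool not in policy.allowed_tools:
        return False
    path = args.get("path")
    if path is not None and not path_allowed(path, policy.allowed_roots):
        return False
    return True

# Constructed heuristic: phrases that look like instructions to the model.
# A detection signal for logging/review, not a sanitiser.
INJECTION_PATTERNS = re.compile(
    r"ignore (all |any )?(previous|prior|above) instructions|"
    r"you are now|system prompt|do not tell the user", re.I)

def wrap_tool_output(server, tool, text):
    """Wrap a tool result in explicit untrusted-data delimiters and report
    whether it contains instruction-like text. Returns (wrapped, flagged)."""
    flagged = INJECTION_PATTERNS.search(text) is not None
    wrapped = (f"<tool_result server={server!r} tool={tool!r} trusted=false>\n"
               f"{text}\n</tool_result>")
    return wrapped, flagged
```

Log every flagged result together with the server and tool name; a rogue or compromised server shows up as a cluster of flags from one source.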