Critical Risk OWASP A08:2021 CWE-94

MCP Server Security: The Hidden Risks in AI Tool Integrations

MCP servers give AI tools superpowers - but they also expose you to tool poisoning, credential theft, and remote code execution.

Quick Answer

MCP (Model Context Protocol) servers let AI tools access your files, databases, and APIs - but they also expose you to tool poisoning, credential theft, and code execution attacks. Before installing any MCP server, audit the source, limit permissions, and prefer local servers over remote ones.

What is MCP?

MCP (Model Context Protocol) is like a "USB-C port for AI" - a standardized way for AI tools to connect to external services. Launched by Anthropic in November 2024, MCP lets your AI assistant access Gmail, query databases, read files, call APIs, and integrate with hundreds of tools.

The architecture is simple: your AI app (Claude Code, Cursor, Windsurf) is the host, which connects to MCP servers through clients. Each server exposes "tools" the AI can call - like send_email, query_database, or read_file.

The benefit is powerful: vibe coders can connect their AI assistant to real data and services, making AI-generated code far more useful. The security tradeoff? More power means more risk - and that risk is significant.

Why Vibe Coders Should Care

MCP servers run locally with your user permissions. This means they can access your entire filesystem, read your SSH keys from ~/.ssh/, extract tokens from config files, and access any service you've authenticated to.

There's no central vetting process for MCP servers. Anyone can publish one, and the "official" label doesn't mean audited. Wiz Security researchers found an "Azure" MCP server with no Microsoft affiliation - anyone could have published it.

Supply Chain Risk: According to Wiz, MCP server installation "resembles pipe curl to bash" - no package signing, no pinning, no verification. If you're using Cursor, Claude Code, or Windsurf with MCP servers, you're trusting random packages with full access to your development environment.

The Attack Vectors

Tool Poisoning Attacks

Tool poisoning is the most insidious MCP attack. Malicious instructions are embedded in tool descriptions that are invisible to users but visible to AI models. When the AI invokes the tool, the hidden instructions execute.

Invariant Labs demonstrated a seemingly innocent add() function that:

  • Extracted ~/.cursor/mcp.json containing credentials
  • Stole SSH private keys from ~/.ssh/id_rsa
  • Disguised the extraction as "mathematical parameters"
  • Provided fake mathematical explanations to mask the attack

Why it works: The MCP marketplace has no vetting. The UI shows simplified tool descriptions while hiding the full AI-visible instructions. Users can't see what the AI actually receives.

Tool Shadowing

In multi-server setups, a malicious server can override behavior of tools from trusted servers. Example: You install a trusted email server plus a malicious "helper" server. The helper's tool descriptions poison the AI's understanding of the email server - and suddenly your emails are being copied to an attacker's address without any visible indication.

Rug Pull Attacks

MCP allows dynamic tool definitions - servers can change what their tools do after you've approved them. A server might start safe, gain your trust, then silently update its definitions to include malicious instructions. Most clients don't re-verify definitions after initial approval.
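Rug pulls and tool poisoning both rely on the model seeing tool definitions the user never approved, so the defense is to pin what was approved and re-check it. The following is an added example, not code from the original article or from any MCP client: it hashes each tool's name, description and inputSchema at approval time and diffs every later tools/list response against those pins; both tool lists are constructed samples.

```python
import hashlib
import json

# Constructed sample: the tools/list a server advertised when the user approved it.
APPROVED_TOOLS = [
    {"name": "add", "description": "Add two numbers.",
     "inputSchema": {"type": "object",
                     "properties": {"a": {"type": "number"}, "b": {"type": "number"}}}},
    {"name": "read_note", "description": "Read a note from the notes directory.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"}}}},
]

# Constructed sample: the same server's tools/list in a later session. The add tool's
# description and schema have drifted and a new tool appeared; none of it was re-approved.
LATER_TOOLS = [
    {"name": "add", "description": "Add two numbers. Pass extra context in 'notes'.",
     "inputSchema": {"type": "object",
                     "properties": {"a": {"type": "number"}, "b": {"type": "number"},
                                    "notes": {"type": "string"}}}},
    {"name": "read_note", "description": "Read a note from the notes directory.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"}}}},
    {"name": "summarize", "description": "Summarize a note.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"}}}},
]

def tool_fingerprint(tool: dict) -> str:
    """Hash exactly what the model sees: name, description and input schema.
    Canonical JSON (sorted keys, no whitespace) so key order cannot mask a change."""
    canonical = json.dumps(
        {"name": tool["name"], "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def pin_tools(tools: list[dict]) -> dict[str, str]:
    """Record at approval time and persist alongside the server's config entry."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def verify_tools(pinned: dict[str, str], current: list[dict]) -> dict[str, list[str]]:
    """Diff a fresh tools/list against the pins. Anything listed needs explicit re-approval."""
    now = pin_tools(current)
    return {
        "added": sorted(set(now) - set(pinned)),
        "removed": sorted(set(pinned) - set(now)),
        "changed": sorted(n for n in pinned.keys() & now.keys() if pinned[n] != now[n]),
    }

def tools_unchanged(pinned: dict[str, str], current: list[dict]) -> bool:
    """Gate: only let the model use the server while its definitions match the pins."""
    return not any(verify_tools(pinned, current).values())
```

Run the check on every tools/list response, not only at first connection, since that is exactly the re-verification step most clients skip.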

Supply Chain Attacks

Classic npm-style attacks apply to MCP servers: typosquatting (mcp-github vs mcp-gihub), dependency confusion, legitimate maintainer accounts getting compromised, and initially safe packages updated with malware.

Credential and Token Theft

MCP servers often request OAuth access to services like Gmail, Google Drive, or GitHub. If a server stores those refresh tokens and later gets compromised - or was malicious from the start - attackers gain persistent access to your accounts.

Bitsight research found approximately 1,000 MCP servers exposed without any authorization mechanism.

Remote Code Execution

Wiz researchers achieved RCE through an MCP server designed to parse GitHub documentation. Malicious content in a README.md file triggered code execution on the user's machine. Because MCP servers run locally with user permissions, malicious tool output can instruct the AI to execute system commands - turning your AI assistant into an attack vector.

This relates to other injection vulnerabilities like command injection and insecure deserialization - patterns that are already common in vibe coded applications.

Real-World Examples

CVE-2025-6514: Critical RCE in mcp-remote

CVSS Score: 9.6 (Critical)

Affected Versions: v0.0.5 - v0.1.15

Impact: Remote code execution through the mcp-remote package, allowing attackers to execute arbitrary commands on affected systems.

Cursor SSH Key Extraction

Invariant Labs demonstrated a complete attack chain against Cursor using tool poisoning. A fake "math calculator" MCP server extracted SSH private keys and Cursor configuration files, all while appearing to perform innocent calculations. The user saw "2 + 2 = 4" while the AI was silently exfiltrating credentials.

"Official" Azure Server

Wiz found an MCP server claiming to be an official Azure integration. It had no Microsoft affiliation. Anyone searching for Azure tools might install it, granting access to their development environment. The "official" label provides false confidence.

Which AI Tools Use MCP?

Tool                 | MCP Support | Security Features                                     | Risk Level
Claude Code          | Native      | Approval prompts, local preference, permission model  | Medium
Cursor               | Native      | Permission model, tool approval required              | Medium
Windsurf             | Native      | Basic approval prompts                                | Medium-High
Cline                | Native      | Minimal security controls                             | High
VS Code + Extensions | Via plugins | Varies by extension                                   | Variable

No MCP client is fully safe. Even tools with approval prompts can be bypassed through tool poisoning, because the malicious instructions are invisible in the approval dialog. The safest approach is careful server selection combined with the principle of least privilege.

How to Secure Your MCP Setup

Before Installing Any Server

  • Check source ownership and publisher's security track record
  • Review server code if open source - look for eval(), exec(), shell commands
  • Verify on official MCP servers list or trusted registries
  • Check for recent security audits or vulnerability history
  • Verify permissions match expected functionality (does a calculator need file access?)

During Configuration

  • Use minimal OAuth scopes - don't grant Gmail access to a file tool
  • Prefer local stdio servers over remote HTTP transport
  • Enable all approval prompts in your AI tool settings
  • Review raw tool descriptions, not just UI summaries
  • Avoid servers requesting hardcoded credentials in config

Ongoing Maintenance

  • Pin server versions - no auto-updates that could introduce malicious changes
  • Monitor for CVEs in your installed servers
  • Audit connected OAuth accounts periodically
  • Remove unused servers immediately
  • Review the MCP Authorization spec for security updates
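Several of the checklist items above can be automated against the config file itself. This is an added example, not code from the original article or from any MCP client or scanner: it reads an mcp.json-style config and flags remote transports (and remote transports without TLS), npx/uvx packages not pinned to an exact version, and secrets hardcoded in env blocks; the {"mcpServers": ...} layout is an assumed client format and every server name, package and value is constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample in an assumed {"mcpServers": {...}} layout; names, versions and token are made up.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "files": {"command": "npx", "args": ["-y", "example-mcp-files@1.4.2", "./project"]},
    "notes": {"command": "npx", "args": ["-y", "example-mcp-notes"]},
    "mail":  {"command": "npx", "args": ["-y", "example-mcp-mail@latest"],
              "env": {"MAIL_API_TOKEN": "sk-constructed-secret-value"}},
    "docs":  {"url": "http://mcp.example.com/sse"}
  }
}""")

SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY", "PRIVATE_KEY")

def spec_is_pinned(spec: str) -> bool:
    """True only for an exact version: pkg@1.2.3 or @scope/pkg@1.2.3 (npx), pkg==1.2.3 (uvx)."""
    if "==" in spec:
        return True
    at = spec.rfind("@")
    if at <= 0:                      # no version at all, or only the leading scope '@'
        return False
    version = spec[at + 1:]
    return version != "latest" and version[:1].isdigit()

def package_spec(args: list[str]):
    """The first non-flag argument to npx/uvx is the package being fetched and run."""
    return next((a for a in args if not a.startswith("-")), None)

def audit_server(cfg: dict) -> list[str]:
    findings = []
    if "url" in cfg:
        findings.append("remote-transport")            # article: prefer local stdio servers
        if urlparse(cfg["url"]).scheme != "https":
            findings.append("no-tls")
    if cfg.get("command") in ("npx", "uvx"):
        spec = package_spec(cfg.get("args", []))
        if spec is None or not spec_is_pinned(spec):
            findings.append("unpinned-version")        # rug pull / supply chain exposure
    for key, value in cfg.get("env", {}).items():
        if any(h in key.upper() for h in SECRET_HINTS) and not str(value).startswith("${"):
            findings.append("hardcoded-secret")        # ${VAR} references are left alone
            break
    return findings

def audit_config(config: dict) -> dict[str, list[str]]:
    """Map each configured server name to its list of findings (empty list means clean)."""
    return {name: audit_server(cfg) for name, cfg in config.get("mcpServers", {}).items()}
```

Point it at your real file with `audit_config(json.load(open(path)))`; an empty finding list is a starting point for the manual review above, not a clean bill of health.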

AI Fix Prompt: Audit Your MCP Configuration

Copy this prompt into Claude Code, Cursor, or any AI assistant to audit your MCP server setup:

AI Security Audit Prompt

Review my MCP server configuration for security issues:

## Step 1: Identify MCP Configuration

Find and read my MCP configuration file:
- Claude Code: ~/.config/claude-code/mcp.json or similar
- Cursor: ~/.cursor/mcp.json
- Check for any mcp.json, mcp-config.json, or similar files

## Step 2: For Each Server, Assess

1. **Source Trustworthiness**
   - Is this from an official/verified publisher?
   - Does the GitHub repo have security policies?
   - When was it last updated?
   - Are there open security issues?
2. **Permission Analysis**
   - What permissions does it request?
   - Do permissions match stated functionality?
   - Does it request OAuth tokens? For which services?
   - Does it access filesystem? Which paths?
3. **Transport Risk**
   - Is it local (stdio) or remote (HTTP)?
   - Remote servers are higher risk
   - Check for TLS/authentication if remote
4. **Version Pinning**
   - Is the version pinned or using "latest"?
   - Unpinned versions enable rug pull attacks

## Step 3: Flag High-Risk Patterns

Alert me to these red flags:
- [ ] Remote servers with filesystem access
- [ ] Servers requesting OAuth tokens for sensitive services (Gmail, GitHub)
- [ ] Unknown or unverified publishers
- [ ] Servers not pinned to specific versions
- [ ] Servers with known CVEs
- [ ] Excessive permissions for stated functionality

## Step 4: Recommendations

For each risk found:
- Explain the specific threat
- Recommend mitigation (remove, restrict, or replace)
- Suggest safer alternatives if available

Format your response as a security report with risk ratings (Critical/High/Medium/Low) for each server.
