MCP: The Protocol That Connects AI to Everything
The Model Context Protocol (MCP) is an open standard that allows LLMs to connect to external data sources and tools. In practice, this means your AI agent can read your database, query your internal APIs, access your files, and execute actions via MCP servers.
This is powerful. It is also a considerable attack surface.
Architecture of an MCP Connection
A typical MCP deployment includes three components: the host application that embeds the LLM (a chat client, an IDE, an agent runtime), the MCP client that the host creates for each server connection, and the MCP server that fronts a data source or a set of tools.
The MCP server declares the tools it offers (functions, each with a JSON Schema describing its parameters) and the resources it exposes (readable data). The client forwards these descriptions to the LLM, which decides what to call; the client then relays the call to the server and returns the result into the model's context. Every link in that chain is a place where trust is assumed rather than enforced.
The 7 Critical Audit Points
1. MCP Server Authentication
Who can connect to the MCP server? Servers using the stdio transport run as a child process of the host and inherit its privileges, so the host's own access controls are all that stand between a local attacker and the tools. Servers using the HTTP transports (SSE or Streamable HTTP) listen on a port, and many community servers bind to localhost with no authentication at all. Any process on the same machine can then connect and invoke every tool, and a web page open in a browser can do the same through DNS rebinding if the server does not validate the Origin header.
Check: does the MCP server require a token or certificate for each connection? For HTTP transports, is the OAuth 2.1 authorization flow that the MCP specification defines in place (or at least a per-client bearer token), and is the Origin header validated against an allowlist?
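The two checks above, as an added example (not code from the original article or from any MCP implementation): a connection gate for an HTTP-based MCP server that validates the Origin header against an allowlist and compares a bearer token in constant time. The allowed origins, the token value and the sample requests are constructed for the example; a real server would load them from configuration.

```python
import hmac

# Constructed policy for this example: origins that may open a connection to
# a locally bound MCP HTTP endpoint, and the shared secret the host presents.
ALLOWED_ORIGINS = frozenset({"http://localhost:6274", "http://127.0.0.1:6274"})
EXPECTED_TOKEN = "c0ffee-example-token"  # constructed; load from config in practice


def authorize_request(headers: dict, expected_token: str = EXPECTED_TOKEN) -> tuple:
    """Gate one HTTP request to an MCP server. Returns (allowed, reason).

    Two checks that a server bound to 127.0.0.1 still needs:
    1. Origin allowlist. A browser tab on any site can issue requests to
       127.0.0.1 (DNS rebinding), so an unexpected Origin is rejected.
       Non-browser clients send no Origin header; that case is accepted here.
    2. Bearer token, compared in constant time so a local attacker cannot
       recover it byte by byte from response timing.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"

    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False, "missing bearer token"
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "bad token"
    return True, "ok"


# Constructed sample requests, as the gate would see them.
SAMPLE_REQUESTS = {
    "host_app": {"Authorization": f"Bearer {EXPECTED_TOKEN}"},
    "rebinding_page": {"Origin": "https://attacker.example",
                       "Authorization": f"Bearer {EXPECTED_TOKEN}"},
    "local_process_no_token": {},
    "guessed_token": {"Authorization": "Bearer admin"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label:24s} -> {authorize_request(hdrs)}")
```

The rebinding case is the one that surprises people: the attacker's page carries a valid token only if it has already stolen one, but without the Origin check a page that obtained the token (for example from a leaked config file) has the same reach as the host application.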
2. Tool Permissions
Each tool exposed by the MCP server has a risk level. A tool that reads data is less dangerous than one that writes or deletes. MCP lets a server annotate its tools (readOnlyHint, destructiveHint), but the specification treats these annotations as untrusted hints from the server, not as an enforced permission model, and most servers do not set them at all. The distinction therefore has to be made and enforced on the host side.
Check: are tools categorized by risk level on the host, independently of what the server claims about itself? Do destructive actions require explicit, per-call confirmation from a human?
3. Parameter Validation
The LLM generates the function call parameters, and the LLM is not a trusted party: its output can be steered by prompt injection in any content it has read (a web page, a document, a previous tool result). Parameters must therefore be treated as attacker-controlled input. They can carry SQL injection payloads, path traversal sequences (../../etc/passwd), or out-of-range values. The inputSchema a tool publishes describes the parameters; nothing in the protocol guarantees that the client enforced it before the call reached the server.
Check: does the MCP server validate every parameter itself, against a strict schema (types, bounds, lengths, no unknown fields), before the tool handler touches it?
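Server-side validation for a read_file tool, as an added example (not code from the original article or from any MCP SDK). It applies a strict schema check to the arguments and then confines the requested path to a sandbox directory, rejecting both traversal sequences and absolute paths. The sandbox root, the schema and the sample calls are constructed for the example.

```python
from pathlib import Path

# Constructed sandbox root: the only directory the read_file tool may touch.
SANDBOX_ROOT = Path("/srv/mcp-files")

# Constructed tool schema, in the JSON Schema shape MCP uses for inputSchema.
READ_FILE_SCHEMA = {
    "type": "object",
    "required": ["path", "max_bytes"],
    "additionalProperties": False,
    "properties": {
        "path": {"type": "string", "maxLength": 255},
        "max_bytes": {"type": "integer", "minimum": 1, "maximum": 1_000_000},
    },
}


class ToolArgumentError(ValueError):
    """Raised for any argument the server refuses; the message goes back to the model."""


def validate_args(args, schema):
    """Minimal JSON-Schema-style check: unknown keys, missing keys, wrong
    types, over-long strings and out-of-range integers are all rejected."""
    if not isinstance(args, dict):
        raise ToolArgumentError("arguments must be an object")
    props = schema["properties"]
    if not schema.get("additionalProperties", True):
        extra = sorted(set(args) - set(props))
        if extra:
            raise ToolArgumentError(f"unexpected argument(s): {extra}")
    for name in schema.get("required", []):
        if name not in args:
            raise ToolArgumentError(f"missing argument: {name}")
    for name, value in args.items():
        spec = props.get(name)
        if spec is None:
            continue  # only reachable when additionalProperties is allowed
        if spec["type"] == "string":
            if not isinstance(value, str):
                raise ToolArgumentError(f"{name} must be a string")
            if len(value) > spec.get("maxLength", len(value)):
                raise ToolArgumentError(f"{name} exceeds maxLength")
        elif spec["type"] == "integer":
            # bool is a subclass of int in Python, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, int):
                raise ToolArgumentError(f"{name} must be an integer")
            lo, hi = spec.get("minimum", value), spec.get("maximum", value)
            if not lo <= value <= hi:
                raise ToolArgumentError(f"{name} out of range [{lo}, {hi}]")
    return args


def resolve_inside(root: Path, user_path: str) -> Path:
    """Confine a model-supplied path to root. An absolute user_path replaces
    root when joined, and '..' segments are collapsed by resolve(); both end
    up outside root and are rejected by relative_to()."""
    if "\x00" in user_path:
        raise ToolArgumentError("NUL byte in path")
    root_resolved = root.resolve()
    candidate = (root_resolved / user_path).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise ToolArgumentError(f"path escapes sandbox: {user_path!r}") from None
    return candidate


def vet_read_file_call(args) -> tuple:
    """Server-side gate for a read_file call. Returns (ok, detail): the
    confined absolute path on success, the refusal message otherwise."""
    try:
        validate_args(args, READ_FILE_SCHEMA)
        return True, str(resolve_inside(SANDBOX_ROOT, args["path"]))
    except ToolArgumentError as e:
        return False, str(e)


# Constructed calls, as an LLM might generate them (only the first is legitimate).
SAMPLE_CALLS = [
    {"path": "reports/q1.txt", "max_bytes": 4096},
    {"path": "../../etc/passwd", "max_bytes": 4096},
    {"path": "/etc/passwd", "max_bytes": 4096},
    {"path": "reports/q1.txt", "max_bytes": 0},
    {"path": "reports/q1.txt", "max_bytes": 4096, "follow_symlinks": True},
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call, "->", vet_read_file_call(call))
```

The refusal messages are returned to the model on purpose: a clear error lets a legitimate agent correct its call, while the path itself never gets opened. Note that resolve() also follows symlinks, so a link inside the sandbox that points outside it is caught by the same relative_to() check.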
4. Data Access Scope
An MCP server connected to PostgreSQL reads whatever its database role can read. If that role is the application's own account, every table is one tool call away, including tables the agent has no reason to see. The principle of least privilege requires a dedicated role limited to the necessary tables and columns (column-level GRANTs or views), with write privileges only where a tool genuinely needs them.
Check: does the MCP server connect with a dedicated database user restricted to the required tables, columns, or views, and read-only unless a specific tool requires writes?
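The scoped-access pattern, as an added example that is not part of the original article or of any MCP server project. It uses SQLite so it runs offline: a read-only connection (mode=ro) stands in for a dedicated read-only database role, a view stands in for column-level grants, and the tool allowlists the relations it will name. The tables, rows and package name are constructed. On PostgreSQL the equivalent is a dedicated role with `GRANT SELECT (id, email) ON customers TO mcp_reader;` (or a view) and no INSERT/UPDATE/DELETE privileges.

```python
import sqlite3
import tempfile
from pathlib import Path

# The only relation the query tools may name. payment_cards and the raw
# customers table stay unreachable no matter what the model asks for.
ALLOWED_TABLES = frozenset({"customers_public"})


def build_demo_db(path: Path) -> None:
    """Constructed sample data: sensitive tables plus the one view exposed to MCP."""
    rw = sqlite3.connect(path)
    try:
        rw.executescript("""
            CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, ssn TEXT);
            CREATE TABLE payment_cards(id INTEGER PRIMARY KEY, pan TEXT);
            INSERT INTO customers VALUES (1, 'alice@example.com', '111-22-3333');
            INSERT INTO customers VALUES (2, 'bob@example.com', '444-55-6666');
            INSERT INTO payment_cards VALUES (1, '4111111111111111');
            CREATE VIEW customers_public AS SELECT id, email FROM customers;
        """)
        rw.commit()
    finally:
        rw.close()


def open_readonly(path: Path) -> sqlite3.Connection:
    """Stand-in for connecting as a dedicated read-only database role."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def find_customers(conn, email_pattern: str) -> list:
    # Bound parameter: the model-supplied pattern is data, never SQL text.
    return conn.execute(
        "SELECT id, email FROM customers_public WHERE email LIKE ?",
        (email_pattern,),
    ).fetchall()


def count_rows(conn, table: str) -> int:
    # Identifiers cannot be bound, so table names go through an allowlist.
    if table not in ALLOWED_TABLES:
        raise PermissionError(f"table not exposed via MCP: {table}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


def attempt_write(conn) -> str:
    """What a model-generated mutation gets back on the read-only connection."""
    try:
        conn.execute("DELETE FROM customers")
        return "write succeeded"
    except sqlite3.OperationalError as e:
        return f"refused: {e}"


def run_demo() -> dict:
    """Build the database in a temp dir, exercise the tools, return the results."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "crm.sqlite"
        build_demo_db(db)
        conn = open_readonly(db)
        try:
            try:
                count_rows(conn, "payment_cards")
                cards = "exposed"
            except PermissionError:
                cards = "blocked"
            return {
                "alice": find_customers(conn, "alice%"),
                "injection": find_customers(conn, "%' OR '1'='1"),
                "public_rows": count_rows(conn, "customers_public"),
                "payment_cards": cards,
                "write": attempt_write(conn),
            }
        finally:
            conn.close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:14s} {value}")
```

Two layers do the work: the allowlist stops the tool from naming payment_cards at all, and the read-only connection stops a write even if a future tool forgets the allowlist. The injection attempt returns nothing because the quote characters are bound as part of the LIKE pattern rather than parsed as SQL.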
5. Action Logging
Every tool call via MCP must be logged with context: which user, which session, which prompt produced the call, which tool, which parameters, and what the result was (or at least its size and a digest, if the payload is too sensitive or too large to store). Denied calls and handler errors belong in the log as much as successful ones; an investigation usually starts from what the agent tried to do.
Check: are MCP logs complete, correlated with the originating prompt, protected from modification by the agent itself, and retained long enough to support an investigation?
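Audit points 2 and 5 are two halves of the same component, a gateway between the model's tool call and the handler, so one added example serves both (it is not code from the original article or from any MCP host). The gateway enforces host-side risk tiers, requires a per-call human confirmation for destructive tools, and writes one structured JSON record per call whether it was executed, denied or failed. The tools, users and call sequence are constructed for the example; the `log_sink` callable stands in for an append-only log the agent cannot modify.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Risk tiers a tool is registered with on the host. The server's own
# annotations (readOnlyHint, destructiveHint) are hints; this tier is the
# host's decision.
READ, WRITE, DESTRUCTIVE = "read", "write", "destructive"


@dataclass(frozen=True)
class Tool:
    name: str
    risk: str
    handler: object  # callable taking keyword arguments


@dataclass
class CallContext:
    user: str
    session: str
    prompt_id: str           # links the call to the prompt that produced it
    confirmed: bool = False  # set by the host only after a human approved this call


class ToolGateway:
    """Sits between the LLM's tool call and the handler: enforces the tier
    policy, then writes one audit record per call, allowed or not."""

    def __init__(self, tools, log_sink):
        self._tools = {t.name: t for t in tools}
        self._log = log_sink  # callable receiving one JSON line

    def call(self, ctx: CallContext, name: str, args: dict) -> dict:
        record = {
            "ts": time.time(), "user": ctx.user, "session": ctx.session,
            "prompt_id": ctx.prompt_id, "tool": name, "args": args,
        }
        tool = self._tools.get(name)
        if tool is None:
            return self._finish(record, "denied", "unknown tool")
        record["risk"] = tool.risk
        if tool.risk == DESTRUCTIVE and not ctx.confirmed:
            return self._finish(record, "denied", "destructive tool requires confirmation")
        try:
            result = tool.handler(**args)
        except Exception as e:  # a handler failure is audited, not silently swallowed
            return self._finish(record, "error", f"{type(e).__name__}: {e}")
        # Log a digest and size of the result rather than the payload: the
        # record stays bounded and does not copy sensitive data into the log,
        # while the hash still lets an investigator match what the model saw.
        blob = json.dumps(result, sort_keys=True, default=str).encode()
        record["result_sha256"] = hashlib.sha256(blob).hexdigest()
        record["result_bytes"] = len(blob)
        self._finish(record, "executed", "ok")
        return {"ok": True, "result": result}

    def _finish(self, record, decision, detail):
        record["decision"], record["detail"] = decision, detail
        self._log(json.dumps(record, sort_keys=True, default=str))
        return {"ok": decision == "executed", "detail": detail}


# Constructed handlers standing in for real MCP tools.
USERS = {}

def list_users():
    return sorted(USERS.values())

def delete_user(user_id: str):
    return {"deleted": USERS.pop(user_id)}


def run_demo() -> list:
    """Exercise the gateway and return the parsed audit log."""
    USERS.clear()
    USERS.update({"u1": "alice", "u2": "bob"})
    log = []
    gw = ToolGateway(
        [Tool("list_users", READ, list_users), Tool("delete_user", DESTRUCTIVE, delete_user)],
        log.append,
    )
    ctx = CallContext(user="alice@example.com", session="s-42", prompt_id="p-7")
    gw.call(ctx, "list_users", {})
    gw.call(ctx, "delete_user", {"user_id": "u2"})  # denied: no confirmation
    gw.call(ctx, "drop_database", {})               # denied: not registered
    ctx.confirmed = True
    gw.call(ctx, "delete_user", {"user_id": "u2"})  # executed after approval
    return [json.loads(line) for line in log]


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["decision"], entry["tool"], entry["detail"])
```

The confirmation flag lives in the call context, not on the tool, so approval is per call: approving one deletion does not pre-approve the next.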
6. Transport Security
Data transits between the MCP client and server. With the HTTP transports, an unencrypted connection exposes every request and response (potentially containing database rows, file contents, or credentials) to anyone on the path. With stdio, the channel is a pair of pipes between two processes on the same host, so the question becomes which other processes and users can read or replace those pipes, and what the server process itself can reach.
Check: does every HTTP transport use TLS? Are stdio servers launched as subprocesses with only the privileges, environment variables, and working directory they need?
7. Updates and Provenance
Community MCP servers are often installed via npm or pip, and many host configurations launch them with npx -y or uvx, which fetch the package from the registry at every start. Like any dependency, they can be compromised: a hijacked maintainer account or a malicious update ships straight into the process that holds your database credentials.
Check: is the MCP server's provenance verified (source reviewed, version pinned, lockfile or hashes used, maintainer known)? Are updates audited before they reach production rather than pulled automatically at launch?
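A static check for the provenance point, as an added example that is not part of the original article or of any MCP tooling. It scans a host configuration in the common mcpServers layout (command plus args per server) and flags servers launched through npx or uvx/pipx without an exact version pin. The configuration and the package names (@example/server-files, example-mcp-git) are constructed for the example.

```python
import json
import re

SEMVER_PIN = re.compile(r"^\d+\.\d+\.\d+$")


def npm_spec_is_pinned(spec: str) -> bool:
    """True for name@1.2.3 (scoped packages included); False for bare names,
    ranges such as ^1.2.0 and dist-tags such as @latest."""
    body = spec[1:] if spec.startswith("@") else spec  # skip the scope marker
    if "@" not in body:
        return False
    return bool(SEMVER_PIN.match(body.rsplit("@", 1)[1]))


def first_positional(args: list):
    """The package argument: the first arg that is not a flag."""
    return next((a for a in args if not a.startswith("-")), None)


def audit_mcp_config(config: dict) -> list:
    """Return (server, finding) pairs for launch commands that fetch code
    from a registry at start-up without pinning what they fetch."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        cmd, args = spec.get("command", ""), spec.get("args", [])
        if cmd == "npx":
            pkg = first_positional(args)
            if pkg is None:
                findings.append((name, "npx without a package argument"))
            elif not npm_spec_is_pinned(pkg):
                findings.append((name, f"npx resolves {pkg} from the registry at every "
                                       f"launch; pin an exact version"))
        elif cmd in ("uvx", "pipx"):
            pkg = first_positional(args)
            if pkg is None or "==" not in pkg:
                findings.append((name, f"{cmd} installs {pkg} unpinned; use name==x.y.z"))
        # Anything else (an absolute path to a reviewed build, a container with
        # a digest) is outside this check's scope and is left alone.
    return findings


# Constructed host configuration: two unpinned launches, two pinned, one local build.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "files":        {"command": "npx", "args": ["-y", "@example/server-files", "/srv/docs"]},
    "files-pinned": {"command": "npx", "args": ["-y", "@example/server-files@1.4.2", "/srv/docs"]},
    "git":          {"command": "uvx", "args": ["example-mcp-git"]},
    "git-pinned":   {"command": "uvx", "args": ["example-mcp-git==0.6.2"]},
    "crm":          {"command": "/opt/mcp/bin/crm-server", "args": []}
  }
}
""")

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

A pin is the minimum, not the goal: npx still downloads the pinned version from the registry on each launch, so a compromised registry entry for that exact version would still run. The stronger posture is to install once from a reviewed lockfile (npm ci, or pip with --require-hashes), review the source at that version, and point the host at the local install.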
Conclusion
MCP is becoming the standard connection protocol for AI agents. Auditing the security of these connections is as important as auditing your REST APIs. CleanIssue integrates MCP server analysis into its AI application audits.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.