Connecting an MCP server gives your agent hands. It also gives a stranger a way in.
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Critical security analysis of MCP server connections for coding agents, directly relevant to agent orchestration and platform engineering.
Connecting an MCP server transforms a coding agent from a repo-bound reader into an active actor capable of reaching databases, APIs, and services—but this same capability introduces a critical security blind spot. The real danger isn't just the agent executing destructive commands (e.g., deleting files), but the agent being manipulated by untrusted content returned through MCP tools, where an instruction buried in an API response or database row can be indistinguishable from a user directive. Treating every MCP server return as untrusted input—like a form field from a stranger—and combining that with OS-level sandboxing (Claude Code's sandbox with Bubblewrap on Linux, Seatbelt on macOS) that restricts writes and execution, while explicitly denying read access to credentials like ~/.aws/credentials and ~/.ssh/, provides the two separate defenses needed for output and action sides.