Promising seamless interoperability, MCP allows any compliant AI system to tap into diverse systems—from file storage to business applications—through locally or remotely hosted connectors. Microsoft describes MCP as the “USB‑C for AI apps”, embedded now in Windows via its new AI Foundry, promising natural‑language control over file systems and settings. Enterprise security platforms like Opal and CData have launched MCP server frameworks, emphasising secure governance, access control, and auditability for AI agents.
Despite its potential to accelerate low‑code automation and reduce integration overhead, MCP’s maturing ecosystem faces growing pains. A study by n8n warned that the protocol’s immaturity, security inconsistencies and backward compatibility issues could undermine low‑code workflows if left unchecked. Enthusiasts concede that without standardized authentication, encryption and integrity checks, MCP could do more harm than good.
Security researchers have now identified significant flaws. Backslash Security’s report revealed two critical weaknesses—dubbed “NeighborJack” and OS injection—that affect thousands of poorly configured MCP servers, enabling attackers on local networks to gain control or execute arbitrary commands. A coordinated disclosure also highlighted a defect in the popular mcp‑remote tool registered as CVE‑2025‑6514, patched in version 0.1.16, marking a critical CVSS score of 9.6.
Further investigations have exposed additional attack vectors: prompt injection via tool descriptions, shadowing of trusted calls, tool poisoning, naming‑based subterfuge and preference‑manipulation attacks by third‑party MCP servers. High‑profile academic work has reinforced these concerns; one audit demonstrates how malicious actors can coerce LLMs to exploit MCP servers and execute system‑level commands, prompting the development of tools like MCPSafetyScanner to pre‑emptively screen vulnerabilities. Another position paper warns of safety threats from third‑party MCP services that may operate with conflicting incentives.
Against this backdrop, security and developer communities are actively proposing solutions. Microsoft’s Windows implementation includes a controlled MCP registry, explicit user consent, and stringent server guidelines. Meanwhile, academic researchers and open‑source initiatives are advocating extensions such as cryptographic tool identity, immutable tool versions, OAuth‑based definitions and policy‑oriented access control to prevent tool squatting and “rug‑pull” assaults.
Proponents argue that with proper security layers, MCP remains transformative. Opal emphasises its protocol’s potential to simplify AI‑agent access governance and reduce attack surfaces, supporting dynamic permissions and audits across complex workflows. Analysts from Gartner and others underscore agent‑based AI’s promise—forecasting widespread adoption within years—while flagging that trusted autonomy and oversight remain paramount.
Use‑cases range from enterprise assistants that query CRMs and incident systems to development tools that integrate with IDEs and code repositories. MCP is becoming central to bridging fragmented systems, allowing AI assistants to span databases, file stores and internal platforms in a unified ecosystem.
Conversations within engineering and security teams now centre on pragmatic risk management: combining runtime monitoring, per‑agent access controls, human‑in‑the‑loop authorisation, comprehensive audit logging, and proactive vulnerability scanning. Some organisations are proceeding cautiously, deploying MCP gradually with tight guardrails. Others are accelerating adoption but pairing it with tools like MCPSafetyScanner and instituting explicit consent and token validation before agents can operate.
