Dennis Traub
dtraub.bsky.social
Software Engineer and Developer Advocate at AWS, exploring the impact of AI, new skills we need to learn, and how to keep up with its pace without going insane.
If you're deploying MCP in production, treat it like you're installing random software from the internet.

Because - again - that's exactly what you're doing.
June 1, 2025 at 6:09 PM
That "productivity tool" that helps manage your GitHub repos? It can also read your SSH keys, access your cloud credentials, and exfiltrate your entire codebase.
June 1, 2025 at 6:09 PM
Bottom line: When your AI assistant in Claude or Cursor connects to an MCP server via stdio, you're essentially giving that server the same permissions you have on your system.
June 1, 2025 at 6:09 PM
When you run `npx -y @some-org/mcp-server-tool`, you're:

- Executing arbitrary code with your permissions
- Trusting an unvetted supply chain
- Granting network and filesystem access
- Bypassing traditional security controls
June 1, 2025 at 6:08 PM
MCP's stdio transport was designed for developer convenience, not enterprise security.

Unlike remote MCP servers that run on external infrastructure, stdio servers execute directly on your local machine where you're running Claude Desktop, Cursor, or other MCP clients.
June 1, 2025 at 6:08 PM
What MCP security actually requires:

- Treating every server as potential malware
- Implementing application-level sandboxing
- Auditing every tool description for hidden instructions
- Zero-trust model for all MCP interactions
June 1, 2025 at 6:08 PM
Myth 3: "Trusted sources guarantee safety"

Even legitimate packages can be compromised through:

- Supply chain attacks
- Typosquatting
- Dependency confusion
June 1, 2025 at 6:07 PM
Myth 2: "Human oversight prevents attacks"

Here's why this is a faulty belief:

- Hidden Unicode instructions bypass visual inspection
- Users lack expertise to spot malicious command modifications
- Consent fatigue leads to automatic approval
June 1, 2025 at 6:07 PM
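The "hidden Unicode instructions" point above and the "audit every tool description" item in the later post both come down to the same check, so here is one added example that covers both (my code, not Dennis Traub's, and not part of any MCP client). It takes the list of tools a server advertises, in the name/description shape the MCP tools/list result uses, and flags characters that do not render or that look like ASCII but are not: invisible format characters (zero-width spaces, bidi overrides, the U+E0000 tag block), private-use or unassigned code points, and anything whose NFKC form differs (mathematical monospace or fullwidth letters, like the ones in the JSON quoted further down). Tag-block runs are also decoded so a reviewer sees what the invisible text says. The sample tool list is constructed for the example.

```python
"""Scan MCP tool names and descriptions for hidden or disguised Unicode.

Added example, not from the original posts. The tools/list shape (a list of
objects with "name" and "description") is assumed from the MCP spec; the
sample payload below is constructed.
"""
import unicodedata

TAG_BASE = 0xE0000  # U+E0020..U+E007E mirror printable ASCII 0x20..0x7E


def _tag(text):
    """Encode ASCII as tag-block characters (used only to build the sample)."""
    return "".join(chr(TAG_BASE + ord(c)) for c in text)


# Constructed tools/list payload: one clean tool and one whose name is written
# in mathematical monospace letters ('merge') and whose description ends in a
# zero-width space followed by tag-encoded text that never renders.
SAMPLE_TOOLS = [
    {"name": "list_repos", "description": "List the repositories you can access."},
    {"name": "\U0001d696\U0001d68e\U0001d69b\U0001d690\U0001d68e",
     "description": "Merge a pull request.\u200b" + _tag("invisible text here")},
]


def scan_text(text):
    """Return (index, codepoint, reason) for every suspicious character."""
    findings = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        folded = unicodedata.normalize("NFKC", ch)
        if cat == "Cf":
            findings.append((i, f"U+{ord(ch):04X}", "invisible format character"))
        elif cat in ("Co", "Cn"):
            findings.append((i, f"U+{ord(ch):04X}", "private-use or unassigned"))
        elif ord(ch) > 0x7F and folded != ch:
            # Compatibility variants (math alphanumerics, fullwidth forms) that
            # display like ordinary letters but compare unequal to them.
            findings.append((i, f"U+{ord(ch):04X}", f"looks like {folded!r}"))
    return findings


def decode_tags(text):
    """Recover the ASCII hidden in a run of tag-block characters, if any."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)


def scan_tools(tools):
    """Map each tool (by its NFKC-folded name) to a list of human-readable issues."""
    report = {}
    for tool in tools:
        issues = []
        for field in ("name", "description"):
            for idx, cp, reason in scan_text(tool.get(field, "")):
                issues.append(f"{field}[{idx}] {cp}: {reason}")
        hidden = decode_tags(tool.get("description", ""))
        if hidden:
            issues.append(f"tag-encoded text: {hidden!r}")
        report[unicodedata.normalize("NFKC", tool["name"])] = issues
    return report


if __name__ == "__main__":
    for name, issues in scan_tools(SAMPLE_TOOLS).items():
        print(name, "->", issues or ["clean"])
```

Run it against the tool list your client receives before approving any tool call. The NFKC check catches compatibility look-alikes only; cross-script homoglyphs (a Cyrillic letter standing in for a Latin one) need a separate confusables table, so treat a clean result as "nothing obvious", not as proof of safety.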
Here are 3 myths about MCP you need to immediately stop believing:

Myth 1: "MCP servers are just APIs"

Unlike REST APIs, stdio MCP servers execute on your local machine with full system permissions. They're not services - they're programs running alongside your AI assistant.
June 1, 2025 at 6:07 PM
You've just told Claude to download and execute arbitrary code with your full user permissions.
June 1, 2025 at 6:06 PM
Most MCP servers use stdio mode, which means the server runs locally on your machine, not remotely.

Here's what happens when you add this to your Claude Desktop config:

{
  "mcpServers": {
    "some-tool": {
      "command": "npx",
      "args": ["-y", "@some-org/mcp-server-tool"]
    }
  }
}
June 1, 2025 at 6:06 PM
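To see which entries in a config like the one above actually hand a downloaded package your user permissions, here is an added example (my code, not the author's and not any MCP client's own feature). It parses a Claude Desktop-style mcpServers object and, for each entry, notes whether it is a stdio server (has a "command"), whether the command is a package runner such as npx or uvx that fetches and executes code at launch, whether "-y" suppresses the install prompt, and whether the package version is pinned. The config below is constructed for the example; the "url" entry assumes the remote-server shape some clients use.

```python
"""Audit an MCP client config for stdio servers that download and run code.

Added example, not from the original posts. The config shape follows the
Claude Desktop "mcpServers" object quoted in the thread; the sample is
constructed and the "url" entry is an assumed remote-server form.
"""
import json
import os

# Package runners that fetch a package and execute it at launch time.
RUNNERS = {"npx", "uvx", "pipx", "bunx"}

SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "some-tool": {"command": "npx", "args": ["-y", "@some-org/mcp-server-tool"]},
        "pinned-tool": {"command": "npx", "args": ["-y", "@some-org/mcp-server-tool@1.4.2"]},
        "local-tool": {"command": "/usr/local/bin/mcp-files", "args": ["--root", "/srv/data"]},
        "remote-tool": {"url": "https://mcp.example.test/sse"},
    }
})


def package_arg(args):
    """First non-flag argument, i.e. the package spec handed to the runner."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def is_pinned(spec):
    """True if the spec names an exact version: npm 'pkg@1.2.3' or PyPI 'pkg==1.2.3'."""
    if spec is None:
        return False
    name = spec[1:] if spec.startswith("@") else spec  # skip the npm scope marker
    if "==" in name:
        version = name.split("==", 1)[1]
    elif "@" in name:
        version = name.split("@", 1)[1]
    else:
        version = ""
    return bool(version) and version != "latest"


def audit_config(text):
    """Map each server name to a list of risk notes; empty means no local process."""
    config = json.loads(text)
    findings = {}
    for name, entry in config.get("mcpServers", {}).items():
        notes = []
        command = entry.get("command")
        args = entry.get("args", [])
        if command is not None:
            notes.append("stdio: runs as a local process with your user permissions")
            runner = os.path.basename(command)
            if runner in RUNNERS:
                notes.append(f"{runner}: downloads and executes a package at launch")
                if "-y" in args or "--yes" in args:
                    notes.append("-y: installs without a confirmation prompt")
                spec = package_arg(args)
                if not is_pinned(spec):
                    notes.append(f"{spec}: version not pinned, each launch may fetch different code")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for server, notes in audit_config(SAMPLE_CONFIG).items():
        print(server, "->", notes or ["no local execution"])
```

Point it at the real config file (on macOS, Claude Desktop's claude_desktop_config.json) and anything that comes back with four notes is the case the thread describes: a local process, fetched on every launch, with no prompt and no fixed version. Pinning a version does not make a package safe, it only makes what you run reproducible and reviewable.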
Just published Part 3: MCP Integration: bit.ly/43GFHyB
May 22, 2025 at 9:48 PM