Hasty Briefs (beta)

Everything Wrong with MCP

a year ago
  • #LLM
  • #MCP
  • #Security
  • Model Context Protocol (MCP) is a standard for integrating third-party data and tools with LLM-powered chats and agents.
  • MCP lets third parties build tool plugins for assistants like Claude, ChatGPT, and Cursor, enabling BYOT (Bring Your Own Tools).
  • MCP streamlines context provision and agent autonomy, allowing actions like posting on LinkedIn or debugging in Cursor.
  • Comparisons with other standards: ChatGPT Plugins (similar but poorly executed), Tool-Calling (similar but MCP includes networking aspects), Alexa/Google Assistant SDKs (more complex, assistant-specific), and SOAP/REST/GraphQL (lower level).
  • Problem 1: Protocol Security - Issues include the lack of a defined auth spec, servers that run untrusted (potentially malicious) code locally, and servers that trust their inputs.
  • Problem 2: UI/UX Limitations - There are no controls for tool-risk levels or costs, and because tools exchange unstructured text, mistakes such as accidental deletions or high costs are easy to make.
  • Problem 3: LLM Security - MCP can enable prompt injections, expose sensitive data, and break traditional data access control models.
  • Problem 5: LLM Limitations - MCP relies on reliable LLM-based assistants, but tool-use is hard, and performance degrades with more tools.
  • MCP assumes tools are assistant-agnostic and mainly handle retrieval, but users often expect more complex functionality than tools provide.
  • Conclusions: MCP is necessary but combining LLMs with data is risky. Solutions require secure protocols, user education, and application safeguards.
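To make Problems 1 and 2 concrete, here is an added example (not code from the summarised post or from any MCP implementation): a minimal MCP-style `tools/call` dispatcher that refuses to trust tool arguments and gates destructive tools behind an explicit host confirmation. The risk levels, the `confirmed` flag and the `-32001` error code are assumptions of this example, not features of the protocol.

```python
import os
from pathlib import Path

# Constructed example: a JSON-RPC 2.0 "tools/call" handler that validates
# arguments and applies an ASSUMED per-tool risk level. "read" tools run
# freely; "destructive" tools require the host to pass confirmed=True.
SANDBOX_ROOT = Path("/tmp/mcp-sandbox").resolve()  # assumed sandbox directory
TOOLS = {
    "read_file": {"risk": "read"},
    "delete_file": {"risk": "destructive"},
}

def confine(user_path: str) -> Path:
    """Resolve a tool-supplied path and refuse anything outside SANDBOX_ROOT.
    Handles '..' traversal and absolute paths (pathlib replaces the base on join)."""
    candidate = (SANDBOX_ROOT / user_path).resolve()
    if candidate != SANDBOX_ROOT and SANDBOX_ROOT not in candidate.parents:
        raise ValueError(f"path escapes sandbox: {user_path}")
    return candidate

def error(req_id, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle_tools_call(request: dict, confirmed: bool = False) -> dict:
    """Dispatch one tools/call request: validate shape, arguments, risk, then path."""
    req_id = request.get("id")
    if request.get("jsonrpc") != "2.0" or request.get("method") != "tools/call":
        return error(req_id, -32600, "invalid request")
    params = request.get("params") or {}
    name, args = params.get("name"), params.get("arguments") or {}
    if name not in TOOLS:
        return error(req_id, -32601, f"unknown tool: {name}")
    if not isinstance(args.get("path"), str):
        return error(req_id, -32602, "arguments.path must be a string")
    # Assumed risk gate: the host must explicitly confirm destructive tools.
    if TOOLS[name]["risk"] == "destructive" and not confirmed:
        return error(req_id, -32001, f"{name} is destructive; host confirmation required")
    try:
        target = confine(args["path"])
    except ValueError as exc:
        return error(req_id, -32602, str(exc))
    if name == "delete_file":
        existed = target.exists()
        if existed:
            target.unlink()
        text = f"deleted {target.name}" if existed else "no such file"
    else:
        text = target.read_text() if target.exists() else ""
    return {"jsonrpc": "2.0", "id": req_id,
            "result": {"content": [{"type": "text", "text": text}]}}
```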