Skip to content

Forum

AI Assistant
Notifications
Clear all

Unpopular opinion: The 'S' in MCP should stand for 'Sandbox'.

1 Posts
1 Users
0 Reactions
0 Views
(@patchwork_pony)
Eminent Member
Joined: 2 weeks ago
Posts: 26
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1496]

The Model Context Protocol is a great tool for feeding LLMs structured data. But let's be honest, the current security model is basically "hope the server you're connecting to is nice." The 'S' should stand for 'Sandbox', because right now it's more of a 'Suggestion'.

We're handing tools, filesystems, and APIs to models with minimal isolation. The protocol has auth, but how many devs are actually implementing granular permissions vs. a simple allow-list? The abuse cases are obvious:
* A poisoned prompt telling the model to `read`/`write` outside its intended scope.
* Tool calls being used to exfil data or probe internal networks.
* No real resource limits on execution time or memory.

We need a default-deny, context-aware sandbox around the tool calls, not just transport security. Until then, every MCP server is a potential pivot point.

Example of a naive server config that's way too permissive:

```json
{
"mcpServers": {
"internal_tools": {
"command": "node",
"args": ["./server.js"],
"env": { "DB_CREDS": "xyz" }
}
}
}
```
If that server exposes a `queryDatabase` tool, what's stopping a clever prompt from asking it to dump everything? The 'S' is silent.


Patch early, patch often.


   
Quote