Thanks for the post, it describes the problems of MCP and agents really well. Personally, I don't quite understand why people are so excited by this, knowing that there are such issues with working with agents and MCP — not only usability issues but the security ones.
I think that the problem you describe in "MCP assumes tools are assistant agnostic and handle retrieval" practically renders AI agents useless for now. On one hand, we say that LLMs give us the universal interface, where we can tell the agent in plain human language what needs to be done. On the other hand, you say that we need to tailor prompts both to the MCP tools in use and to the LLM, which basically means that I need to learn from scratch how to operate the agent. I already know how to operate the browser and post on LinkedIn. What benefit do I get from learning another tool that does the same?
Ironically, as the author writing about everything wrong with it, I'm pretty excited about this. Not what exists now but what I expect to be able to do as the standard, applications, and models mature.
> practically renders AI agents useless for now...What benefit do I get from learning another tool that does the same
In terms of my own use cases, I'm often approaching it from the mindset of not "here's all the reasons it can't do xyz like me" and more so "how can I change my workflow to make it stable enough for an LLM to do it instead so I can do other things". I think that's also a huge "catch" to all the AI hype, which makes it seem like AI is going to do all these magical things out of the box. It doesn't, and yet AI writes most of my code nowadays (at work!) and automates a lot of the other less interesting day-to-day things. I can just do a lot more in less time and I expect this to only expand over time -- that's pretty exciting to me.
It's true that MCP is not great. Similarly, HTTP was worse at the beginning, but it ruled the web.
Thanks for writing this, Shrivu! I have been exploring MCP recently and am aware of some of the risks with using MCP servers but I learned many more from your article. You mentioned you use "an assistant connected to an MCP server literally every day". Curious, which MCP server is that?
Thanks! It's all custom ones which allow me to plug specialized tools into existing apps like Cursor and Claude Desktop.
We'll have a post soon (~2 weeks) on my work eng blog going through how it works and what specifically we do with our internal MCP server: https://abnormalsecurity.com/blog
Ah got it. Will keep an eye out for it!
Great post!
> I think Google’s new Agent2Agent protocol might solve a lot of these but that’s for a separate post.
Looking forward to this! 😊
MCP is still in its early stages of development, and I believe it will be a breakthrough point in the field of AI.
When I see MCP I see Tron's MCP.
Excellent article.
I considered discussing how HTTP, REST/JSON, and GraphQL also lack built-in security, but you went beyond just the basics.
IMHO, the risk is comparable to adding an IDE plugin or a code dependency (npm, Maven, etc.). Personally, I believe a proofed MCP ecosystem is lacking.