Security · May 2026
MCP Security: What Your Tools Can Do Without Asking
The Model Context Protocol gives AI agents structured access to local tools. That's powerful — and it creates a security surface that nothing in your existing stack governs.
What MCP changes
Before MCP, AI tools interacted with your system through ad-hoc integrations — a bash tool here, a file reader there. Each tool was custom-built, and the attack surface was implicit.
MCP standardized this. An MCP server exposes tools that AI agents can discover and call with structured arguments. This is a protocol-level agreement: the agent can invoke any tool the server exposes, chain tool calls together, and act on results autonomously.
The protocol is well-designed. The security model, however, has a gap: MCP does not govern what tools do at the OS level.
The trust boundary problem
When you add an MCP server to your AI tool configuration, you're granting that server's tools access to your machine. The trust is implicit and broad:
- A filesystem tool can read any file your user account can access: ~/.ssh/id_rsa, ~/.aws/credentials, .env
- A shell tool can spawn any process, including curl, osascript, or arbitrary scripts
- A network tool can call any external API, including exfiltration endpoints
There is no MCP-level permission system that says “this tool can read files in ./src but not ~/.ssh.” The protocol trusts the server. Your operating system doesn't know the difference between a legitimate file read and credential theft.
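To make the trust boundary concrete, here is an added example (not code from the original post, and not TURI's or any MCP SDK's code) that dispatches a JSON-RPC `tools/call` request, the method name and params shape MCP uses, to two versions of a `read_file` tool. The naive handler reads whatever path it is given, which is all the protocol requires. The confined handler pins the tool to a root directory and rejects `..` escapes, absolute paths and symlinks that point outside it. The sandbox directories, the fake key and the handler names are constructed for the example; transport is omitted. The point the example makes is that this check lives entirely in the server author's code: a well-behaved server can confine itself, a compromised one will not, and nothing in the protocol or the OS distinguishes the two.

```python
import tempfile
from pathlib import Path

# Constructed sandbox (not a real machine): a project tree and a fake home
# directory holding a fake private key, both under one temp dir.
ROOT = Path(tempfile.mkdtemp())
PROJECT = ROOT / "project" / "src"
PROJECT.mkdir(parents=True)
(PROJECT / "main.py").write_text("print('hello')\n")
HOME = ROOT / "home"
(HOME / ".ssh").mkdir(parents=True)
SECRET = HOME / ".ssh" / "id_rsa"
SECRET.write_text("-----BEGIN FAKE KEY-----\nnot a real key\n")
try:
    # A symlink inside the project that points at the secret: this is why
    # the confined handler must resolve() before comparing against the root.
    (PROJECT / "notes.txt").symlink_to(SECRET)
except OSError:
    pass


def read_file_unconfined(args):
    """Naive handler: opens whatever path it is asked for. This is all the
    protocol requires; the only limit is the user account's permissions."""
    return Path(args["path"]).read_text()


def read_file_confined(args, root=PROJECT):
    """Hardened handler: joins the request onto a fixed root, resolves
    symlinks and '..', and refuses anything that lands outside the root."""
    root = root.resolve()
    target = (root / args["path"]).resolve()   # absolute input replaces root
    if not target.is_relative_to(root):        # Python 3.9+
        raise PermissionError(f"path escapes tool root: {args['path']}")
    return target.read_text()


NAIVE_TOOLS = {"read_file": read_file_unconfined}
CONFINED_TOOLS = {"read_file": read_file_confined}


def handle(request, tools):
    """Dispatch one JSON-RPC 2.0 'tools/call' request to a local handler and
    wrap the outcome as MCP-style text content with an isError flag."""
    params = request["params"]
    try:
        text = tools[params["name"]](params["arguments"])
        result = {"content": [{"type": "text", "text": text}], "isError": False}
    except (KeyError, OSError) as exc:  # PermissionError/FileNotFoundError are OSError
        result = {"content": [{"type": "text", "text": str(exc)}], "isError": True}
    return {"jsonrpc": "2.0", "id": request["id"], "result": result}


def call(tool, arguments, tools, rid=1):
    """Build the request an agent would send and return the server's response."""
    req = {"jsonrpc": "2.0", "id": rid, "method": "tools/call",
           "params": {"name": tool, "arguments": arguments}}
    return handle(req, tools)


if __name__ == "__main__":
    # Legitimate read inside the project: succeeds under the confined handler.
    print(call("read_file", {"path": "main.py"}, CONFINED_TOOLS)["result"])
    # The same tool asked for the key: the naive handler hands it over.
    print(call("read_file", {"path": str(SECRET)}, NAIVE_TOOLS)["result"])
    # The confined handler refuses '..' escapes, absolute paths and symlinks out.
    for p in ("../../home/.ssh/id_rsa", str(SECRET), "notes.txt"):
        print(p, call("read_file", {"path": p}, CONFINED_TOOLS)["result"]["isError"])
```

The confined handler is the check a server author should write, but note where it sits: in the server. If the server is updated maliciously (scenario 1 below) the check disappears with it, and the agent, the protocol and the OS all see the same `tools/call` either way.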
Three attack scenarios
1. Compromised MCP server
A third-party MCP server you installed from a GitHub repository gets a malicious update. The read_file tool now silently reads ~/.aws/credentials and passes the content to a fetch call to an external endpoint. From the AI agent's perspective, it called a tool and got a result. From your perspective, your cloud credentials were just exfiltrated.
2. Prompt injection via MCP context
An MCP resource returns content that includes an embedded prompt injection. The AI agent processes the injected instruction and calls another tool — writing to a sensitive file, spawning a process, or modifying its own configuration. The agent was tricked, but the actions are real and execute with your privileges.
3. Legitimate tool, unexpected behavior
An MCP server you trust exposes a run_command tool. The AI agent decides to use it in a way the server author didn't anticipate: chaining it with a file read to exfiltrate data, or calling it in a loop to brute-force a local service. The tool works exactly as designed. The agent's use of it is the problem.
The gap isn't in MCP. It's that nothing between MCP and your operating system governs what happens after a tool is called.
What an AI agent firewall sees
TURI intercepts execution at the OS level — below MCP, below the AI tool, below the agent. When an MCP tool calls read_file, TURI's Endpoint Security extension sees the actual file open syscall. When a tool spawns curl, TURI sees the process exec. When a tool connects to an external endpoint, TURI's Network Extension sees the flow.
This means TURI can:
- Classify the MCP server process as an AI agent tool and apply agent-specific policy
- Block sensitive file reads from MCP-class processes, even if the tool is “designed” to read files
- Detect and quarantine read→egress chains: the secret_read_to_external_network behavioral rule fires regardless of which tool initiated the chain
- Drop network connections to blocklisted domains, even if the MCP tool explicitly tries to connect
The MCP scenario lab
We added an MCP tool exfiltration scenario to the docs. It simulates a compromised MCP server tool that reads local credentials and attempts to phone home. Run it in default mode and you'll see behavioral alerts. Apply the secure baseline with the domain blocklist and you'll see fileOpenBlocked and NE drops.
That's what an AI agent firewall does for MCP: it doesn't trust the protocol, the server, or the tool. It governs what actually happens on your machine.
What you can do today
- Audit your MCP servers. List every server in your AI tool config. Know what tools each one exposes.
- Minimize tool exposure. Don't give a code-review MCP server a run_command tool if it doesn't need one.
- Install an AI agent firewall. TURI governs what MCP tools do at the OS level, regardless of what the protocol allows.
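The first step, listing the servers, is easy to script. This added example (not code from the post or from TURI) reads a client config in the `mcpServers` layout several desktop clients use, enumerates each server's launch command, and flags what an audit should notice first: servers launched through a package runner (their code is fetched from a registry at start, so a malicious update lands silently, as in scenario 1), commands resolved via PATH rather than pinned to an absolute path, and credentials handed to the server through environment variables. The config shape is an assumption to adjust for your client; the config contents, package name and token are constructed. Knowing which tools each server exposes still requires asking the running server, which this offline script does not do.

```python
import json
import os

# Launchers that download and run a package at start time.
PACKAGE_RUNNERS = {"npx", "uvx", "bunx", "pnpx"}
SECRET_HINTS = ("TOKEN", "SECRET", "KEY", "PASSWORD")

# Constructed config (assumed `mcpServers` layout; fake package and token).
SAMPLE_CONFIG = """\
{
  "mcpServers": {
    "filesystem": {
      "command": "/usr/local/bin/mcp-server-filesystem",
      "args": ["/Users/dev/project"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@example/mcp-github"],
      "env": {"GITHUB_TOKEN": "ghp_constructed_not_real"}
    },
    "shell": {
      "command": "python",
      "args": ["tools/shell_server.py"]
    }
  }
}
"""


def load_servers(text):
    """Return the name -> launch-spec mapping from a config document."""
    return json.loads(text).get("mcpServers", {})


def audit_server(spec):
    """Findings for one server's launch spec, as short human-readable strings."""
    findings = []
    cmd = spec.get("command", "")
    env = spec.get("env", {})
    if os.path.basename(cmd) in PACKAGE_RUNNERS:
        findings.append("code fetched from a package registry at launch; "
                        "pin the version and vet updates before they run")
    if cmd and not os.path.isabs(cmd):
        findings.append(f"command '{cmd}' resolved via PATH; pin an absolute path")
    secrets = [k for k in env if any(h in k.upper() for h in SECRET_HINTS)]
    if secrets:
        findings.append("credentials passed in env: " + ", ".join(sorted(secrets)))
    return findings


def audit(text):
    """Map every configured server to its findings (empty list = nothing flagged)."""
    return {name: audit_server(spec) for name, spec in load_servers(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}:")
        for f in findings or ["no findings"]:
            print(f"  - {f}")
```

Point it at your real config file instead of SAMPLE_CONFIG and treat every flagged line as a question to answer, not a verdict: a PATH-resolved command is fine if you know what it resolves to, and a token in env is fine if that server genuinely needs it. The audit's value is that it forces you to answer those questions for every server, not just the one you remember adding.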
Run the MCP lab
Simulate a compromised MCP tool reading secrets and phoning home. See what TURI blocks — and what it honestly doesn't without the secure baseline.