MCP Security Risks: Prompt Injection, Tool Poisoning, and Permissions
A technical guide to MCP security risks and practical controls for prompt injection, tool poisoning, permissions, and auditability.
MCP makes AI tools more capable by connecting them to external systems. That same capability means teams need to think carefully about security boundaries.
Key MCP risks
- Prompt injection from documents, web pages, tickets, or messages.
- Tool poisoning through misleading tool descriptions or compromised servers.
- Overbroad permissions that expose unnecessary systems.
- Unsafe write actions without approval.
- Weak logging that makes incidents hard to investigate.
Controls to apply
Use trusted MCP servers, scope credentials tightly, separate read and write tools, require approval for sensitive actions, and log every tool call. Treat external content as untrusted, especially when it can influence an agent that has internal access.
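As an added example (not code from the original post or from any MCP SDK), the following Python gate applies those controls to every tool call: it rejects servers outside a trust list, separates read tools from write tools, demands approval before a write runs, records each call, and labels tool output as untrusted content. The server names, tool names, handlers and the approval callback are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy: which MCP servers are trusted, and which tools write.
TRUSTED_SERVERS = {"ticketing", "docs"}
WRITE_TOOLS = {"ticketing/close_ticket"}

# Constructed stand-ins for MCP servers: server -> tool name -> handler.
FAKE_SERVERS = {
    "ticketing": {
        "read_ticket": lambda a: f"Ticket {a['id']}: free text written by an external reporter",
        "close_ticket": lambda a: f"closed {a['id']}",
    },
    "docs": {"search": lambda a: f"results for {a['q']}"},
}


@dataclass
class ToolGate:
    """Wraps every tool call the agent makes with policy checks and an audit entry."""
    approve: Callable[[str, dict], bool]  # human or policy approval for write actions
    audit_log: list = field(default_factory=list)

    def call(self, server: str, tool: str, args: dict) -> dict:
        name = f"{server}/{tool}"
        entry = {"tool": name, "args": args, "outcome": None}
        self.audit_log.append(entry)  # logged whether or not the call is allowed
        if server not in TRUSTED_SERVERS:
            entry["outcome"] = "denied:untrusted_server"
            return {"error": entry["outcome"]}
        handler = FAKE_SERVERS[server].get(tool)
        if handler is None:
            entry["outcome"] = "denied:unknown_tool"
            return {"error": entry["outcome"]}
        if name in WRITE_TOOLS and not self.approve(name, args):
            entry["outcome"] = "denied:approval_required"
            return {"error": entry["outcome"]}
        result = handler(args)
        entry["outcome"] = "ok"
        # Tool output crosses the trust boundary: label it so the agent prompt
        # presents it as untrusted data rather than as instructions to follow.
        return {"untrusted": True, "content": result}
```

Read tools run without approval, while a write such as close_ticket only runs when the approval callback returns True; the audit_log holds one entry per attempted call, including denials.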
MCP security is not about avoiding tools. It is about making tool use explicit, bounded, and reviewable.