The Model Context Protocol has been called the "USB-C for AI" — a standard connector that lets any agent talk to any tool. The analogy is apt in a way its boosters may not intend: USB-C is convenient precisely because it removes friction, and removing friction is exactly how malicious devices get plugged into things they should not touch.
What an MCP Server Actually Exposes
An MCP server hands an AI agent a set of capabilities — read files, query databases, call APIs, execute commands. That is the point. But each capability is also an attack surface, and many MCP servers are deployed with:
- No authentication. Anyone who can reach the endpoint can invoke its tools.
- Over-broad scope. The server exposes far more capability than any single agent needs.
- No audit trail. Tool calls happen with no record of who invoked what, when, or why.
- No egress control. A compromised tool can exfiltrate freely.
The Prompt-Injection Multiplier
MCP turns a classic AI weakness into a systemic one. Prompt injection — malicious instructions smuggled into content the model reads — has always been a concern. When the model can act through MCP tools, an injected instruction is no longer just bad text; it is a command the agent can execute against your real systems. The blast radius of a successful injection is now the full set of tools the MCP server exposes.
Taming It
The controls are not exotic; they are the same least-privilege principles that govern any privileged interface:
- Authenticate every connection and identify the calling agent.
- Scope tools to roles. An agent gets only the tools its task requires, deny-by-default.
- Broker credentials. The agent never holds raw keys; the gateway mints short-lived, scoped tokens.
- Sandbox execution and filter egress so a compromised tool cannot reach beyond its mandate.
- Record every call — including every denial — in a tamper-evident log.
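The five controls above, reduced to a toy policy gateway in Python as an added example (not code from this post or from any MCP implementation; the agent, role and tool names are constructed, HMAC over a shared secret stands in for whatever authentication a real deployment uses, and the tamper-evident log is a simple hash chain):

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed identity store (hypothetical agents, roles and tools).
AGENT_SECRETS = {"reporting-agent": b"constructed-secret-1", "ops-agent": b"constructed-secret-2"}
AGENT_ROLES = {"reporting-agent": "reader", "ops-agent": "operator"}
# Deny-by-default: a tool absent from the role's set is refused, whatever the server exposes.
ROLE_TOOLS = {"reader": {"db.query_readonly"}, "operator": {"db.query_readonly", "shell.exec"}}
AUDIT_LOG = []  # hash-chained: every entry commits to the digest of the entry before it


def _entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def _record(event):
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {**event, "prev": prev}
    entry["hash"] = _entry_hash(entry)  # digest covers the event and the previous hash
    AUDIT_LOG.append(entry)


def verify_audit_chain(log=None):
    """Return False if any entry was altered, reordered or removed after the fact."""
    prev = "0" * 64
    for entry in (AUDIT_LOG if log is None else log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def make_request(tool):
    return json.dumps({"tool": tool}).encode()  # the MAC binds the caller to this exact tool


def sign(agent_id, request):
    return hmac.new(AGENT_SECRETS[agent_id], request, "sha256").hexdigest()


def mint_token(agent_id, tool, ttl_s=60):
    # Short-lived, single-tool token; the agent never holds the backend credential itself.
    return {"sub": agent_id, "tool": tool, "exp": int(time.time()) + ttl_s, "nonce": secrets.token_hex(8)}


def gateway(agent_id, request, mac_hex):
    """Authenticate, scope by role, mint a token; log the decision whether allow or deny."""
    tool = json.loads(request)["tool"]
    secret = AGENT_SECRETS.get(agent_id)
    if secret is None or not hmac.compare_digest(hmac.new(secret, request, "sha256").hexdigest(), mac_hex):
        decision, reason = "deny", "authentication failed"
    elif tool not in ROLE_TOOLS.get(AGENT_ROLES.get(agent_id), set()):
        decision, reason = "deny", "tool outside role scope"
    else:
        decision, reason = "allow", ""
    _record({"ts": int(time.time()), "agent": agent_id, "tool": tool, "decision": decision, "reason": reason})
    return mint_token(agent_id, tool) if decision == "allow" else None
```

Sandboxing and egress filtering happen around the tool's execution, not at the policy decision point, so they are outside what this gateway models.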
The Read
A universal connector is a force multiplier in both directions. MCP makes agents dramatically more useful and dramatically more dangerous at the same time. The organizations that benefit from it without getting burned are the ones that treat every MCP server as a privileged interface, not a convenience — and govern it accordingly.