来源：https://dev.to/rapls/connecting-an-mcp-server-gives-your-agent-hands-it-also-gives-a-stranger-a-way-in-3mgi

The moment you connect an MCP server, your coding agent stops being a thing that reads and writes in your repo and becomes a thing that can reach out and act. Read a database, hit an API, touch a service, pull in a web page. That's the entire appeal. It's also the entire problem.

I went through this wiring up tools for my own plugin work, and the thing that saved me from a worse mistake was a scar I already had. I'd shipped an AI chatbot earlier where I rendered the model's output straight to the page and ate an HTML injection bug. That one taught me a rule the hard way: anything an LLM hands back is untrusted input. MCP is that same lesson with the blast radius turned up.

When people talk about agent safety, they almost always mean: what if the agent runs something destructive. Deletes files, force-pushes, curls something it shouldn't. But it's only half the threat. The other half is quieter: what if the agent believes something it shouldn't. An MCP server returns an API response, a database row, an issue body, an email thread, and somewhere in that returned content is a line that reads like an instruction. The model has no reliable way to tell your instruction from text that arrived inside data.

Whatever an MCP server returns is in exactly the same trust category as a string a stranger typed into a form on your site. Not "data from my tool." Data from outside, that happens to arrive through my tool.

The other half, the destructive-command fear, does have a settings answer. In Claude Code that's the sandbox: turn it on and Bash execution gets isolated at the OS level. Here's the part that surprised me: the sandbox restricts writes to your working directory, but by default it still allows reads across most of the machine. Which means credentials like ~/.aws/credentials and ~/.ssh/ are readable unless you say otherwise.

The server itself is attack surface. A connected MCP server you didn't vet is code running in your loop with a channel into your agent. So three habits: Vet the source before you connect it. Drop the ones you're not using. If a CLI already does the job, don't stand up a server at all.

Before I wire up any MCP server, three questions: Do I trust where this server came from. What's the worst command it could talk my agent into, and is that command walled off by deny rules. Is the output going to get treated as untrusted input everywhere it lands.

Connecting a server is genuinely the moment your agent grows hands. Worth remembering that hands can be guided by whoever's holding the other end of the tool.

（此帖无评论）