Checked GitHub MCP — added for code reading. Also had delete_repository. Slack MCP — wanted search. Got remove_user and delete_channel.
There's no way to say "give the agent query but not drop_table." I checked Claude, Cursor, ChatGPT — all-or-nothing everywhere.
The numbers are bad: 1,808 MCP servers scanned — 66% had security findings. 30 CVEs in 60 days. 76 published skills contained malware. 5 of top 7 most-downloaded skills were malware.
We're giving agents system-level access without a permission model. This feels like early cloud days before IAM.
We built per-tool permissions into our gateway at Aerostack — each tool gets a toggle, destructive ops blocked by default, enforced at the proxy layer.
Full writeup: https://aerostack.dev/blog/your-ai-agent-has-root-access
Curious how others are handling MCP security today.
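The per-tool toggle with destructive operations blocked by default, enforced in a proxy between the agent and the MCP server, can be sketched in a few dozen lines. The following is an added illustration, not code from the post or from Aerostack's gateway. It assumes the MCP JSON-RPC method names `tools/list` and `tools/call` and their `result.tools` / `params.name` fields as defined in the MCP specification; the `DESTRUCTIVE_RE` name heuristic, the `ToolPolicy` class, the `-32000` error code and the sample messages are all constructed for this example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed heuristic: tool names with these verb prefixes are treated as
# destructive and denied unless an operator explicitly toggles them on.
DESTRUCTIVE_RE = re.compile(r"^(delete|remove|drop|destroy|purge|truncate)_", re.I)


@dataclass
class ToolPolicy:
    """Per-server tool policy held by the gateway (hypothetical class).

    toggles: explicit operator decisions per tool name (True = allowed).
    Tools with no toggle fall back to: allowed unless the name looks
    destructive, i.e. "destructive ops blocked by default".
    """
    toggles: dict = field(default_factory=dict)

    def permits(self, tool: str) -> bool:
        if tool in self.toggles:          # an explicit toggle always wins
            return bool(self.toggles[tool])
        return DESTRUCTIVE_RE.match(tool) is None


def filter_tools_list(response: dict, policy: ToolPolicy) -> dict:
    """Strip denied tools from a tools/list result on its way back to the
    agent, so the model never even sees a tool it may not call."""
    result = response.get("result", {})
    kept = [t for t in result.get("tools", []) if policy.permits(t["name"])]
    return {**response, "result": {**result, "tools": kept}}


def check_tools_call(request: dict, policy: ToolPolicy) -> Optional[dict]:
    """Inspect an agent->server request. Return None if it may be forwarded,
    otherwise a JSON-RPC error to send back instead of forwarding it.
    The decision is made here, at the proxy, not by the model."""
    if request.get("method") != "tools/call":
        return None
    name = (request.get("params") or {}).get("name", "")
    if policy.permits(name):
        return None
    return {
        "jsonrpc": "2.0",
        "id": request.get("id"),
        # -32000 is in the JSON-RPC implementation-defined error range (assumption).
        "error": {"code": -32000, "message": f"tool '{name}' blocked by gateway policy"},
    }


# Constructed sample: what a GitHub-style MCP server might advertise.
SAMPLE_TOOLS_LIST = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "get_file_contents", "description": "read a file", "inputSchema": {}},
        {"name": "search_repositories", "description": "search", "inputSchema": {}},
        {"name": "delete_repository", "description": "delete a repo", "inputSchema": {}},
    ]},
}

# Constructed sample: the agent later tries the destructive tool anyway.
SAMPLE_DELETE_CALL = {
    "jsonrpc": "2.0", "id": 7, "method": "tools/call",
    "params": {"name": "delete_repository", "arguments": {"owner": "x", "repo": "y"}},
}


def main() -> None:
    policy = ToolPolicy()                     # no toggles set: defaults only
    visible = filter_tools_list(SAMPLE_TOOLS_LIST, policy)
    print("tools shown to agent:", [t["name"] for t in visible["result"]["tools"]])
    verdict = check_tools_call(SAMPLE_DELETE_CALL, policy)
    print("delete_repository call ->", json.dumps(verdict) if verdict else "forwarded")


if __name__ == "__main__":
    main()
```

Two design points worth noting: filtering the `tools/list` response reduces the chance that a prompt-injected model is steered toward a destructive tool it was told exists, while the `tools/call` check is the actual control, since a model can name a tool it was never shown. The toggle map lets an operator allow `delete_channel` for one workflow without opening every destructive tool on the server.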