The Elephant in the MCP Room
Let me be blunt: the MCP specification has no authentication. Zero. None. Every MCP server you install runs with your full user privileges. It can read your SSH keys, your AWS credentials, your browser cookies, and your entire home directory. The spec says nothing about preventing this.
And the community response? "Just install servers you trust." That is not a security model. That is a prayer.
How MCP Authentication Actually Works (It Does Not)
Here is what happens when you run claude mcp add some-server -- npx @some/mcp:
- npm downloads the package (latest version, unpinned by default)
- The MCP server process starts with YOUR user privileges
- The server registers tools with any descriptions
- Your AI agent can now call those tools with zero permission checks
- Each tool call executes with full access to your filesystem, network, and environment
There is no sandboxing. No capability tokens. No permission prompts for file access outside the project directory. The entire security model relies on you having personally audited the source code of every MCP server you install.
The Trust-Me-Bro Stack
| Ecosystem | Permission Model | Sandboxing |
|---|---|---|
| Chrome Extensions | Manifest permissions, user approval | Process isolation |
| iOS Apps | Entitlements, runtime prompts | App Sandbox |
| VS Code Extensions | Activation events, restricted APIs | Extension Host process |
| MCP Servers | None | None |
MCP has the security model of a 1990s Windows DLL. Run anything, access everything, hope for the best.
What You Can Do Today
The MCP spec will not fix itself overnight. Here is what works now:
- Audit before install - Run
scan_mcp_configafter every new MCP server install. Check tool descriptions for prompt injection patterns. Zfuzz detects 100+ patterns. - Pin versions - Use
npx @zfuzz/mcp@1.0.0instead ofnpx @zfuzz/mcp. A compromised publish at 2 AM should not auto-deploy to your machine. - Minimize env vars - Do not pass API keys to MCP servers that do not need them. Every env var you share is a credential that server can read.
- Use runtime guards - Agent Guard hooks block dangerous operations even if a tool is compromised. Shell injection, SSRF, and path traversal are caught at execution time.
- Check the source - GitHub stars, maintainer identity, npm download count. A 3-star MCP server from a week-old account is a red flag.
What the Spec Needs
The MCP specification should add: capability-based permissions (tools declare what they access), user consent flows (the agent asks before granting file/network access), and process sandboxing (MCP servers run in a restricted environment). Until then, every MCP install is a leap of faith.
Start Auditing
claude mcp add zfuzz -- npx @zfuzz/mcp



