What is the Model Context Protocol (MCP)?

MCP is an open standard from Anthropic that lets AI assistants connect to external tools and data sources through a uniform server-client interface. Published in November 2024, it has rapidly become the default protocol for plugging tools into agentic AI applications, with adoption from Anthropic, OpenAI, Microsoft, Google, and most major agent frameworks.

How MCP works

An MCP server is a small program — usually a Node.js, Python, or Go process — that exposes three primitive types over a standardized JSON-RPC interface:

• Tools — callable functions the model can invoke (e.g. read_file, query_database, send_email)
• Resources — read-only data the model can retrieve (documents, API responses, knowledge base entries)
• Prompts — reusable prompt templates the user or model can select

An MCP client is the AI application itself: Claude Desktop, ChatGPT, Cursor, or a custom agent. The client connects to one or more servers (over stdio for local servers or HTTP for remote ones), discovers what each server offers, and routes the model's tool invocations back and forth.

The wire format is standardized, so any MCP-compatible client can connect to any MCP-compatible server without per-integration glue code. That's the protocol's central value: the N×M integration matrix collapses to N+M.

Why MCP matters

Before MCP, every AI application built its own tool-integration system. Adding a new tool meant writing custom adapters, custom argument schemas, and custom result-parsing logic — for every client that wanted to use it. MCP standardizes the contract, so a single filesystem server works in Claude Desktop, Cursor, and a dozen other clients without modification.

Why MCP is a security concern

MCP servers run as privileged software with the access scope of the systems they wrap. A database MCP server typically holds production database credentials. A filesystem server has read/write access to the user's home directory.

Three attack patterns are documented:

• Tool poisoning — an MCP server returns tool descriptions containing prompt-injection payloads that hijack the model when it reads them. Repello's research showed this can lead to remote code execution.
• Rug-pull updates — an initially-safe MCP server is updated by a malicious maintainer to introduce harmful behavior after the user has already authorized it.
• Indirect injection via tool responses — when a tool's output (e.g. the contents of a fetched web page) contains adversarial instructions, the model treats them as part of the conversation and may act on them.

Securing MCP requires per-tool policies, runtime monitoring of tool arguments and responses, and gateway-level controls between the client and server.

See also

The MCP specification is maintained at modelcontextprotocol.io. For the threat model and concrete defenses, see Repello's long-form coverage below.