What is an MCP Server?
An MCP server is a process — usually a small Node.js, Python, or Go program — that exposes tools, resources, and prompts to AI clients (Claude Desktop, Cursor, ChatGPT, custom agents) over the Model Context Protocol. It is the integration layer that lets an AI assistant interact with a specific system: a database, a code repository, a file system, a SaaS API, an internal service.
What an MCP server actually exposes
The MCP specification defines three primitive types a server can serve:
- Tools — callable functions with typed argument schemas (
read_file,query_database,send_email). The model decides when to call them based on the conversation. - Resources — read-only data the model or user can request (a document, an API response, a knowledge base entry, a screenshot). Resources have URIs and MIME types.
- Prompts — reusable prompt templates the user or model can select at runtime.
A server typically serves one focused capability — mcp-filesystem, mcp-postgres, mcp-github, mcp-slack — and clients connect to many servers simultaneously.
How clients discover servers
MCP servers run in two transport modes:
- stdio — the server is a local subprocess, the client launches it and communicates over stdin/stdout. Used for personal/desktop integrations.
- HTTP — the server is a remote service, the client connects via HTTP+SSE. Used for shared/team integrations.
The client sends a initialize handshake, then tools/list, resources/list, prompts/list to discover what's available. From that point, the model has access to those primitives for the duration of the session.
Security implications of MCP servers
MCP servers run with the access scope of the systems they wrap, which is usually broad:
- A
mcp-postgresserver holds production database credentials - A
mcp-filesystemserver has read/write to the user's home directory - A
mcp-githubserver has GitHub PAT permissions - A
mcp-slackserver can read and post messages
When the user installs an MCP server, they're granting the AI client all of those permissions transitively. Three concrete risks:
- Tool poisoning. A malicious or compromised server returns tool descriptions containing prompt-injection payloads that hijack the model when read.
- Tool response poisoning. Even a benign server returns content from systems the user doesn't fully control (web pages, emails, foreign DB entries) — that content is treated by the model as authoritative.
- Rug-pull updates. A previously-trusted server is silently updated to introduce harmful behavior after authorization.
Securing MCP requires per-server source pinning, gateway-level traffic inspection between client and server, and runtime monitoring of tool calls and responses.