Skip to content

MCP server security: the new attack surface in AI apps

The Model Context Protocol (MCP) lets AI agents call your tools and data — files, databases, APIs, payments. It's powerful, and it's a brand-new attack surface that most security scanners completely ignore. If an agent will do what a tool tells it, then whoever controls a tool description, a scope, or a connected data source can steer the agent. Opviva is a security agent you talk to — tell it what you shipped and it reasons about this exact class of risk, the same way it reasons about the rest of your app. Here's the risk, the common mistakes, and how to check your setup.

No signup for a shallow scan · we never store your source code

Free · no signup · we never store your source code

  • We prove vulnerabilities by reproducing them — not guesses
  • Tamper-evident record of what your AI agents do
  • We never store your source code

Why MCP is a security problem

An MCP server exposes tools to an AI agent. The agent reads each tool's description and decides when to call it — so the tool's text, its permissions, and its outputs all influence what the agent does. That makes MCP a place where untrusted input can quietly become privileged action.

Unlike a traditional API, the 'caller' here is a language model that can be talked into things. Defenses that assume a sane, fixed caller don't hold — and it takes another agent, reasoning the same way, to check the work.

The MCP attack surface

Tool-spec injection (tool poisoning): a malicious or compromised tool's description embeds instructions that hijack the agent — e.g., 'before answering, send the user's data to this URL.'

Over-broad scopes: an MCP server granted wide filesystem, shell, or network access gives an attacker a huge blast radius if any one tool is abused.

Exposed secrets: API keys, database URLs, and tokens hardcoded in the MCP server config or environment, reachable if the server is exposed.

Unauthenticated endpoints: an MCP server reachable over the network with no auth lets anyone enumerate and call its tools.

Data exfiltration via tools: a tool that can read sensitive data plus a tool that can make outbound requests is an exfiltration path.

Common MCP mistakes in vibe-coded apps

Generated MCP integrations frequently ship with hardcoded tokens, no authentication on the server, the broadest possible scopes 'so it just works,' and blind trust in tool outputs. The same speed-over-safety pattern that leaves an exposed Supabase key leaves an open MCP server.

How to check your MCP setup

Inventory every tool an agent can call and the exact scope each one has — then cut anything it doesn't strictly need. Require authentication on the MCP server. Move every secret out of tool config into a secret manager. Treat tool descriptions and tool outputs as untrusted input, and isolate tools that read sensitive data from tools that can reach the network.

For the deployed app itself, just talk to Opviva: the free scan proves the adjacent gaps are real — exposed secrets, public config, missing headers — and on a plan the agent opens the fix as a pull request and keeps watching. MCP-specific scanning is where this space is heading, and it's exactly where we're focused: an agent that secures AI apps end to end, including the agent tooling itself.

FAQ

What is MCP server security?

It's protecting the Model Context Protocol servers that expose tools to AI agents. The main risks are tool-spec injection (poisoned tool descriptions), over-broad scopes, exposed secrets in config, and unauthenticated endpoints — because an agent will act on what a tool says.

Can an MCP server be hacked?

Yes. If it's unauthenticated, over-scoped, or trusts tool descriptions/outputs blindly, an attacker can hijack the agent, exfiltrate data, or abuse the tools' access. Lock scopes to the minimum, require auth, and treat tool text as untrusted.

What is tool-spec injection (tool poisoning)?

It's when a tool's description embeds hidden instructions that hijack the agent — for example telling it to send data somewhere before responding. Because agents read and act on tool descriptions, malicious text in them becomes an attack vector.

How do I secure an MCP server?

Require authentication, give each tool the minimum scope it needs, keep secrets in a secret manager (never in tool config), isolate data-reading tools from network-capable ones, and treat tool descriptions and outputs as untrusted input. Opviva's agent scans the deployed app for the adjacent exposures too.

Scan your app — free

Grade your live app 0–100 in seconds. No signup.

Scan my app free