Everything wrong with MCP

Coordinator of the authorization RFC linked in this post[1].<p>The protocol is in very, very early stages and there are a lot of things that still need to be figured out. That being said, I can commend Anthropic on being very open to listening to the community and acting on the feedback. The authorization spec RFC, for example, is a coordinated effort between security experts at Microsoft (my employer), Arcade, Hellō, Auth0&#x2F;Okta, Stytch, Descope, and quite a few others. The folks at Anthropic set the foundation and welcomed others to help build on it. It will mature and get better.<p>[1]: <a href="https:&#x2F;&#x2F;github.com&#x2F;modelcontextprotocol&#x2F;modelcontextprotocol&#x2F;pull&#x2F;284">https:&#x2F;&#x2F;github.com&#x2F;modelcontextprotocol&#x2F;modelcontextprotocol...</a>

The author makes good general points but seems to be overloading MCP&#x27;s responsibilities imo. My understanding of MCP is that it just provides a ready-made &quot;doorway&quot; for LLMs to enter and interact with externally managed resources. It&#x27;s a bridge or gateway. So is it really MCP&#x27;s fault that it:<p>&gt;makes it easier to accidentally expose sensitive data.<p>So does the &quot;forward&quot; button on emails. Maybe be more careful about how your system handles sensitive data. How about:<p>&gt;MCP allows for more powerful prompt injections.<p>This just touches on wider topic of only working with trusted service providers that developers should abide by generally. As for:<p>&gt;MCP has no concept or controls for costs.<p>Rate limit and monitor your own usage. You should anyway. It&#x27;s not the road&#x27;s job to make you follow the speed limit.<p>Finally, many of the other issues seem to be more about coming to terms with delegating to AI agents generally. In any case it&#x27;s the developer&#x27;s responsibility to manage all these problems within the boundaries they control. No API should have that many responsibilities.

MCP is just a transport + wire format with request&#x2F;response lifecycle and most importantly: tool-level authorization.<p>The essay misses the biggest problem with MCP:<p><pre><code> 1. it does not enable AI agents to functionally compose tools. 2. MCP should not exist in the first place. </code></pre> LLMs already know how to talk to every API that documents itself with OpenAPI specs, but the missing piece is authorization. Why not just let the AI make HTTP requests but apply authorization to endpoints? And indeed, people are wrapping existing APIs with thin MCP tools.<p>Personally, the most annoying part of MCP is the lack of support for streaming tool call results. Tool calls have a single request&#x2F;response pair, which means long-running tool calls can&#x27;t emit data as it becomes available – the client has to repeat a tool call multiple times to paginate. IMO, MCP could have used gRPC which is designed for streaming. Need an onComplete trigger.<p>I&#x27;m the author of Modex[^1], a Clojure MCP library, which is used by Datomic MCP[^2].<p>[^1]: Modex: Clojure MCP Library – <a href="https:&#x2F;&#x2F;github.com&#x2F;theronic&#x2F;modex">https:&#x2F;&#x2F;github.com&#x2F;theronic&#x2F;modex</a><p>[^2]: Datomic MCP: Datomic MCP Server – <a href="https:&#x2F;&#x2F;github.com&#x2F;theronic&#x2F;datomic-mcp&#x2F;">https:&#x2F;&#x2F;github.com&#x2F;theronic&#x2F;datomic-mcp&#x2F;</a>

This article reads less like a criticism of MCP, the internal technical details of which I don&#x27;t know that much about, and they make the subject of but a part of the srticle, but a general criticism of the general aspect of &quot;protocol to allow LLM to run actions on services&quot;<p>A large problem in this article stems from the fact that the LLM may take actions I do not want it to take. But there are clearly 2 types of actions the LLM can take: those I want it to take on it&#x27;s own, and those I want it to take only after prompting me.<p>There may come a time when I want the LLM to run a business for me, but that time is not yet upon us. For now I do not even want to send an e-mail generated by AI without vetting it first.<p>But the author rejects the solution of simply prompting the user because &quot;it’s easy to see why a user might fall into a pattern of auto-confirmation (or ‘YOLO-mode’) when most of their tools are harmless&quot;.<p>Sure, and people spend more on cards than they do with cash and more on credit cards than they do on debit cards.<p>But this is a psychological problem, not a technological one!

I have read 30 MCP articles now and I still don’t understand why we not just use API?

One of the biggest issues I see, briefly discussed here, is how one MCP server tool&#x27;s output can affect other tools later in the same message thread. To prevent this, there really needs to be sandboxing between tools. Invariant labs did this with tool descriptions [1], but I also achieved the same via MCP resource attachments[2]. It&#x27;s a pretty major flaw exacerbated by the type of privilege and systems people are giving MCP servers access to.<p>This isn&#x27;t necessarily the fault of the spec itself, but how most clients have implemented it allows for some pretty major prompt injections.<p>[1] <a href="https:&#x2F;&#x2F;invariantlabs.ai&#x2F;blog&#x2F;mcp-security-notification-tool-poisoning-attacks" rel="nofollow">https:&#x2F;&#x2F;invariantlabs.ai&#x2F;blog&#x2F;mcp-security-notification-tool...</a> [2] <a href="https:&#x2F;&#x2F;www.bernardiq.com&#x2F;blog&#x2F;resource-poisoning&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.bernardiq.com&#x2F;blog&#x2F;resource-poisoning&#x2F;</a>

&gt; MCP servers can run (malicious code) locally.<p>I wrote an MCP Server (called Codebox[1]) which starts a Docker container with your project code mounted. It works quite well, and I&#x27;ve been using it with LibreChat and vscode. In my experience, Agents save 2x the time (over using an LLM traditionally) and is less typing, but at roughly 3x the cost.<p>The idea is to make the entire Unix toolset available to the LLM (such as ls, find), along with project specific tooling (such as typescript, linters, treesitter). Basically you can load whatever you want into the container, and let the LLM work on your project inside it. This can be done with a VM as well.<p>I&#x27;ve found this workflow (agentic, driven through a Chat based interface) to be more effective compared to something like Cursor. Will do a Show HN some time next week.<p>[1]: <a href="https:&#x2F;&#x2F;github.com&#x2F;codespin-ai&#x2F;codebox-js">https:&#x2F;&#x2F;github.com&#x2F;codespin-ai&#x2F;codebox-js</a>

Let’s remind ourselves that MCP was announced to the world in November 2024, only 4 short months ago. The RFC is actively being worked on and evolving.

MCP is a dead end for chatbots. Building valuable workflows requires more than tool calling, most importantly, understanding the context of a conversation to adjust the tools dynamically.

Is it just me, or is this thing really, really stupid?<p>I mean the whole AI personal assistant shebang from all possible angles.<p>Imagine, for example if booking.com built an MCP server allowing you to book a hotel room, query all offers in an area in a given time, quickly, effortlessly, with a rate limit of 100 requests&#x2F;caller&#x2F;second, full featured, no hiding or limiting data.<p>That would essentially be asking them to just offer you their internal databases, remove their ability to show you ads, remove the possibility to sell advertisers better search rankings, etc.<p>It would be essentially asking them to keel over and die, and voluntarily surrender all their moat.<p>But imagine for a second they did do that. You get the API, all the info is there.<p>Why do you need AI then?<p>Let&#x27;s say you want to plan a trip to Thailand with your family. You could use the fancy AI to do it for you, or you could build a stupid frontend with minimal natural language understanding.<p>It would be essentially a smart search box, where you could type in &#x27;book trip to Thailand for 4 people, 1 week, from July 5th&#x27;, and then it would parse your query, call out to MCP, and display the listings directly to you, where you could book with a click.<p>The AI value add here is minimal, even non-existent.<p>This applies to every service under the sun, you&#x27;re essentially creating a second Internet just for AIs, without all the BS advertising, fluff, clout chasing and time wasting. I, as a human am dying to get access to that internet.<p>Edit: I&#x27;m quite sure this AI MCP future is going to be enshittified in some way.

Nothing the author said is wrong, but I don’t know how much it matters or if it would’ve been better if it handled all this out of the gate. I think if MCP were more complicated no one would’ve adopted it.<p>Being pretty close to OAuth 1.0 and the group that shaped it I’ve seen how new standards emerge, and I think it’s been so long since new standards mattered that people forgot how they happen.<p>I was one of the first people to criticize MCP when it launched (my comment on the HN announcement specifically mentioned auth) but I respect the groundswell of support it got, and at the end of the day the standard that matters is the one people follow, even if it isn’t the best.

There is one thing I pointed out in <a href="https:&#x2F;&#x2F;taoofmac.com&#x2F;space&#x2F;notes&#x2F;2025&#x2F;03&#x2F;22&#x2F;1900" rel="nofollow">https:&#x2F;&#x2F;taoofmac.com&#x2F;space&#x2F;notes&#x2F;2025&#x2F;03&#x2F;22&#x2F;1900</a> and seems to be missing from the article:<p>&quot;... MCP tends to crowd the model context with too many options. There doesn’t seem to be a clear way to set priorities or a set of good examples to expose MCP server metadata–so your model API calls will just pack all the stuff an MCP server can do and shove it into the context, which is both wasteful of tokens and leads to erratic behavior from models.&quot;

Yeah, I don&#x27;t feel comfortable downloading tiny server programs from random devs on the internet to give my LLM client apps extra &quot;tools&quot;. I can LuLu or LittleSnitch regular apps but not these ones.

I quite liked this article, actually, and I&#x27;m quite an MCP stan. These all seem like legitimate problems that the burgeoning ecosystem needs to figure out. Some of them will be logically solved inside the MCP spec, but I also think some won&#x27;t.

Is anyone successfully using Claude Code along with MCP?<p>I feel like I hear very many stories of some company integrating with MCP, many fewer stories from users about how it helps them.

I have been developing with MCP for a few weeks now, making some small python and javascript servers to integrate with Claude Desktop.<p>I am yet to see a use case that wouldn&#x27;t be better served with an HTTP API. I understand the need to standardize some conventions around this, but at the heart of it, all &quot;tool&quot; use boils down to: 1. an API endpoint to expose capabilities &#x2F; report the API schema 2. other endpoints (&quot;tools&quot;) to expose functionality<p>Want state? (&quot;resources&quot;) - put a database or some random in-memory data structure behind an API endpoint. Want &quot;prompts&quot;? This is just a special case of a tool.<p>Fundamentally (like most everyone else experimenting with this tech), I need an API that returns some text and maybe images. So why did I just lose two days trying to debug the Python MCP SDK, and the fact that its stdio transport can&#x27;t send more than a few KB without crashing the server?<p>If only there was a stateless way to communicate data between a client and a server, that could easily recover from and handle errors...

Does it at least say &quot;END OF LINE&quot; and banish wannabe hackers to the game grid?

MCP has a LangChain smell.<p>Doesn&#x27;t solve a pressing problem that can&#x27;t be solved via a few lines of code.<p>Overly abstract.<p>Tons of articles trying to explain its advantages, yet all somehow fail.

Something that I struggle with in regards to MCP and no-ones really touches on: We don&#x27;t even know if this &quot;general&quot; Chatbot paradigm will persist. So far I got the feeling that we end up building specialized apps for specialized use-cases (e.g. cursor or claude code for coding) These then bring their own set of tools (for file writing, reading, running bash commands, etc.) and don&#x27;t really need MCP (except for very niche use-cases maybe).<p>I don&#x27;t really see the point yet where LLMs become so good that I throw my specialized LLM tools out and do everything in one claude desktop window. It simply doesn&#x27;t work generic enough.<p>Also... if you end up building something custom, you end up having to reimplement the tool calling again anyways. MCP really is just for the user facing chat agents, which is just one section of AI applications. It&#x27;s not as generically applicable as implied.

I think what is not to be overlooked in these discussions, is the user base of MCP.<p>In my experience, many less-technical folks started using MCP, and that makes security issues all the more relevant. This audience often lacks intuition around security best-practices. So it’s definitely important to raise awareness around this.

Great point in the article about tools lacking output schemas. Makes reliable multi-step planning tough.<p>We based Xops (<a href="https:&#x2F;&#x2F;xops.net" rel="nofollow">https:&#x2F;&#x2F;xops.net</a>) on OpenRPC for this exact reason (disclosure: we are the OpenRPC founders). It requires defining the result schema, not just params, which helps plan how outputs connect to the any step&#x27;s inputs. Feels necessary for building complex workflows and agents reliably.

What do we gain by using MCP that cloud not be achieved worth OpenAPI standard. It feels extremely redundant to me.

I feel MCP emerged too quickly. It will take some time and further protocol versions&#x2F;enhancements for it to mature, and address stuff like security. Also it was not vetted by a conventional standards body, but just made public by a company. Lots of hype around it, everyone seems to be talking MCP these days.

MCP have a BAD UI?<p>MCP is not a UI. Seem someone here quite confused about what is MCP.<p>MCP have no security? Someone don&#x27;t know that stdio is secure and over SSE&#x2F;HTTP there was already specs: <a href="https:&#x2F;&#x2F;modelcontextprotocol.io&#x2F;specification&#x2F;2025-03-26&#x2F;basic&#x2F;authorization" rel="nofollow">https:&#x2F;&#x2F;modelcontextprotocol.io&#x2F;specification&#x2F;2025-03-26&#x2F;bas...</a>.<p>MCP can run malicious code? Apply to any app you download. How this is the MCP issue? Happen in vscode extensions. NPM libs. But blame MCP.<p>MCP transmits unstructured text by design?<p>This is totally funny. It&#x27;s the tool that decide what to respond. Annd the dialogue is quite<p>I start feeling this post is a troll.<p>I stopped reading and even worth continuing over prompt injection and so on.

Much like the early days of JS and APIs in general this is presumably going to need time to evolve and settle.

the only one of these points I personally care about is:<p>&gt; The protocol has a very LLM-friendly interface, but not always a human friendly one.<p>similar to the people asking &quot;why not just use the API directly&quot;, I have another question: why not just use the CLI directly? LLMs are trained on natural language. CLIs are an extremely common solution for client&#x2F;server interactions in a human-readable, human-writeable way (that can be easily traversed down subcommands)<p>for instance, instead of using the GitHub MCP server, why not just use the `gh` CLI? it&#x27;s super easy to generate the help and feed it into the LLM, super easy to allow the user to inspect the command before running it, and already provides a sane exposure of the REST APIs. the human and the LLM can work in the same way, using the exact same interface

I don&#x27;t see the problem. I&#x27;ve just been using services with 3 - 10 verbs that the agent can use without adding any that can do harmful things. Even when they have no auth mechanism I can just put a temporary token in the URL.

BetaMax is better than VHS, the latter won.<p>Rkt is better than Docker, later won.<p>${TBD} is better than MCP, my bet is on MCP.

Amazing to see so many comments out here in support of a very new and very boring protocol.<p>I have to think the enthusiasm is coming mostly from the vibe-coding snakeoil salespeople that seem to be infecting every software company right now.

Anybody remember OSGi?<p>I can imagine a plugin-based server where the plugins are applications and AIs that all use MCP to interact. The server would add a discovery protocol.<p>That seems like the perfect use for MCP.

How well the protocol is designed doesn&#x27;t matter, the most popular choice is not necessarily the best one. Sometimes &quot;worse is better.&quot;

A natural follow up: is Google&#x27;s newly launched a2a better equipped to handle these security issues?

Did you read the spec ? Everything you said is already a recommendation.

isnt langchain doing the exact same thing? (sorry ai noob here)

I&#x27;m sure MCP does have legitimate problems and some might even be covered in this article but the author would benefit by spending more time refining their criticisms.<p>There&#x27;s a whole section on how people can do things like analyse a combination of slack messages, and how they might use that information. This is more of an argument suggesting agents are dangerous. You can think MCP is a good spec that lets you create dangerous things but conflating these arguments under &quot;mcp bad&quot; is disingenuous.<p>Id rather have more details and examples on the problem with the spec itself. &quot;You can use it to do bad things&quot; doesn&#x27;t cut it. I can use http and ssh to bad things too, so it&#x27;s more interesting to show how Eve might use MCP to do malicious things to Alice or Bob who are trying to use MCP as intended.

&quot;Authentication is tricky and so it was very fair that the designers chose not to include it in the first version of the protocol.&quot;<p>No, it&#x27;s not fair at all. You can&#x27;t add security afterwards like spreading icing on baked cake. If you forgot to add sugar to the cake batter, there&#x27;s not enough buttercream in the world to fix it.

Yet another piece of rushed technology that&#x27;s being heralded as &quot;the way&quot; which will most certainly be discarded when the next hype-able acronym comes along.<p>The only upside to these technologies being shotgun implemented and promoted is that they&#x27;ll inevitably lead to a failure that can&#x27;t be pushed under the rug (and will irreversibly damage the credibility of AI usage in business).

&gt; It&#x27;s so over<p>&gt; We are so back

MCP is built on JSON-RPC 2.0. JSON-RPC 2.0 is a super lightweight, stateless protocol that lets a client and a server talk to each other using plain old JSON. It’s not tied to HTTP, but it often rides on it. It’s like the chill cousin of REST: no verbs, no URL gymnastics—just methods and parameters, passed as structured JSON.<p>MCP calls itself a “protocol,” but let’s be honest—it’s a framework <i>description</i> wrapped in protocol cosplay. Real protocols define message formats and transmission semantics across transport layers. JSON-RPC, for example, is dead simple, dead portable, and works no matter who implements it. MCP, on the other hand, bundles prompt templates, session logic, SDK-specific behaviors, and application conventions—all under the same umbrella.<p>As an example, I evidently need to install something called &quot;uv&quot;, using a piped script pulled in from the Internet, to &quot;run&quot; the tool, which is done by putting this into a config file for Claude Desktop (which then completely hosed my Claude Desktop):<p><pre><code> { &quot;mcpServers&quot;: { &quot;weather&quot;: { &quot;command&quot;: &quot;uv&quot;, &quot;args&quot;: [ &quot;run&quot;, &quot;--with&quot;, &quot;fastmcp&quot;, &quot;fastmcp&quot;, &quot;run&quot;, &quot;C:\\Users\\kord\\Code\\mcptest\\weather.py&quot; ] } } } </code></pre> They (the exuberant authors) do mention transport—stdio and HTTP with SSE—but that just highlights the confusion here we are seeing. A real <i>protocol</i> doesn’t care how it’s transported, or it defines the transport clearly. MCP tries to do both and ends up muddying the boundaries. And the auth situation? It waves toward OAuth2.1, but offers almost zero clarity on implementation, trust delegation, or actual enforcement. It’s a rats nest waiting to unravel once people start pushing for real-world deployments that involve state, identity, or external APIs with rate limits and abuse vectors.<p>This feels like yet another centralized spec written for one ecosystem (TypeScript AI crap), claiming universality without earning it.<p>And let’s talk about streaming vs formatting while we’re at it. MCP handwaves over the reality that content coming in from a stream (like SSE) has totally different requirements than a local response. When you’re streaming partials from a model and interleaving tool calls, you need a very well-defined contract for how to chunk, format, and parse responses—especially when tools return mid-stream or you’re trying to do anything interactive.<p>Right now, only a few clients are actually supported (Anthropic’s Claude, Copilot, OpenAI, and a couple local LLM projects). But that’s not a bug—it’s the feature. The clients are where the value capture is. If you can enforce that tools, prompts, and context management only work smoothly inside your shell, you keep devs and users corralled inside your experience. This isn’t open protocol territory; it’s marketing. Dev marketing dressed up as protocol design. Give them a “standard” so they don’t ask questions, then upsell them on hosted toolchains, orchestrators, and AI-native IDEs later. The LLM is the bait. The client is the business.<p>And yes, Claude helped write this, but it&#x27;s exactly what I would say if I had an hour to type it out clearly.

TL,DR: &quot;MCP is powerful enough to do useful things. That&#x27;s not OK. Somebody might get hacked.&quot;

Another article accurately critiquing the short-comings of this terrible &quot;spec&quot;.<p>This is exactly why MCP is hardly a mature standard and was not designed to be secure at all making it acceptable for AI agents to claim to execute commands but could also be stealing your credentials or running a totally different command such or could download malware.<p>The spec appears to to be designed by 6 month-old vibe-coding developers learning Javascript with zero scrutiny rather than members of the IETF at leading companies with maximum scrutiny.<p>Next time, Anthropic should consult professionals that have developed mature standards for decades and learn from bad standards such as JWT and Oauth.