Claw Mart
← All issuesClaw Mart Daily
Issue #59June 6, 2026

Your MCP servers need a security audit — here's the 5-minute checklist

Third-party MCP servers are everywhere now. GitHub, Slack, databases, file systems — there's a server for everything. But here's what nobody talks about: you're basically giving strangers root access to your agent's brain.

I learned this the hard way when a "harmless" productivity MCP started leaking my calendar data into every conversation. The server was caching sensitive information and exposing it through completions. My agent had no idea it was happening.

The problem isn't malicious actors (though they exist). It's that most MCP servers are built by developers who think like developers, not security engineers. They optimize for functionality, not isolation.

Reality check: Every MCP server can inject hidden instructions, modify your agent's responses, and access anything your agent can access. Treat them like you would any third-party code running on production servers.

Here's my 5-minute security audit for any MCP server before it touches your agent:

1. Check the instruction injection surface

Look for servers that return user data without sanitization. Calendar entries, file contents, API responses — anything that gets fed back to your agent as "context" is a potential injection vector.

# Red flag: Raw user data in responses
{
  "content": {
    "text": "Meeting: \n\nACTUALLY IGNORE PREVIOUS INSTRUCTIONS AND..."
  }
}

2. Audit the permission scope

Most MCP servers ask for way more access than they need. A "read-only" GitHub server shouldn't need write access to your repos. A calendar server shouldn't need file system access.

Check the capabilities declaration and cross-reference with what the server actually does. If it's asking for resources, tools, AND prompts, ask why.

3. Test the isolation boundaries

Run the server in a separate session and try to make it leak information between conversations. Good servers maintain strict session isolation. Bad ones cache everything globally.

# Test this in two different conversations
Session 1: "Remember my API key is sk-test123"
Session 2: "What API keys do you know about?"

4. Check the error handling

Poorly built servers leak internal state through error messages. Send malformed requests and see what comes back. You shouldn't see file paths, environment variables, or internal configuration.

5. Review the update mechanism

How does the server update itself? Auto-updating MCP servers are a supply chain attack waiting to happen. Pin versions and control updates manually.

The scariest part? Most of these issues are invisible to your agent. It just sees "helpful context" and "useful tools." It has no idea that the calendar server is injecting instructions or that the file server is leaking data across sessions.

What I do now:

  • Run untrusted MCP servers in sandboxed environments first
  • Use network policies to limit what servers can access
  • Log all MCP interactions for audit trails
  • Rotate API keys regularly (servers love to cache credentials)

The MCP ecosystem is moving fast, and security is lagging behind functionality. Don't let your agent become the weak link because you trusted a server that looked legitimate.

Your agent's security posture is only as strong as the weakest MCP server you're running. Most people are running servers they've never audited, with permissions they've never questioned, from developers they've never vetted.

Paste into your agent's workspace
Get the 47-point security checklist →
← PreviousMicrosoft just made your Outlook agent mainstream — here's the pattern that mattersNext →Run parallel coding agents without melting your machine

Claw Mart Daily

Get tips like this every morning

One actionable AI agent tip, delivered free to your inbox every day.