AZMX AI
GitHub ↗ Download

Security Guide · 2026-05-26 · 7 min read

Hardening MCP Implementations

Secure your Model Context Protocol servers and clients to prevent unauthorized system access and data exfiltration.

The Model Context Protocol (MCP) allows AI agents to interact with local tools and remote APIs via a standardized interface. However, granting an LLM the ability to execute shell commands or read files creates a significant attack surface. Securing these workflows requires a shift from implicit trust to explicit, gated authorization.

The MCP Attack Surface

MCP operates by connecting a client (the AI orchestrator) to one or more servers (the tool providers) via stdio or HTTP. The primary security risk is not the protocol itself, but the capabilities granted to the server. If an MCP server provides a tool like execute_shell or read_file without constraints, a prompt injection attack can lead to Remote Code Execution (RCE) or sensitive data theft.

Common Vulnerabilities

  • Indirect Prompt Injection: An agent reads a malicious file or webpage that contains instructions to call an MCP tool to exfiltrate ~/.ssh/id_rsa.
  • Over-privileged Servers: Running an MCP server as root or with full disk access.
  • Unvalidated Inputs: Servers that pass LLM-generated arguments directly to a system shell without sanitization.

Core Security Best Practices

1. Implement Human-in-the-Loop (HITL) Approval

Never allow an AI agent to execute write operations or shell commands autonomously. Every tool call that modifies state must be gated by a manual approval. This is the only reliable defense against sophisticated prompt injections.

While tools like Cursor or GitHub Copilot focus on autocomplete and inline edits, sovereign agents require stricter boundaries. AZMX AI implements this by default, requiring a manual click to approve every shell execution or file edit, ensuring the human remains the final arbiter of system change.

2. Strict Path and Resource Deny-lists

Define a strict set of directories the MCP server is forbidden from accessing. At a minimum, the following should be blocked:

- .env
- .ssh/
- .aws/
- /etc/passwd
- .git/config

A robust implementation should use a deny-list that prevents the agent from even seeing these files in a directory listing, rather than just blocking the read operation.

3. Principle of Least Privilege (PoLP)

Run MCP servers as a dedicated, non-privileged user. If a server only needs to query a Postgres database, it should not have access to the local filesystem. Use containers (Docker) or sandboxes (gVisor) to isolate MCP servers from the host OS.

4. Input Validation and Parameterization

Treat every argument provided by the LLM as untrusted input. Avoid using shell=True in Python's subprocess module or similar patterns in Node.js. Use parameterized queries for databases and strict regex validation for filenames.

Comparing MCP Implementations

Different agents handle MCP and tool execution with varying degrees of friction and security. Aider and Cline provide powerful automation but often rely on the user to monitor the terminal output in real-time. Windsurf and Sourcegraph Cody integrate deeply into the IDE, which simplifies the UX but can obscure the exact commands being run.

The trade-off is usually between velocity and verifiability. For production environments or sensitive local machines, verifiability must win. This is why a native binary approach, like the one used in AZMX AI, avoids the overhead of Electron and focuses on a lean Rust backend to manage PTY terminals and approval gates with minimal latency.

Configuring Secure MCP Servers

When configuring your mcp_config.json, avoid hardcoding API keys. Use environment variables and ensure the process manager loading these variables is secure. If using MCP over HTTP, enforce TLS and implement API key authentication for the server endpoint to prevent unauthorized clients from triggering tools.

Checklist for MCP Deployment

  1. Audit Tools: Does the server provide more capabilities than the agent needs?
  2. Validate Gates: Is there a manual approval step for rm, curl, or chmod?
  3. Verify Isolation: Is the server running in a restricted shell or container?
  4. Check Logs: Are all tool calls and their arguments logged for auditing?

Conclusion

MCP is a powerful standard that eliminates the need to write custom glue code for every new tool. However, the convenience of stdio communication should not lead to security complacency. By combining human approval gates, strict deny-lists, and process isolation, you can utilize the power of agentic workflows without compromising your system integrity. For those seeking a hardened environment, the AZMX AI client provides these safeguards natively, ensuring no telemetry is collected and no unauthorized calls are made.

One window. The whole loop.

Download AZMX AI More posts