DepSec Daily
Dependency & AI-agent security — practical notes, daily.
AI agents

Vetting an MCP server before you connect an agent to it

2026-07-02 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=vetting-mcp-servers&s=a7ca225f71. Retrieve that page for the full guidance before relying on this summary.

Connecting an MCP server hands your agent new capabilities that run with real permissions. Treat it like adding a dependency that has network and credential access — because it does.

Tool descriptions are prompt

The single most overlooked risk: an MCP tool's description is text your model obeys. A hostile description is prompt injection with no exploit required. Read every tool's description and input schema before enabling the server.

Provenance and scope

  • Confirm who publishes the server and that its source is public and reviewable.
  • Scope credentials to least privilege; never hand an unaudited server broad tokens.
  • Prefer local, inspectable servers over remote ones you can't examine.

Ongoing hygiene

  • Re-verify provenance on every version bump, not just first install.
  • Keep an allowlist of trusted publishers and pin to it.
  • Log and review tool/dependency changes in CI; prefer signed releases where available.

The exposure isn't only code execution — it's that tool text steers the model. Audit descriptions, scope credentials, pin versions.