REGISTER: See the future of AppSec on Wednesday, Nov. 12th

ASPM Platform
ASPM Platform
Overview

Legit is an AI-native ASPM platform that automates AppSec issue discovery, prioritization, and remediation. A trusted ASPM vendor for your AppSec and software supply chain security programs.

Learn More
Integrations
Use Cases:
hub
Unified Vulnerability Remediation
code-scanning
Code Security (SAST, SCA)
encrypted
Secrets Detection & Prevention
account_tree
Software Supply Chain Security
settings_applications
Advanced Code Change Management
Platform - ASPM Icon
Compliance
AI-Native AppSec
AI-Native AppSec
Overview

AI is revolutionizing development - making it faster, smarter, and more autonomous. It’s also rewriting the rules of application security. Traditional AppSec tools weren’t designed for AI-driven dev processes. Legit is here to help.

Learn More
Use Case
mcp-server-icon
MCP Server
remediation-icon
AI-Powered Remediation
Resources
Resources - Blog Icon
Blog
Resources - Resource Library Icon
Resource Library
Resources - Open Source with Legitify Icon
Open Source with Legitify
Resources - Events Icon
Events
Company - About Legit Icon 2
ASPM Knowledge Base
Company
Company - About Legit Icon 2
About Legit
Why Legit - Customers Icon
Customers
Company - Partners Icon
Partners
Company - Press Releases Icon 1
Press Releases
Company - In the News Icon
In the News
Company - Careers Icon
Careers
contact_us_new
Contact Us
Sign In

Blog

Model Context Protocol Security: MCP Risks and Best Practices

Legit Security
Published on
October 06, 2025

Updated on
October 17, 2025
SHARE:

The Model Context Protocol (MCP) is quickly becoming the standard way to connect large language models (LLMs) with external tools. Before MCP, LLMs relied on APIs or ad-hoc plugins to make those connections, which often led to inconsistent and hard-to-maintain integrations.

MCP changes that by giving LLMs a consistent way to request data, run actions, and interact with systems in real-time. While these capabilities unlock new use cases, they highlight the need for strong MCP security to prevent misuse or data exposure.

Here’s a guide to MCP, the security risks it introduces, and the best practices you can apply to keep AI-driven workflows safe.

What Is the Model Context Protocol?

The MCP is an open standard that allows LLMs like Claude or ChatGPT to securely interact with external systems. Anthropic introduced the MCP in November 2024, and it has since gained momentum as more organizations look for scalable ways to extend LLM capabilities.

Instead of building custom APIs for every tool, MCP creates a universal layer. Think of it as a common connector that lets AI applications tap into data sources, services, and workflows. In practice, this could mean an AI assistant pulling files from Google Drive, querying a company database, or triggering actions in platforms like Slack or GitHub.

By using MCP, the LLM doesn’t need a unique integration for each of those platforms. It can rely on a shared framework to connect with them all. This has fueled MCP’s rapid adoption, with organizations exploring how to apply it in agentic AI applications and autonomous AI agents. But as adoption grows, so does the focus on MCP security—since every new connection expands the potential attack surface.

 

How Does Model Context Protocol Work?

To understand how the system fits together, the MCP can be explained as a series of interactions between the user, the LLM, and external tools.

At a high level, the MCP model follows a client-server architecture, where each part understands its role in the workflow. Here’s how it works:

  1. The user makes a request: Start by asking the LLM to perform a task—for example, “Find all unread emails from this week.”
  2. The MCP client adds context: When you first connect, the client discovers which tools each server provides. For every new request, it enriches your prompt with that tool's information and passes it to the LLM.
  3. The LLM selects the right tool: Based on the context, the LLM responds with the tool to use and the specific parameters needed.
  4. The MCP server executes the action: The client sends those details to the MCP server. Before carrying out sensitive operations, MCP can prompt the user for consent, adding an approval layer. Once confirmed, the server performs the action through the external service.
  5. The results return to the LLM: The server sends the output back through the client, the LLM interprets it, and you get a natural language response with the result.

 

What Are Some Model Context Protocol Security Risks?

While MCP opens new possibilities for AI-driven workflows, it also introduces fresh security challenges. Understanding these risks is the first step toward safer deployments.

Supply Chain Risks

Anyone can develop an MCP server, and many developers distribute them through public repositories. That creates room for attackers to slip in malicious servers that look legitimate.

For example, a fake “weather data” server might advertise simple reporting but exfiltrate files once installed. These risks highlight why supply chain trust is a recurring theme in generative AI (GenAI) security.

Prompt Injection

MCP servers often include stored prompts that shape how the model behaves. If attackers manipulate those prompts and exploit these injection points, the model can perform harmful actions, like altering database records without authorization. An attacker could embed hidden instructions in what looks like a normal request, causing the system to forward sensitive documents to an attacker-controlled email address.

Token Theft and Credential Exposure

MCP servers depend on credentials like OAuth tokens and API keys for authentication and connection to external services. If an attacker steals one, they can impersonate the server and operate with legitimate access.

A stolen Google OAuth token, for instance, could allow them to read or delete your emails, access files in Google Drive, and call other Google APIs on the user’s behalf—all without a login prompt. Because servers often hold multiple tokens, compromising one server can expose a wide range of systems and dramatically increase the blast radius.

Context Leakage

By design, MCP enriches requests with contextual information from connected tools. But if bad actors tamper with those requests, the context itself can leak. A malicious prompt might trick the system into exposing database schema details, customer data, or internal chat logs. These
emerging risks with embedded LLMs show how normal interactions can turn into unintended exposures.

Excessive Permissions and Data Aggregation

Many MCP server implementations request wide permission scopes to provide broad functionality. That convenience centralizes access: A single server or token can access email, calendars, file storage, databases, and source code. However, this means that if an attacker compromises that server or a long-lived token, they can pivot fast—read Drive for credentials, access repos, or set forwarding rules to siphon mail.

What Are Model Context Protocol Security Best Practices?

Implement security controls for MCP servers and treat them like privileged services. Vet them before installation and limit what they can access.

Below are a few high-impact practices to secure MCP servers and limit exposure:

  • Keep an inventory of approved servers: Require signed packages or integrity checks and only allow servers from the approved list.
  • Enforce least privilege for tokens and scopes: Issue short-lived, minimally scoped OAuth tokens. It’s also a good idea to forbid token passthrough and validate token audiences.
  • Store and scan secrets centrally: Keep credentials in a hardened vault to limit their exposure. Wherever you can, run automated secret scanning and ban hardcoded tokens in repos.
  • Require explicit consent: MCP proxies should get user consent for each dynamically registered client and validate redirect/registration parameters to block malicious OAuth flows.

Unlock the Benefits of Model Context Protocol Security With Legit

 

Legit Security runs a hardened MCP server that connects LLMs and developer assistants to your toolchain—while maintaining control where it matters. The Legit MCP server brokers short-lived, scoped tokens, vets and signs connectors before installation, and enforces runtime sandboxing and logging so editors and AI assistants can run in-code security checks without exposure.

Let LLMs speed workflows while keeping model context protocol security practical and measurable.

Request a demo today.

Related ASPM Knowledge Posts

See More

Blog

A Foundation You Can Trust

Get a stronger AppSec foundation you can trust and prove it’s doing the job right.

Request a Demo
See the Legit AI-Native ASPM Platform in Action

Find out how we are helping enterprises like yours secure AI-generated code.

Demo_ASPM
Request a Demo
Need guidance on AppSec for AI-generated code?

Download our new whitepaper.

Legit-AI-WP-SOCIAL-v3-1