MCP security & quality, explained
The concepts behind the MCP Score — what they mean, why they matter, and how CheckMCP measures them.
MCP server
An MCP server is a service that exposes capabilities — tools, resources and prompts — to an AI agent over the Model Context Protocol (MCP), an open JSON-RPC standard introduced by Anthropic. It lets a model call external functions, read data and reuse prompt templates through one uniform interface instead of a bespoke integration per app.
MCP security
MCP security is about making sure the servers an AI agent connects to cannot hijack it, leak secrets, or be turned into an exploit. Because a server's tool descriptions and outputs flow directly into the model's context, an untrusted MCP server is an attack surface — which CheckMCP audits with an OWASP MCP Top 10 pass plus optional runtime checks.
Tool poisoning
MCP tool poisoning is an attack where a malicious or compromised MCP server embeds hidden instructions inside tool metadata (names, descriptions, input/output schemas) or tool-call outputs, hijacking the agent that reads them even when the user never sees the text. You detect it by statically scanning all tool metadata and by behaviorally probing live tool responses for agent-directed injection patterns.
Tool-output prompt injection
Tool-output prompt injection is when an MCP tool's response — not its static schema — carries instructions that the agent reads as commands, so a server (or content it fetched) can hijack the agent at call time. It is the runtime form of tool poisoning, delivered through the data an MCP tool returns rather than through its description.
The lethal trifecta
The lethal trifecta is when a single agent (or MCP server) simultaneously has access to untrusted content, access to sensitive data, and a way to send data out (exfiltration) or cause damage (destruction) — the combination that lets a prompt injection turn into a real breach. CheckMCP detects it statically as OWASP MCP06: a CRITICAL finding that fires when one server's tools cover all three capability classes at once.
MCP rug pull
An MCP rug pull is when a Model Context Protocol server you already approved silently mutates its tool definitions after the fact — rewriting a description, adding a hidden instruction, widening a destructive tool, or swapping behavior — so code that passed review starts behaving differently. CheckMCP's methodology catches it by hashing the normalized tool set against a stored baseline and re-running its OWASP and (optional) behavioral checks against whatever the server now returns, flagging breaking changes and newly-introduced risk.
MCP context cost
MCP context cost is the number of tokens a server's tool list consumes in the agent's context window — paid on every request, not once. Verbose descriptions, oversized JSON schemas and too many tools can quietly eat 30–50% of the available context, leaving less room for the actual task and raising latency and price.
MCP Score
The MCP Score is CheckMCP's vendor-neutral, explainable 0–100 grade for a Model Context Protocol server. It combines seven weighted pillars — security, tool design, schemas, reliability, context-cost, compliance and coverage — into one number, and attributes every deduction as measure → mechanism → effect, so the score is auditable rather than a black box.
Model Context Protocol (MCP)
The Model Context Protocol (MCP) is an open JSON-RPC 2.0 standard, introduced by Anthropic, that lets an AI application connect to external tools, data and prompts through one uniform interface. A host runs one MCP client per server, performs a capability handshake, then discovers and calls the server's tools, resources and prompts. MCP solves the N×M integration problem: instead of building a custom connector for every model-times-tool pairing, each side implements MCP once and interoperates with everything else that speaks it.
Are MCP servers safe?
MCP servers are only as safe as the code behind them; there is nothing inherently safe or unsafe about the Model Context Protocol itself. The risk is that an MCP server's tool descriptions and tool outputs flow straight into your agent's context, so an untrusted or compromised server can plant instructions that hijack the agent, leak secrets, or trigger destructive actions. A first-party or audited server with clean tools, no embedded secrets, and no dangerous capability combinations is safe to use; an unvetted third-party server is not, so you vet it (read the tools, check the source, scan it with a tool like CheckMCP) before you install.
Auditing an MCP server
Auditing an MCP server means inspecting it before you trust it: complete the JSON-RPC 2.0 capability handshake, read every tool, resource and prompt the server exposes (including each tool's description and input/output schema), and check them against known MCP risks (tool poisoning, hardcoded secrets, command injection, the lethal trifecta) — then, for live servers, exercise read-only tools to confirm their responses are clean. CheckMCP automates this end to end and returns an explainable MCP Score (0-100, grade A-F) so you can verify an MCP server before installing it without reading the source by hand.
MCP server configuration
To add an MCP server to Claude Desktop, open Settings -> Developer -> Edit Config, which opens claude_desktop_config.json. Add an entry under the top-level "mcpServers" object -- a key (the server's name) mapping to either a local stdio launcher ("command" plus "args" and optional "env") or a remote endpoint ("url") -- then save and fully restart Claude Desktop. On launch it spawns one MCP client per server, runs the JSON-RPC 2.0 capability handshake, and then discovers and calls that server's tools, resources and prompts. Because a server's tool descriptions and outputs flow straight into the model's context, audit any third-party server before you add it.
MCP server vulnerabilities
MCP server vulnerabilities are the security weaknesses an AI agent inherits when it connects to a Model Context Protocol (MCP) server, because the server's tool definitions and tool outputs flow straight into the model's context as trusted text. The main attack surface spans tool poisoning, hardcoded secrets in schemas, command and SSRF injection, the lethal trifecta, and rug pulls (silent tool drift after approval). The defense is to audit a server before trusting it — statically against the OWASP MCP Top 10 and, where possible, behaviorally — and to re-check it on every release.
OWASP MCP Top 10
The OWASP MCP Top 10 is a threat taxonomy that catalogs the most common, highest-impact security risks specific to Model Context Protocol (MCP) servers — including tool poisoning, hardcoded secrets in tool schemas, command and SQL injection, unsafe destructive tools, the lethal trifecta, and silent tool rug-pulls. It gives developers building or evaluating MCP servers a shared checklist for what to look for before they trust a server with an agent. CheckMCP runs an OWASP MCP Top 10 pass on every audit and folds it into Security, the top-weighted pillar (20 of 100 points) of its MCP Score.
Building an MCP server
To build an MCP server you implement the Model Context Protocol — an open JSON-RPC 2.0 standard introduced by Anthropic — so an AI host can perform a capability handshake and then discover and call your tools, resources and prompts. In practice you pick a transport (stdio for local, Streamable HTTP for remote), define each tool with a precise name, description and JSON Schema, and return well-formed results. Building it securely means keeping secrets out of schemas, gating destructive tools, treating tool output as untrusted, and avoiding the lethal trifecta — then re-auditing on every release.
MCP security best practices
MCP security best practices are the defensive habits that keep an AI agent safe when it connects to Model Context Protocol servers: apply least privilege to every tool, keep secrets out of tool schemas and outputs, require explicit confirmation for destructive actions, separate untrusted-content tools from sensitive-data and outbound tools (break the lethal trifecta), validate and constrain inputs, and re-audit on every release because tool definitions can silently change. Because a server's tool descriptions and outputs flow straight into the model's context, an untrusted server is an attack surface, so the goal is to limit what any one tool, or any combination of tools, can do.
Local vs remote MCP servers
A local MCP server runs on your own machine as a child process the host launches and talks to over stdio (stdin/stdout); a remote MCP server runs somewhere else and is reached over the network using the Streamable HTTP transport (or the older HTTP+SSE pairing), usually behind OAuth 2.1. The protocol — JSON-RPC 2.0, the same capability handshake, the same tools/resources/prompts — is identical either way; only the transport, the deployment, and the trust boundary differ. Local servers expose your filesystem and credentials to whatever code you ran; remote servers move the code off your machine but hand your data to a third party over the wire.
MCP client, server & host
In the Model Context Protocol, the host is the AI application (Claude Desktop, an IDE assistant, your own agent) that the user interacts with; it spawns one MCP client per connection; and each client talks to exactly one MCP server, the service that exposes tools, resources and prompts. The host owns the model and the trust boundary, the client is the protocol connector that performs the JSON-RPC 2.0 capability handshake, and the server is the capability provider — usually the only one of the three you do not control.
MCP gateway
An MCP gateway is a security proxy that sits in-band between your AI agent and the MCP servers it uses: the agent connects to the gateway instead of the raw server, and the gateway forwards every JSON-RPC message — the initialize handshake, tools/list and each tools/call — while inspecting both the request and the response. Because tool descriptions and outputs flow straight into the model's context, the gateway is the one place you can catch tool poisoning, prompt injection, data exfiltration and silent tool drift at the moment they happen — and, in active mode, strip or block the danger before it ever reaches the agent. You need one because a per-server audit certifies a server only as it was at probe time, whereas a gateway enforces safety on live, real-time traffic.
MCP tools, resources & prompts
Tools, resources and prompts are the three primitives a Model Context Protocol (MCP) server can expose to an AI agent. Tools are callable functions the model can invoke (each with a name, a description and a JSON Schema for inputs, plus an optional output schema); resources are readable data the agent pulls into context, addressed by URI; and prompts are reusable, parameterized prompt templates. MCP rides on JSON-RPC 2.0: after the host's MCP client performs a capability handshake with the server, it discovers all three over JSON-RPC, then the model decides which tool to call, and the host or user decides what to read or apply.
Adding an MCP server to Cursor
Add an MCP server to Cursor by creating or editing a JSON config file with an `mcpServers` object: `.cursor/mcp.json` in your project root for a single project, or `~/.cursor/mcp.json` in your home directory to enable it everywhere. Each entry is either a local stdio server (`command`, `args`, `env`) or a remote server (`url`, `headers`). You can also use Cursor's Settings UI (Settings - Tools & Integrations - New MCP Server) or a marketplace "Add to Cursor" button. Vet any third-party server before adding it, because Cursor will run its tools with your credentials and machine access.
Adding an MCP server to VS Code
In VS Code, MCP servers run through GitHub Copilot's Agent mode. Add one by editing a JSON file under the top-level "servers" key: a workspace file at .vscode/mcp.json, or your user-level mcp.json via the "MCP: Open User Configuration" command. You can also use the "MCP: Add Server" command for a guided flow, or run code --add-mcp from a terminal. Note the key is "servers", not the "mcpServers" used by Cursor and Claude Desktop. Vet any server before adding it, since its tools run with your editor's trust and credentials.
Claude Code MCP setup
In Claude Code you add an MCP server from the command line, not by hand-editing a config file. Run `claude mcp add --transport http <name> <url>` for a remote HTTP server, or `claude mcp add <name> -- <command> [args...]` for a local stdio server (everything after the `--` is the launch command). Pick where it is stored with `--scope local` (default, this project only), `--scope project` (shared via a checked-in `.mcp.json` using the `mcpServers` key), or `--scope user` (all your projects). Because a server's tool descriptions and outputs flow straight into the model's context, vet any third-party server before you add it.