AI Tools

MCP Server Security Checklist for AI Coding Tools

Model Context Protocol searches are growing because every tool wants to connect agents to files, browsers, databases, and SaaS APIs. Before you connect an MCP server to your coding agent, use this security checklist.

Feature Field Engineering8 min read

Model Context Protocol is becoming a default way to connect AI agents to real tools. That is useful, and it is also the reason searches around "MCP server," "MCP security," and "MCP for coding agents" deserve a serious answer.

An MCP server is not just a plugin. It is a capability boundary. If it can read files, query a database, send browser commands, or call a SaaS API, then your AI agent can potentially trigger those capabilities too.

Quick answer

Before connecting an MCP server to a coding agent, verify five things:

  1. What data can it read?
  2. What actions can it perform?
  3. Where are credentials stored?
  4. Can commands be scoped or denied?
  5. Can you audit what happened afterward?

If you cannot answer those questions, do not connect it to a production repo.

The real risk is capability creep

Most teams start with a harmless goal: let the agent read docs, search tickets, or inspect local files. Then the server grows. It gets write access. It receives a token. It can call deployment APIs. Suddenly the agent has a path from prompt to production side effect.

That does not make MCP bad. It means MCP servers should be treated like automation services, not browser extensions.

The checklist

1. Separate read tools from write tools

A documentation search server is low risk. A server that can create issues, edit files, push commits, or modify infrastructure is higher risk.

Prefer separate servers or separate tool groups:

  • read-only docs;
  • read-only code search;
  • local shell with approval;
  • GitHub write actions;
  • production deployment actions.

The agent should not receive every capability just because the server supports it.

2. Use least-privilege credentials

Do not give an MCP server your personal all-access token if it only needs to read one repository.

Use:

  • fine-grained GitHub tokens;
  • scoped API keys;
  • separate development accounts;
  • environment-specific credentials;
  • short-lived tokens when possible.

Credentials should live in a secret store or environment file that is not committed.

3. Put dangerous actions behind confirmation

The safest MCP write actions require explicit approval before execution. That includes:

  • deleting files;
  • pushing branches;
  • changing DNS;
  • sending email;
  • deploying production;
  • modifying billing or account settings.

A tool call that can create irreversible external effects should never be hidden behind a casual natural-language prompt.

4. Log every tool call

Audit logs are what let you debug incidents later. A useful log includes:

  • timestamp;
  • tool name;
  • arguments;
  • target account or repository;
  • result status;
  • redacted error output.

Do not log raw secrets, but do log enough context to reconstruct what the agent did.

5. Test prompt-injection paths

If the MCP server reads web pages, tickets, documents, or comments, assume hostile instructions may be inside that content. The agent must treat retrieved content as data, not authority.

A safe system distinguishes between:

  • user instruction;
  • tool output;
  • untrusted page content;
  • repository files;
  • previous conversation context.

That boundary matters because a README can contain malicious text just as easily as a web page can.

A safe local setup pattern

Start with read-only capabilities:

Text
Agent -> read-only code search
Agent -> read-only documentation search
Agent -> test runner with approval
Agent -> GitHub read API

Only after that works should you add write tools, and only one class at a time.

FAQ

Is MCP safe for AI coding agents?

MCP can be safe when servers are scoped, credentials are limited, and dangerous actions require confirmation. It becomes risky when one server gives an agent broad read-write access without audit logs.

Should I install random MCP servers from the internet?

No. Treat MCP servers like software with access to your data. Review the source, dependencies, permissions, and credential handling before installing.

What is the most important MCP security rule?

Separate read access from write access. Most helpful agent workflows need far more reading than writing.

Bottom line

MCP makes agents more useful because it gives them tools. Security is the discipline of deciding which tools belong in which room. Start narrow, log everything, and never let convenience become invisible authority.

Related briefs