Connecting a Model Context Protocol (MCP) server to your coding agent feels like adding a browser extension: edit a JSON file, restart the client, done. The difference is what you just granted. An MCP server can read your repository, execute shell commands, query your database, and hold the API tokens you handed it during setup. Until recently, nothing inspected whether the server you trusted in that 30-second flow deserved it.

GitHub's rollout of security scanning for MCP servers is the first ecosystem-level attempt to close that gap. It works the way an immune system does — not by making the host invulnerable, but by recognizing known threats fast and flagging the suspicious before it spreads. We walked the connection flow in Copilot, Cursor, and Claude Desktop to see where the new checks fit and, more usefully, where they stop.

The attack surface you opened

MCP is an open standard that lets an AI agent call external tools through a server — a filesystem server, a GitHub server, a Postgres server, a Slack server. The agent reads each server's advertised list of tools, picks one, and the server runs it. That design is what makes agents useful. It is also three separate attack surfaces.
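Because the trust decision happens in that JSON edit, a useful first defence is to inventory what each configured server was actually granted before any scanner weighs in. The script below is an added example, not part of this article and not GitHub's scanner; it assumes the common client config shape (a top-level "mcpServers" map of name to command/args/env, as Claude Desktop uses) and runs over a constructed sample with made-up server names and secret values. It reports, per server, the local process it launches, any filesystem root argument that exposes the whole tree, credentials embedded in a connection URL, and API tokens stored inline rather than referenced from the environment.

```python
import json
import re

# Constructed sample of an MCP client config (the "mcpServers" map of
# name -> {command, args, env} used by Claude Desktop and similar clients).
# Server names, package names and secret values are made up for this example.
SAMPLE_CONFIG = r'''
{
  "mcpServers": {
    "files": {
      "command": "npx",
      "args": ["-y", "example-filesystem-server", "/"]
    },
    "repo": {
      "command": "npx",
      "args": ["-y", "example-github-server"],
      "env": {"GITHUB_TOKEN": "ghp_EXAMPLE0000000000000000000000000000"}
    },
    "db": {
      "command": "npx",
      "args": ["-y", "example-postgres-server",
               "postgresql://app:s3cret@db.internal:5432/prod"]
    },
    "chat": {
      "command": "npx",
      "args": ["-y", "example-slack-server"],
      "env": {"SLACK_TOKEN": "${SLACK_TOKEN}"}
    }
  }
}
'''

# Env keys whose value is likely a credential.
SECRET_KEY_RE = re.compile(r"(token|secret|password|passwd|api[_-]?key)", re.I)
# A value like ${VAR} or $VAR defers to the environment instead of storing the secret inline.
ENV_REF_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# scheme://user:password@host ... credentials embedded in a connection URL.
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# Directory arguments that hand the server the whole disk or home tree.
BROAD_ROOTS = {"/", "~", "/home", "/Users", "C:\\", "C:/"}


def audit_mcp_config(text):
    """Parse an MCP client config and return a list of findings.

    Each finding is a dict with 'server', 'kind' and 'detail'. Every server
    gets a 'process-launch' entry, because the command runs locally with the
    user's privileges regardless of what else the server does.
    """
    cfg = json.loads(text)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        command = spec.get("command", "")
        args = [str(a) for a in spec.get("args", [])]
        env = spec.get("env", {}) or {}

        findings.append({
            "server": name,
            "kind": "process-launch",
            "detail": f"runs `{command} {' '.join(args)}` with your user's privileges",
        })
        for arg in args:
            if arg in BROAD_ROOTS:
                findings.append({"server": name, "kind": "broad-filesystem-root",
                                 "detail": f"argument {arg!r} exposes the whole tree"})
            if URL_CRED_RE.match(arg):
                findings.append({"server": name, "kind": "credential-in-url",
                                 "detail": "connection string carries a password"})
        for key, value in env.items():
            if SECRET_KEY_RE.search(key) and value and not ENV_REF_RE.match(str(value)):
                findings.append({"server": name, "kind": "inline-secret",
                                 "detail": f"env {key} stores a credential in plaintext"})
    return findings


def summarize(findings):
    """Map server name -> sorted list of finding kinds, for a quick review."""
    out = {}
    for f in findings:
        out.setdefault(f["server"], set()).add(f["kind"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in audit_mcp_config(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['server']}: {f['detail']}")
```

Run against your own client config instead of the sample and the output is the list of grants you made in that 30-second flow: which processes start under your account, which servers can see the whole disk, and which secrets now live in plaintext on it. The "chat" server in the sample shows the shape that produces no credential finding, because its token is an environment reference rather than the value itself.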