I Build MCP Servers. Here's the Security Hole Nobody Talks About.

MCP — the Model Context Protocol — is having its moment. It's the "USB-C of AI": one standard plug, and suddenly your agent can read your GitHub, query your database, hit your internal APIs, post to Slack. I've built a few MCP servers myself. They're genuinely great.

They're also the most casually-installed backdoor in modern dev tooling, and almost nobody talks about why.

Here's the part the hype skips: an MCP server doesn't just give your AI hands. It gives whatever text flows through those hands a vote on what your AI does next. And that text is rarely just yours.

The thing people miss: tool output is an instruction channel

Walk through how an agent actually works. It calls a tool. The tool returns text. That text gets dropped straight into the model's context — the same context that holds your instructions. The model can't tell "data my user asked for" apart from "instructions someone planted in that data." It's all just tokens.