TL;DR
MCP (Model Context Protocol) has rapidly become a common integration point for AI tools because it's easy to publish an MCP server, but an analysis argues its popularity is likely temporary. The protocol introduces operational, coherence, and security problems that often outweigh its limited technical benefit.
What happened
MCP gained quick adoption as a standardized way to expose and invoke tools for AI agents, largely because authors can publish servers with minimal friction. The protocol centralizes schema serialization and remote invocation into long-lived subprocesses: each MCP server runs independently, exposing tools via a JSON manifest and handling calls over a local endpoint. Proponents say this addresses the “NxM” connector problem—avoiding N×M bespoke adapters between agents and toolsets—but the source contends that function-calling APIs already support tools and that existing frameworks (LangChain, LiteLLM, SmolAgents) abstract the small differences. In practice MCP’s main usage centers on tooling. That architecture brings trade-offs: separate runtimes and persistent subprocesses complicate resource management, make tool behavior blind to the wider toolbox, and add process- and environment-related fragility. The author also documents significant security and supply-chain concerns tied to unauthenticated or unsigned servers and multiple disclosed vulnerabilities.
Why it matters
- Operational complexity: MCP’s subprocess model can produce idle processes, memory leaks, and environment-dependency failures that are harder to manage than in-process tools.
- Agent effectiveness: Tools published in isolation can make agent tool selection less coherent, degrading performance as tool counts rise.
- Security exposure: The protocol’s lack of mandatory authentication or provenance creates supply-chain and runtime risks, with multiple high-severity CVEs reported.
- Marginal technical gain: MCP mainly serializes function schemas and responses, a narrow benefit compared with the costs and with alternatives that already handle tool calling.
Key facts
- MCP became popular quickly because it’s easy to add an MCP server and publish a manifest that points to an entry command.
- MCP runs each server as a long-lived, separate process; tool logic typically executes outside the agent’s runtime.
- Function calling itself does not require MCP; LLM tool-calling models accept tool lists and return JSON parameters for a host application to execute.
- Frameworks such as LangChain, LiteLLM, and SmolAgents already abstract differences between vendor tool schemas and execute tool calls in-process.
- OpenAI recommends keeping toolsets well below 20 tools; many MCP servers exceed that threshold, risking degraded agent tool use.
- MCP servers inherit only a subset of parent environment variables (USER, HOME, PATH), complicating startup for environments that rely on tools like nvm or virtual environments.
- Security scans found 492 MCP servers running without client authentication or encryption, per the source.
- Several high-severity vulnerabilities and incidents tied to MCP tooling are cited: CVE-2025-6514 (RCE in mcp-remote), CVE-2025-49596 (RCE in Anthropic's MCP Inspector), CVE-2025-53967 (RCE in Figma MCP Server), and an Asana tenant-isolation data exposure affecting roughly 1,000 customers.
- A Supabase-related incident demonstrated prompt-injection leading to tool calls and large-scale data exfiltration, illustrating how MCP-hosted tools can be abused.
What to watch next
- Further security audits and vulnerability disclosures tied to MCP servers and their supply chains.
- How agent providers and tool publishers address toolset coherence—whether tooling or best practices emerge to limit tool counts or add orchestration.
- Not confirmed in the source: whether MCP specifications will be revised to mandate authentication, signing, or stronger provenance and runtime declarations.
- Not confirmed in the source: enterprise adoption trends and whether large organizations will standardize on MCP or pivot to in-process tooling and existing frameworks.
Quick glossary
- MCP (Model Context Protocol): A protocol for exposing and invoking tool functionality to AI agents by running long-lived servers that accept calls via a manifest-described interface.
- Tool calling / function calling: An approach where a language model is provided with a list of available tools and returns structured parameters (often JSON) that the application parses and executes.
- NxM problem: The theoretical need to build connectors for N agents to M tools, resulting in N×M bespoke integrations unless abstractions are used.
- Prompt injection: A class of attacks where an adversarial input manipulates a model to perform unintended actions, which can lead to misuse of tools when models issue calls.
- CVE (Common Vulnerabilities and Exposures): Publicly disclosed cybersecurity vulnerabilities tracked by identifier numbers.
Reader FAQ
Is MCP required for function calling?
No. Function calling can be performed by supplying tool schemas to the model at request time; MCP is an alternative that exposes tools via separate servers.
Does MCP improve agent performance?
Not confirmed in the source: the author argues MCP can reduce agent effectiveness when toolsets grow and are incoherent, but does not provide broad empirical benchmarks.
Are MCP servers secure by default?
The source reports many MCP servers lack authentication or encryption and lists multiple high-severity CVEs, indicating they are not secure by default.
What mitigations does the source suggest for MCP risks?
The source recommends using existing security infrastructure—scoped OAuth tokens, minimal-permission service identities, and audit logging—rather than relying on MCP’s isolation alone.
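As an added illustration (not code from the source article), here is an in-process tool dispatcher that applies those mitigations to plain function calling: each model-issued JSON call is checked against a scope granted to the session, validated against the tool's declared parameters, and written to an audit log. The tool names, scope strings, and sample calls are hypothetical and constructed for this example.

```python
import json

# Hypothetical in-process tools; each declares its parameters and the one scope it needs.
def lookup_ticket(ticket_id):
    return {"ticket_id": ticket_id, "status": "open"}

def export_table(table):
    return {"table": table, "rows": "..."}

TOOLS = {
    "lookup_ticket": {"fn": lookup_ticket, "params": {"ticket_id": int}, "scope": "tickets:read"},
    "export_table": {"fn": export_table, "params": {"table": str}, "scope": "db:export"},
}

def dispatch(model_output, granted_scopes, audit_log):
    """Validate and run one model-issued tool call; every decision is audited."""
    entry = {"tool": None, "decision": "deny", "reason": None}
    audit_log.append(entry)
    try:
        call = json.loads(model_output)
        name, args = call["name"], call["arguments"]
    except (ValueError, KeyError, TypeError):
        entry["reason"] = "malformed call"
        return None
    entry["tool"] = name
    tool = TOOLS.get(name) if isinstance(name, str) else None
    if tool is None:
        entry["reason"] = "unknown tool"
        return None
    if tool["scope"] not in granted_scopes:  # least privilege: the token decides, not the model
        entry["reason"] = "missing scope " + tool["scope"]
        return None
    params = tool["params"]
    if not isinstance(args, dict) or set(args) != set(params) or any(
            type(args[k]) is not t for k, t in params.items()):
        entry["reason"] = "arguments do not match schema"
        return None
    entry["decision"] = "allow"
    return tool["fn"](**args)

# Constructed sample: the session token is scoped to ticket reads only.
AUDIT = []
SCOPES = {"tickets:read"}
OK = dispatch('{"name": "lookup_ticket", "arguments": {"ticket_id": 42}}', SCOPES, AUDIT)
# A call the model emitted after reading injected text in a ticket body (constructed).
BLOCKED = dispatch('{"name": "export_table", "arguments": {"table": "users"}}', SCOPES, AUDIT)
```

The export call is refused because the session's token never carried the export scope, and the refusal is recorded in the audit log for later review.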

MCP is a fad December 12, 2025 · 14 min read Overview MCP has taken off as the standardized platform for AI integrations, and it's difficult to justify not supporting…
Sources
- MCP Is a Fad
- What do you think about the security risks of Model Context Protocol (MCP …
- Model Context Protocol (MCP): Understanding security …
- Top 10 MCP (Model Context Protocol) Server Security Risks