Model Context Protocol
Security Vulnerabilities in Repository Configuration and MCP
[10] Three CVEs discovered: malicious code in documents can exfiltrate private data; Model Context Protocol (MCP) allows repository config to override user approval safeguards, enabling remote code execution; repository-controlled settings redirect API traffic to attacker servers to steal API keys.
Plaintext credential storage and lack of sandboxing in MCP tools
[9] Many MCP tools run with full host access (launched via npx or uvx) with no isolation or sandboxing. Credentials are commonly passed as plaintext environment variables, exposing sensitive data. Tools lack enterprise-ready features like policy enforcement and audit logs.
Excessive boilerplate required to build MCP servers
[7] Building Model Context Protocol (MCP) servers from scratch requires developers to navigate complex boilerplate code and detailed protocol specifications. The official SDK leaves many implementation details to developers, including server component configuration, connection handling, tool management, response handling, resource management, and content embedding.
API quality directly impacts MCP server effectiveness and LLM execution
[7] The robustness of agentic solutions depends on the quality of the APIs used by MCP servers. MCP tools reference individual API endpoints, and poor API quality directly reduces the LLM client's ability to accurately discover and execute user prompts.
Production-grade resource management and state persistence gaps in MCP
[7] MCP servers lack built-in support for production workloads, including proper memory limits, concurrent request handling, rate limiting, health checks, persistent storage, and state management. Developers must manually implement these critical infrastructure concerns.
Inefficient round-trip tool calling with intermediate result token waste
[6] Every tool call requires a round-trip cycle: the LLM calls a tool, the result flows back through context, the LLM reasons, then calls the next tool. Intermediate results that only feed the next step burn tokens repeatedly, reducing efficiency in multi-step workflows.
Implementation and operational costs of MCP adoption
[6] 40% of enterprise respondents cited cost of implementation or running costs as a barrier to MCP adoption, making it a significant financial consideration for organizations evaluating the technology.
Overly complex Python SDK design with unnecessary abstraction layers
[5] The MCP Python SDK features excessive wrappers and accessors that complicate simple tasks that could be handled with straightforward JSON, creating a confusing developer experience rather than practical solutions.
Limited public MCP server adoption and ecosystem maturity
[4] Despite expectations for widespread MCP adoption, only ~10 MCP servers from major companies see heavy use. The ecosystem has a massive long tail of public servers with near-zero users, indicating incomplete ecosystem maturity and uncertain value for public-facing use cases.
Insufficient documentation and error message clarity in standard MCP
[4] Standard MCP implementations lack comprehensive documentation and helpful error messages, making troubleshooting difficult. Developers struggle with limited examples and unclear guidance compared to abstraction frameworks.