So today I am stating something new and miraculous is coming! Or not so miraculous... 🤦‍♂️ How knows, but I am starting a TikTok account. So look out for an account to pop up next week. This week, we are dealing with the Model Context Protocol (MCP) in all its wonders. In the investigative piece that follows the "News from around the web", we delve deep into the MCP, and in the academic article, we introduce McpSafetyScanner!

I will also build with MCP, but that's in a future edition. First, let's get this show on the road.

Connect your email, and you’ll instantly get a CRM with enriched customer insights and a platform that grows with your business.

With AI at the core, Attio lets you:

Join industry leaders like Granola, Taskrabbit, Flatfile and more.

👉Try Attio Pro for free

Raspberry Pi AI HAT+ 2: Setup with Pi 5 & LLM Performance

Remove Windows AI

OpenAI Partners with Cerebras to Bring High-Speed Inference to the Mainstream

Airbnb poaches former Meta GenAI leader to be new technology chief

The New Open Source Chinese AI Trifecta

Modern AI assistants are reaching unprecedented levels of reasoning. Architecturally, whoever they are, trapped behind information silos and legacy systems, unable to connect with the data and tools where real work happens. This has led to a landscape of brittle, point-to-point integrations, creating a costly and unscalable problem. To address this, the Model Context Protocol (MCP) has been introduced as a definitive solution: a universal, open standard designed to forge a secure, two-way connection between AI systems and the vast landscape of external data and tools.

To truly grasp the significance of the Model Context Protocol, one must first understand the fundamental distinction between an AI that knows something and one that can do something. This distinction marks the evolution of AI assistants from simple information retrieval engines to sophisticated agents capable of executing tasks. The difference is best illustrated by comparing the dominant preceding pattern, Retrieval-Augmented Generation (RAG), with the new paradigm enabled by MCP.

Imagine you are planning to cook dinner. The RAG approach is like texting a friend for their favourite pasta recipe. They reply with a list of ingredients and instructions, providing external information you can act on. The core function of RAG is to fetch relevant context, which helps the model formulate a better, more informed answer. You are still doing all the work of cooking, but you now have better information to guide you.

In contrast, the MCP approach is like having a collaborator in the kitchen with you. This collaborator not only finds the recipe but also checks your fridge for ingredients, adapts the plan based on what's available, and even begins prepping the vegetables. MCP enables a model to plan, reason, and carry out a full task. It moves beyond simply retrieving information to executing actions in the real world. In short, RAG gives a model a better memory; MCP provides a model with hands.

To truly grasp the significance of the Model Context Protocol, one must first understand the fundamental distinction between an AI that knows something and one that can do something. This distinction marks the evolution of AI assistants from simple information retrieval engines to sophisticated agents capable of executing tasks. The difference is best illustrated by comparing the dominant preceding pattern, Retrieval-Augmented Generation (RAG), with the new paradigm enabled by MCP.

Imagine you are planning to cook dinner. The RAG approach is like texting a friend for their favourite pasta recipe. They reply with a list of ingredients and instructions, providing external information you can act on. The core function of RAG is to fetch relevant context, which helps the model formulate a better, more informed answer. You are still doing all the work of cooking, but you now have better information to guide you.

In contrast, the MCP approach is like having a collaborator in the kitchen with you. This collaborator not only finds the recipe but also checks your fridge for ingredients, adapts the plan based on what's available, and even begins prepping the vegetables. MCP enables a model to plan, reason, and carry out a full task. It moves beyond simply retrieving information to executing actions in the real world. In short, RAG gives a model a better memory; MCP provides a model with hands.

A set of five core primitives activates the MCP architectural model. These primitives function as a standardised vocabulary, creating a common language that allows AI models and external systems to communicate capabilities, request actions, and exchange data securely and effectively.

MCP servers support three primitives to expose their functionality:

Two corresponding primitives exist on the client side to manage interaction and security:

Together, these five primitives create a robust and flexible framework that moves AI integration beyond simple API calls and into a new realm of dynamic, context-aware collaboration.

The actual practical value of MCP's architectural elegance and functional primitives lies in its ability to solve the costly and complex problems. In the past, connecting 10 different tools to 10 different LLMs would require 100 unique, custom-coded integrations. MCP requires only 20 implementations (10 servers and 10 clients), fundamentally changing the scaling dynamics of the ecosystem.

MCP resolves this integration challenge by introducing a single, unified standard. A tool builder implements the server-side protocol just once, making their tool instantly available to any compatible AI system. Likewise, an LLM vendor implements the client-side protocol once, allowing their model to connect to any MCP-compliant tool. This transforms a tangled web of custom connectors into a plug-and-play ecosystem.

This architecture enables a sophisticated, multi-turn reasoning process, as illustrated by an appointment-scheduling example:

This multi-turn dialogue, moving from ambiguity to planning to concrete action, showcases how MCP enables an AI to reason in a structured and reliable way.

While integrating local desktop tools is a powerful demonstration, the true, transformative potential of MCP lies in its application for building professional, enterprise-grade agentic AI systems. The protocol provides the architectural foundation needed to move beyond simple enhancements and construct complex, reliable, and scalable AI applications.

The key architectural benefits that MCP brings to enterprise development are pluggability, discoverability, and composability. Developers can now build AI applications that discover and utilise capabilities from various MCP servers without needing to hard-code those integrations. This is possible because an application can dynamically query a server for its available tools and resources at runtime, allowing for flexible systems that can adapt and evolve without constant redevelopment.

Giving AI the ability to interact with powerful tools, such as the penetration testing suite Kali Linux, elevates the conversation from technical implementation to profound responsibility. A rigorous commitment to ethical use and human oversight must accompany the power to automate complex, high-impact tasks.

Several critical considerations must guide the deployment of MCP-enabled systems. First and foremost is the absolute necessity of obtaining explicit, written permission before directing an AI to scan or test any system. Automating actions against systems without authorisation is not only unethical but also illegal. It is also essential to recognise that MCP and the agents it empowers are not replacements for human expertise. All AI-suggested actions require critical verification by a qualified professional.

The risk of "over-automation" is significant, as automatically running AI-generated commands without review could lead to unintended outages, data loss or even worse. This mandates the implementation of human-in-the-loop validation as a non-negotiable control mechanism for any action that causes an effect "out in the world."

The Model Context Protocol represents a foundational leap toward a future of truly context-aware, agentic AI. More than just a tool, it is emerging as the TCP/IP-like protocol for an internet of interconnected AI agents. The pace of innovation in this new era will depend not only on technical development but also on our collective commitment to building these robust systems safely, transparently, and ethically.

The MCP protocol can be found here.

The Model Context Protocol was recently released to standardise integration between generative AI applications and data sources, but it currently introduces significant security vulnerabilities for users and developers. To address these risks, the authors developed McpSafetyScanner, an agentic tool designed to proactively audit MCP servers for malicious code execution, remote access, and credential theft.

"We show that the current MCP design carries a wide range of security risks for end-users."

The generative AI landscape is currently fragmented, with numerous custom APIs for tasks like retrieval-augmented generation, leading to significant developer overhead and ad-hoc solutions. To simplify this, Anthropic introduced the Model Context Protocol (MCP) as an open standard to connect large language models with external tools and resources. MCP defines a clear schema for client-server requests, allowing developers to integrate open-source projects quickly through a centralised codebase. Since its debut, the protocol has seen rapid adoption by industry leaders, including OpenAI, Microsoft, and Slack. However, the current design allows bad actors to coerce industry-leading LLMs into executing dangerous commands. These attacks include malicious code execution (MCE), remote access control (RAC), and credential theft (CT). The authors argue that relying solely on LLM guardrails is insufficient because these safeguards can often be bypassed by simple prompt changes. Therefore, proactive remediation at the server design level is necessary to ensure the safety of agentic workflows.

The need for standardisation arose because practitioners were forced to build custom interfaces for every new AI component they integrated. By creating a "USB-C port for AI applications," MCP aims to reduce this complexity by standardising how models interact with data. The protocol uses a message schema where servers offer features like resources, prompts, and tools for the model to execute. While this connectivity is powerful, it creates a direct path for models to interact with sensitive system files if not properly restricted. The authors demonstrate that models like Claude 3.7 and Llama-3.3-70B can be manipulated into compromising user systems. This vulnerability is particularly high in shared or communal office settings where direct prompting is possible. To combat this, the research introduces a safety auditing framework called McpSafetyScanner. This tool is intended to help developers identify exploits before they are deployed in production environments.

McpSafetyScanner serves as a critical auditing tool for AI developers who want to secure their MCP-enabled applications before public release. The tool utilises a multi-agent framework to automatically probe the environment for vulnerabilities linked to specific tools, resources, and prompts. Developers simply input their MCP configuration file in JSON format, and the scanner generates a comprehensive security report in less than a minute. The first stage of the process involves a "hacker agent" that pulls features from the server to find potential system exploits. In the second stage, a "security auditor agent" searches external knowledge bases like arXiv and Hacker News for similar vulnerabilities. Finally, a "supervisor agent" consolidates these findings into a report detailing both the risks and the specific remediation required. This allows developers to patch their servers and strengthen system defences against zero-day attacks.

Beyond initial development, the tool can be used by end-users to monitor file access and modifications during LLM-MCP exchanges. For example, if the scanner identifies a risk of unauthorised SSH key manipulation, it provides specific commands like "sudo chmod 600" to secure the system. It also suggests implementing strict access controls to restrict the directories where file-writing functions can operate. By using these remediation, developers can prevent models from being coerced into creating backdoors or stealing sensitive environment variables like API keys. The tool's speed and accuracy make it feasible to include in standard CI/CD pipelines for AI services. This shift from reactive guardrails to proactive server auditing represents a new standard for securing agentic workflows. Ultimately, the use case extends to any organisation deploying agentic AI that requires verifiable security postures for their integrated tools.

"McpSafetyScanner thus allows MCP developers the ability to easily scan their MCP servers for vulnerabilities and release patches."

The authors conclude that while MCP greatly simplifies agentic connectivity, its rapid adoption necessitates a corresponding focus on closing security loopholes that allow remote system access. Future work will involve the active release of McpSafetyScanner to the public to help mitigate zero-day exploits across the AI ecosystem. Additionally, the team plans to partner with the active MCP community to automate safety scanning as a standard step prior to any server deployment. They also intend to continue auditing existing servers to identify and patch further vulnerabilities.

The article can be found here.