Skip to content
You are offline. Some features may be unavailable.
Checklist

Before connecting an agent, check the boring things.

Most MCP risk is not mysterious. It is overbroad tools, unclear auth, stale code, exposed secrets, and weak operating boundaries.

  • IdentityKnow who publishes the server and where the source or package comes from.
  • TransportPrefer explicit auth boundaries and avoid exposing local-only assumptions to the public web.
  • ToolsTreat file, shell, browser, network, wallet, credential, and database tools as high risk.
  • SecretsConfirm tokens are scoped, stored outside prompts, and never echoed in tool output.
  • Change controlCheck release age, dependency posture, and whether behavior changed since last review.