Back to Home

Security of AI Agents: Criticism of MCP and Terminal in Development

The article analyzes critical shortcomings of modern AI agents built on MCP and shell wrappers. Alternative approaches to security are proposed through specialized tools, interpreters, and sandbox isolation for creating reliable products.

Crisis in AI Agent Development: How to Avoid Security Errors
Advertisement 728x90

AI Agent Security Crisis: Why Current Approaches Are a Dead End

Modern AI agents built on off-the-shelf protocols like MCP and shell environments reveal fundamental security and architectural flaws. Instead of robust products, the industry churns out half-baked prototypes unfit for everyday users. The core issues? False security from guardrails, uncontrolled MCP servers, and risky terminal dependency.

Architectural Flaws in the Status Quo

Today's agent development feels like building the Maginot Line: expensive defenses that attackers easily bypass. Claude Code, popular among devs, exemplifies a tool unsafe for non-technical users. Its git-repo-as-safety-net paradigm doesn't scale to mainstream audiences. Risks include deleting critical files, data leaks, and runaway command execution.

Key architectural shortcomings:

Google AdInline article slot
  • Terminal as Interface: LLMs excel at text, but shells are overpowered and dangerous. Blocking commands like rm demands complex infrastructure (AST parsing, syscall filtering), which doesn't scale to thousands of commands and combos.
  • MCP Protocol: Provides interaction contracts but skips authentication, opening tool poisoning attack (TPA) vectors. A rogue MCP server can tweak tool descriptions, tricking the LLM into leaking keys or passwords undetected.
  • Guardrails as Smoke and Mirrors: Filtering toxicity, prompt injection, or PII with regexes and classifiers is like using falling glass panes as a game timer—clunky, ineffective, and full of gaps.

Why MCP Is a Dead End for Desktop Agents

MCP introduces five critical issues for consumer products:

  • Security: No action authentication lets LLMs run ops without user consent. Tool poisoning exposes hidden attacks.
  • Performance: Each MCP server spins up a separate process. Agents can't control how many users launch, tanking machine performance.
  • Loss of Control: Devs can't manage external MCP servers, add error handling, or access logs—killing transparency.
  • Tool Collisions: Overlapping MCPs create duplicate tool names, leading to unpredictable behavior.
  • Cost Explosion: Token waste on validation, bloated codebases, and memory leaks.

A Better Way: From General-Purpose Agents to Specialized Tools

Ditch 'do-it-all' agents with blanket MCP access. Build specialized tools (functions) with isolated contexts to shrink attack surfaces and boost control.

Core principles of the new architecture:

Google AdInline article slot
  • Interpreter Over Terminal: A custom interpreter with a limited command set strikes the best security-functionality balance. Tools like ls and rm can have tiered confirmations (callback for rm, none for ls).
  • Sandbox the Interpreter, Not the Agent: Isolate tool execution environments, not the whole agent. Run code safely without gutting features.
  • Developer Transparency: Full logs, call traces, and debugging—no black boxes like MCP servers.
  • End-to-End Tests: Prompts and models evolve, but tests for edge cases (e.g., 'don't delete system files') stay rock-solid.

Key Takeaways

  • MCP- and terminal-based AI agents aren't safe for mass-market release.
  • Regex guardrails create a false sense of security and are easily bypassed.
  • Specialized, isolated tools beat universal MCP servers.
  • Bake security into interpreters and sandboxes, not bolt-on filters.
  • Devs need full visibility and control over tool execution for debugging and audits.

Building a Secure Agent: Practical Steps

  • Ditch the Shell: Swap terminals for a limited-API interpreter. Define safe commands as tools with clear contracts.
  • Sandbox Isolation: Use containers or VMs for the interpreter. Blocks unauthorized file or network access.
  • End-to-End Testing: Build tests for high-risk scenarios (user data handling, destructive ops). Automate in CI/CD.
  • Logging and Tracing: Log all tool calls, prompts, and LLM responses for audits and incident debugging.
  • Tool Specialization: Skip external MCPs—build task-specific tools (files, APIs, databases) to avoid collisions and leaks.

The Golden Rule of Agent Development

Build agents safe to ship. That means:

  • Reliability and security matching traditional apps.
  • No Docker installs, terminal tinkering, or MCP setup for users.
  • Token efficiency—simple tasks shouldn't cost a fortune.
  • Transparent ops for devs, with quick incident response.

Only this path escapes dev-only niches for global products.

— Editorial Team

Google AdInline article slot
Advertisement 728x90

Read Next