MCPs: How to Avoid Security Pitfalls

Hi, thank you for joining. I'm Gil Friedman, field CTO at Backslash Security. Today we're going to talk about MCP security. What should we do before, during, and after we use MCPs? What is MCP? MCP is Model Context Protocol. It's an open standard for connecting LLMs to external tools and data. MCPs connect to our AI assistant. MCPs provide tools, which are all the actions that we can do with the MCPs. These are like our hands and legs.

Why should we care about MCP security? We should care because some of the MCPs can read files, write files, and they have all kind of permissions. Also, they might be exposed to some credentials. Also, they're exposed to some API keys and some files that contain some security context. As they also perform some actions, they can be triggered by our model to do things that we don't want them to do. Let's go over the three stages of MCP lifecycle. Before, during, and after.

Before installing an MCP, we need to search for one. MCPs are listed in all kind of websites. First of all, search for the official vendor where they published MCP. Second, check the repo if it's active, well maintained, and with stars. In addition, some of the AI agents' websites, they recommend about MCPs. Please don't use MCPs from random GitHub repos. Check whether the servers are trusted registries. Don't just copy and paste configuration of MCP and copy and paste it to your environment. On local MCPs that you install them on your environment, you should go over the code to check the code, whether there are security risks. You should check the code for any security risk that might have in these specific MCPs. There are some websites like backslash MCP hub, where you can search for an MCP and it provides you the full security risk for these MCPs. When you download the MCP and now you configure it, and now I need to provide the API key for that MCP, we need to generate the API key. For example, GitHub token. Make sure it's just for a specific repo and read-only, if this is the only thing that you would like the MCP to control and interact with this repo. In most or even all the AI agents, there's very important settings that you should check. This is the auto run mode.

You should set it to ask every time. When you set it to ask every time, the AI agent will ask you every time before it will trigger an MCP to check for your approval. The last thing you want that the tool will run without your review.

Here is a very interesting case study about the postmark MCP incident. In September 2025, that was where the first malicious MCP server was discovered in a while. The attacker published a postmark MCP on npm, which was an almost exact clone of the official postmark MCP. They added one line of code, bcc of all outgoing emails, leading to the silent copying of sensitive information to the attacker's email.

After you install the MCP, it's crucial to review all the tools it provides. Check each tool description and input schema carefully before usage. Disable all unused and suspicious tools to minimize risks. When interacting with the MCP, ensure to provide permission before triggering any actions and remove the MCP entirely from your environment when no longer needed, including API key revocation and cleaning up related files and processes.