[!WARNING]
For trust & safety and security, clients MUST consider tool annotations to be untrusted unless they come from trusted servers.

[!WARNING]
For trust & safety and security, there SHOULD always be a human in the loop* with the ability to deny tool invocations.

Applications SHOULD:

• Provide UI that makes clear which tools are being exposed to the AI model.
• Insert clear visual indicators when tools are invoked.
• Present confirmation prompts to the user for operations, to ensure a human is in the loop.

[!NOTE]
*Human-in-the-Loop (HITL) means that user help monitor and guide automated tasks, like deciding whether to accept tool requests in Cursor.

📃 Papers

• (2025-08) Systematic Analysis of MCP Security
• (2025-05) Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem
• (2025-05) Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
• (2025-04) Simplified and Secure MCP Gateways for Enterprise AI Integration by Ivo Brett
• (2025-04) MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System by Sonu Kumar, Anubhav Girdhar, Ritesh Patil, Divyansh Tripathi
• (2025-04) MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits by Brandon Radosevich, John Halloran
• (2025-03) Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions by Xinyi Hou, Yanjie Zhao, Shenao Wang, Haoyu Wang

📺 Videos

• (13.06.2025) MCP Auth: The Future of AI Agent Security - by Arcade.dev
• (17.05.2025) A2A - MCP SECURITY Threats: Protect your AI Agents by Discover AI
• (06.05.2025) Making MCP Production Ready – Building MCP for Enterprise - by Arcade.dev
• (11.04.2025) This MCP Server Trick Can Steal Your API Keys by Prompt Engineering
• (09.04.2025) MCP Servers are Security Nightmares... by Better Stack
• (03.04.2025) MCP Security: Vetting Servers to Mitigate Tool Poisoning Attacks by JeredBlue
• (03.04.2025) Model Context Protocol (MCP) Security Concerns by Cory Wolff
• (02.06.2025) Agentic Access: OAuth Isn't Enough | Zero Trust for AI Agents w/ Nick Taylor (Pomerium + MCP)

📕 Articles, X threads and Blog Posts

• (14.08.2025) MCP Security Best Practices: How to Prevent Risks and Threats by Dmitriy Redkin
• (08.08.2025) we hijacked cursor via jira mcp by submitting a support ticket by @mbrg0
• (28.07.2025) We built the security layer MCP always needed by Cliff Smith
• (24.07.2025) Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration by WUNDERWUZZI
• (11.07.2025) Securing Model Context Protocol (MCP) with Teleport and AWS
• (10.07.2025) Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads by Ravie Lakshmanan
• (06.07.2025) Combine the Supabase MCP with another MCP that provides exposure to untrusted tokens and a way to send data back out again by Simon Willison
• (05.07.2025) Neon official remote MCP exploited!
• (19.06.2025) Cato CTRL Threat Research: PoC Attack Targeting Atlassian's Model Context Protocol (MCP) Introduces New "Living Off AI" Risk
• (18.06.2025) Asana Discloses Data Exposure Bug in MCP Server by Greg Pollock
• (30.05.2025) Poison everywhere: No output from your MCP server is safe by Simcha Kosman
• (26.05.2025) GitHub MCP Exploited: Accessing private repositories via MCP by invariantlabs.ai
• (20.05.2025) Securing the Model Context Protocol: Building a safer agentic future on Windows
• (16.05.2025) MCP Security in 2025
• (02.05.2025) Security Best Practices by Model Context Protocol
• (30.04.2025) Insecure credential storage plagues MCP by Keith Hoodlet
• (29.04.2025) Deceiving users with ANSI terminal codes in MCP by Keith Hoodlet
• (29.04.2025) Building Own MCP - Augmented LLM for Threat Hunting by Eito Tamura
• (23.04.2025) How MCP servers can steal your conversation history by Keith Hoodlet
• (21.04.2025) Jumping the line: How MCP servers can attack you before you ever use them
• (19.04.2025) OAuth's Role in MCP Security by Gunnar Peterson
• (17.04.2025) Research Briefing: MCP Security by Rami McCarthy
• (17.04.2025) MCP Not Safe - Reasons and Ideas by Phala Network
• (15.04.2025) MCP can be a security nightmare for building AI Agents by Rakesh Gohel
• (15.04.2025) Model Context Protocol (MCP) aka Multiple Cybersecurity Perils by Chris Martorella
• (14.04.2025) Model Context Protocol (MCP) Security by Evren
• (14.04.2025) Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights by Nicky
• (14.04.2025) MCP Security Checklist: A Security Guide for the AI Tool Ecosystem by slowmist
• (13.04.2025) Everything Wrong with MCP by Shrivu Shankar
• (11.04.2025) Diving Into the MCP Authorization Specification by Allen Zhou
• (11.04.2025) Vulnerability Discovered in Base-MCP: Hackers Can Redirect Transactions on Cursor AI and Anthropic Claude by @jlwhoo7
• (09.04.2025) Here's an example of remote MCP malware that steals your .env secrets in @cursor_ai by Maciej Pulikowski