The MCP Explosion Is an Attack Surface, Not a Feature List
Prepackaged MCP solutions make agents powerful and compartmentalization basically fictional.
MCP security concerns materialized exactly as described. The attack surface expanded with adoption and nobody slowed down to notice. The install-a-bundle-and-it-reads-your-everything pattern is now standard.
The thing nobody's saying loudly enough is that the current land rush to ship prepackaged MCP solutions isn't just a distribution play — it's an indirect attack vector that scales with adoption, and it's scaling fast.
Before MCP, you had to at least think about what your agent could touch. Now you install a bundle and it can read your calendar, your email, your filesystem, your browser history, your Notion, your Slack — all in an afternoon, with a README that says "just works." The compartmentalization model most people have in their heads for personal data simply doesn't survive contact with this architecture.
And that's before you think about what an agentic process actually does with personal information — not just stores or transmits it in the flat, dumb way malware does, but reasons about it. Reasons about patterns. Understands context. Can identify leverage.
Blackmail is the blunt example but it's the right one to say out loud, because it forces the question people are quietly avoiding: when the process that has access to everything you've ever written can be manipulated by a malicious server it connected to two tool-calls ago, the threat model isn't "data exfiltration." It's something closer to a very patient, very well-informed adversary who already knows everything.
Compartmentalization was hard when the attack surface was files and ports. It's a different problem entirely when the attack surface is context.
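As an added illustration of the point above that the attack surface is now context (example code, not from the original post): a minimal gate for an agent host that tags each connected MCP server with a trust label and refuses sensitive tool calls once output from an untrusted server has entered the session context, unless a human explicitly approves. The server names, the trust table and the sensitive-tool list are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Trust label per connected MCP server. Assumed labels for this example; MCP itself
# carries no such field, so the agent host has to maintain this table itself.
SERVER_TRUST = {
    "calendar": "trusted",
    "email": "trusted",
    "filesystem": "trusted",
    "web-fetch": "untrusted",   # returns content authored by arbitrary third parties
}

# (server, tool) pairs that read personal data or can move it off the machine.
SENSITIVE_TOOLS = {("filesystem", "read_file"), ("email", "send_message")}


@dataclass
class Session:
    """Tracks which untrusted servers have already written into the agent's context."""
    tainted_by: set = field(default_factory=set)

    def ingest_result(self, server: str) -> None:
        # Any output from an untrusted server is treated as attacker-controllable
        # from this point on, regardless of what the text appears to say.
        if SERVER_TRUST.get(server, "untrusted") == "untrusted":
            self.tainted_by.add(server)

    def authorize(self, server: str, tool: str, user_approved: bool = False) -> tuple:
        """Gate a tool call on the provenance of the context that produced it."""
        if server not in SERVER_TRUST:
            return False, f"{server}.{tool}: server not in the allowlist"
        if (server, tool) in SENSITIVE_TOOLS and self.tainted_by and not user_approved:
            return False, f"{server}.{tool}: blocked, context tainted by {sorted(self.tainted_by)}"
        return True, f"{server}.{tool}: allowed"


def run_scenario() -> list:
    """Replays the sequence from the text: an untrusted fetch, then sensitive calls."""
    s = Session()
    out = []
    out.append(s.authorize("web-fetch", "fetch_page"))        # allowed: not sensitive
    s.ingest_result("web-fetch")                               # fetched page now in context
    out.append(s.authorize("filesystem", "read_file"))        # blocked: sensitive after taint
    out.append(s.authorize("email", "send_message"))          # blocked for the same reason
    out.append(s.authorize("email", "send_message", user_approved=True))  # human override
    out.append(s.authorize("notion", "search"))               # blocked: never allowlisted
    return out
```

The same session before any untrusted output arrives allows the sensitive calls, which is the compartment boundary the post argues bundled installs erase.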