
Model Context Protocol (MCP)

Published 2025-09-07. Last modified 2025-09-13.

The Model Context Protocol (MCP) is an open standard that helps AI systems connect to external data and tools.

LLM applications often need outside data. They might need to query databases, fetch documents, or use web APIs. MCP acts as a crucial middle layer. It lets models interact with these external resources smoothly, without needing manual steps.

Anthropic created MCP as an open-source framework in November 2024. Within six months MCP had become commonly used technology. Its purpose is to standardize the way artificial intelligence (AI) systems like large language models (LLMs) integrate and share data with external tools, systems, and data sources.

Contrary to the hype of today (2025-09-13):

  1. MCP is not easy to work with
  2. Most MCP implementations are quite insecure

Although this technology is evolving very rapidly, I fear that the type of security measures that have been introduced into the architecture increases complexity significantly, which in turn increases fragility and reduces the effectiveness of the security measures.

MCP Components

Some important components of the MCP architecture include hosts, clients, and servers.

MCP Hosts

An MCP host is the user-facing application that coordinates and manages one or more internal MCP clients on behalf of the user. Hosts initiate connections to MCP servers and orchestrate the overall flow between user requests, LLM processing, and external tools. MCP hosts include:

MCP Clients

MCP clients send requests to MCP servers and return the result to the MCP host. Clients reside within the host application and manage communication with a specific MCP server. They provide servers with access to files, database connections, provide API integrations, and other contextual services. MCP clients can access local services or remote servers.

For Ollama:

MCP Servers

MCP servers are external programs or services that expose capabilities such as tools, resources, and prompts via the MCP protocol. MCP servers connect LLMs to the outside world, dramatically expanding what LLMs can do for users.

Claude was the first LLM to get an MCP server because Anthropic, the developer of Claude, also initiated MCP. Not to be outdone, OpenAI also offers MCP support for ChatGPT:

Many MCP servers are built using Node.js, for example GitHub Copilot and Azure DevOps MCP servers, and those distributed as npm packages. This aligns well with Visual Studio Code’s ecosystem. Note that Cursor is just a customized version of Visual Studio Code.

For example, the File System MCP server and others mentioned in guides for setting up MCP servers in Visual Studio Code often use Node.js for operations like file management or API interactions. The npx command (Node Package Execute), which requires Node.js, is frequently used to run these servers; it runs a command from a local or remote npm package. I wrote about NPM in Node.js, NVM, NPM and Yarn.

If the package containing the command to be executed is not available locally, it is automatically downloaded. npx is bundled with npm versions 5.2.0 and higher.

Before configuring MCP servers, ensure you have Node.js installed on your system with npx available for package execution. Most MCP servers require the Node.js runtime to function properly.

A better approach, taken by some MCP servers, is to be bundled as Visual Studio Code extensions, where they run in the Extension Host process, bypassing the need for a separate Node.js installation. The Extension Host is itself a Node.js process that runs extension code. Support for MCP servers running as Extension Host processes started with Visual Studio Code version v1.101 (May 2025).

Warning: npm and npx are security nightmares. PyPI is no better, and I do not believe uvx improves the situation. Just be aware that the glue used by MCP servers to interact with LLMs is an unconscionable security hazard. If you have sensitive information, run everything locally, on an air-gapped machine. Yes, it is that bad.

Erroneous Information

modelcontextprotocol.io was the only information source that did not have glaring factual errors that I found while researching this article. Even the most visible documentation from the originators of the technology had fundamental factual errors.

From OpenAI and Google

During the week I was writing this article (early September 2025), ChatGPT (GPT5), Google Gemini, and Google Search all confidently described Cursor as an MCP client and cited incorrect reasoning.

I can see why the confusion happened: the List of Claude MCP Clients contains these same mistakes. Ignore that web page. I see many websites confusing the MCP host and MCP client roles, even many websites that should be expected to be authoritative.

LLMs cannot be trusted

Cursor is actually an MCP host that contains many MCP clients.

Grok did not make that mistake, but sometimes it expanded MCP to Microsoft Code Push, which was erroneous.

From Software Documentation

Visual Studio Code documentation is often unclear about whether stated facts apply to a workspace or a project. The capabilities of Visual Studio Code have changed in recent years. As a result, many people use the terms project and workspace interchangeably. Loose definitions result in vagueness, which is often confusing and not actionable.

Authoritative documentation cannot be trusted

Quotes are often used in an article when the author wants to refer to what someone else said, without accepting the veracity of the other party’s statements. I made no attempt to correct any misuse of Visual Studio Code terms “project” and “workspace”.

Security

MCP is insecure by default

Not only are the Python and Node.js ecosystems security nightmares, but MCP implementations are all too often unacknowledged security risks themselves.

This post covers the biggest risks (with real examples) and how to think about MCP securely:

  1. Tool Description Injection is real. Malicious tool descriptions can silently inject harmful prompts. Your agent can be tricked before it even starts executing.
  2. The authentication situation is not great. OAuth is often skipped or poorly implemented. Many public MCP servers don't verify requests or protect user sessions. Some even accept unauthenticated calls.
  3. Supply Chain Risk is underestimated. Most people install MCP packages (npm, Docker) without realising how easily they can be tampered with. One poisoned update can lead to dangerous results.
  4. Real-world security failures have already happened. Examples include hundreds of exposed servers on 0.0.0.0 with command-execution flaws, the Supabase MCP Lethal Trifecta Attack, the Asana data leak, the mcp-remote command injection, and access to private repositories via GitHub MCP.
  5. The latest spec introduces security best practices like no token passthrough and enforced user consent. But most implementations simply ignore them.
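As an added defensive example (not code from the article or from any MCP project), the following Python linter checks an MCP client configuration for the npx supply-chain, plaintext/0.0.0.0 exposure and missing-authentication risks described above. It assumes the Visual Studio Code `mcp.json` shape (a `servers` object; Claude Desktop uses `mcpServers`) with `command`/`args` for stdio servers and `url`/`headers` for HTTP servers; the sample configuration and its package version are constructed.

```python
"""Lint an MCP client config for unpinned packages, plaintext or
all-interface transports, and missing Authorization headers.
Added example; config shape assumed, sample values constructed."""
import json
from urllib.parse import urlparse

# Constructed sample: one pinned stdio server, one unpinned npx server,
# one plaintext HTTP server bound to 0.0.0.0 with no auth header.
SAMPLE_CONFIG = json.dumps({
    "servers": {
        "filesystem": {"type": "stdio", "command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem@1.0.0", "/tmp"]},
        "scratch": {"type": "stdio", "command": "npx",
                    "args": ["-y", "some-mcp-server"]},
        "remote": {"type": "http", "url": "http://0.0.0.0:8080/mcp"},
    }
})


def lint_server(name, spec):
    """Return a list of finding strings for one server entry."""
    findings = []
    command = spec.get("command", "")
    args = spec.get("args", [])
    if command in ("npx", "uvx"):
        # npx downloads the package if it is not local, so an unpinned
        # spec resolves to whatever is published at the time of launch.
        pkgs = [a for a in args if not a.startswith("-")]
        if pkgs:
            body = pkgs[0].lstrip("@")  # drop the npm scope marker, keep @version
            if "@" not in body and "==" not in body:
                findings.append(f"{name}: package {pkgs[0]!r} is not pinned to a version")
    url = spec.get("url")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{name}: transport {parsed.scheme} is not TLS")
        if parsed.hostname in ("0.0.0.0", "::"):
            findings.append(f"{name}: bound to all interfaces ({parsed.hostname})")
        headers = {k.lower() for k in spec.get("headers", {})}
        if "authorization" not in headers:
            findings.append(f"{name}: no Authorization header configured")
    return findings


def lint_config(text):
    """Lint every server in a JSON config string; returns all findings."""
    cfg = json.loads(text)
    servers = cfg.get("servers") or cfg.get("mcpServers") or {}
    return [f for n, s in servers.items() for f in lint_server(n, s)]


if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE_CONFIG)))
```

Run against your own `.vscode/mcp.json` to see which entries are unpinned, unencrypted or unauthenticated before the host launches them.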

See also:

  1. The MCP Authorization Spec Is... a Mess for Enterprise
  2. MCP Security Best Practices
  3. Best Current Practice for OAuth 2.0 Security

Every MCP connection is a potential attack surface

Resources

  1. My article: Visual Studio Code Extension Host MCP Servers
  2. My article: Controlling Ableton Live From LLMs
  3. Book: Model Context Protocol: Advanced AI Agents for Beginners by Mehul Gupta and Niladri Sen.
  4. r/mcp
  5. MCP Course: Key Concepts and Terminology
  6. Build and deploy Remote Model Context Protocol (MCP) servers to Cloudflare
  7. https://mcpservers.org is a collection of MCP clients and servers. There were 1968 MCP servers listed on 2025-09-06, and several dozen clients listed. Surprisingly, the website has no search capability.
  8. MCPJam Inspector, an MCP server testing tool.
  9. MCPHub: The Unified Hub for Model Context Protocol (MCP) Servers
  10. OpenAI Connectors and MCP Servers
    This is a great resource: Using MCP with OpenAI & MCP Servers
  11. Grok MCP Plugin provides chat, image understanding and function calling. Not packaged; you must clone and build the project.
  12. Awesome Remote MCP Servers
  13. Codename Goose, an open source, extensible AI agent for automating engineering tasks.
  14. Flowise for visually building AI agents.
  15. Stop Converting OpenAPI Specs Into MCP Servers
  16. MCPJungle
  17. MCP Personas
  18. test-mcp, an Automated testing tool for MCP servers and agents.
  19. Omnimesh AI Gateway, an API gateway that provides authentication, logging, rate limiting, server discovery, and multi-protocol transport support.
  20. mcp-server-dump, a command-line tool to extract and document MCP server capabilities, tools, resources, and prompts in various formats.
  21. Dexto, an orchestration Layer for AI agents. Connect your models, tools, and data into a smart interface to create agentic apps.
  22. Introducing gpt-realtime and Realtime API updates for production voice agents