upvote

points

by mrgaro7 hours ago |
comments
upvoteby kylling19 minutes ago|
next
[-]
It is crazy how the preferred way or securing AI are vibe coded MCP servers which at the same time do access control, credentials handling and HTTP server/client boilerplate. Want to use a new API: just vibe code a new MCP you won't fully review. It is hardly better than yoloing. The security critical parts needs to leave MCP and be integrated with, or be in front of, the API in a way humans will understand and review.
reply
upvoteby zingar6 hours ago|
prev|
next
[-]
Can you not just install/ restrict the available CLIs in the same way you do with MCPs?

Or what else am I missing about why MCP is more secure than a CLI?

reply
upvoteby rubslopes5 hours ago|
parent|
next
[-]
MCP allows you to easily separate API requests from their access tokens, so that the LLM only has access to the requests part. Giving an LLM CLI access removes all boundaries, anything goes.

EDIT: to add an example: I have a personal claw agent that I only use CLI, I don't care. But I'm also building an agent inside a company product, and there we use MCP all the way.

reply
upvoteby octoberfranklin22 minutes ago|
parent|
[-]
You can easily do this with simple Unix `chmod x-rw` on a wrapper that makes HTTP requests, adding the access token as it does.
reply
upvoteby mrgaro4 hours ago|
parent|
prev|
next
[-]
Another examole which is trivial with MCP but hard with cli binaries: blocking certain commands, such as write operations from the agent. With MCP your client can easily have a blocklist for commands, but with cli you would need to code custom logic for each cli separately.
reply
upvoteby dropofwill2 hours ago|
parent|
next
[-]
Just use scopes in the API key the agent uses? If you’re exposing something publicly that should be a requirement anyways.

That’s how I use gh, aws, etc. No need to modify any of the code in the cli, they’re just wrappers.

reply
upvoteby mikojan2 hours ago|
parent|
[-]
I want the harness to use read freely but require confirmation for write.
reply
upvoteby octoberfranklin20 minutes ago|
parent|
prev|
next
[-]
Access control is the operating system's job, and modern OSes already provide plenty of great tools for doing that.

Just use the existing sandboxing infrastructure like bubblewrap, seccomp, etc. I have way more faith in that than in something than some regex-based blocklist.

reply
upvoteby CamperBob252 minutes ago|
parent|
prev|
[-]
With MCP your client can easily have a blocklist for commands, but with cli you would need to code custom logic for each cli separately.

Nah. Just don't let your model do anything potentially destructive until three or four other models have vetted the proposed action.

Filtering individual commands can never provide more than the shallowest semblance of security. If a smart model is hellbent on deleting your production database, it will write its own Python program to do it if the usual commands are blocked.

reply
upvoteby zaphirplane5 hours ago|
parent|
prev|
next
[-]
How do you ensure the cli can use the auth without knowing how to read it ? It’s potentially a bearer Token
reply
upvoteby wolttam5 hours ago|
parent|
prev|
[-]
[dead]
reply
upvoteby twoodfin5 hours ago|
prev|
next
[-]
I think that’s exactly right: MCP provides a capability security model for agents.
reply
upvoteby v3ss0n5 hours ago|
prev|
next
[-]
How in the world MCP is going to be more secure? It introduce a big surface layers for injection attacks and supply chain attacks..
reply
upvoteby PaulHoule5 hours ago|
parent|
[-]
To be devil’s advocate: if you are just running commands with bash or power shell or the like there is no protection. You might have some rules that ban

rm -rf ~

but sandboxing in general is not an easy problem.

reply
upvoteby skydhash2 hours ago|
parent|
next
[-]
It is. The issue is all the weird constraints that usually come up with it. Like I want to use my favorite code editor, I want easy copy and paste, or I can’t bother setting up a separate user account on my computer.

On unix, you can easily create a new user account, switch to it (or ssh or setup vnc), and run the tool there. If users are enough for servers on the internet, they can be for your workstation (unless there’s something like copyfail, but you can make do with a vm then).

reply
upvoteby cindyllm5 hours ago|
parent|
prev|
[-]
[dead]
reply
upvoteby joka88xj4 hours ago|
prev|
[-]
[dead]
reply