Swiftorial Logo
Home
Swift Lessons
AI Tools
Learn More
Career
Resources

2. How does MCP improve security when LLMs call external tools?

One of the biggest challenges with tool-using LLMs is making sure they don’t access sensitive resources or perform unintended actions. Model Context Protocol (MCP) addresses this by introducing a clean, auditable boundary between the model and external capabilities.

🔐 Key Security Features of MCP:

  • Explicit Requests: The LLM must construct a structured request for any tool usage — no tool can be used implicitly.
  • Scoped Permissions: The MCP client controls which servers are exposed and what scopes they offer (e.g., read-only vs read-write).
  • Auditing and Logging: Every tool invocation is logged — inputs, outputs, timestamps — enabling accountability and traceability.
  • Isolation: Servers run in separate processes (or containers) and are minimal by design — reducing attack surface.
  • User Consent: In client tools like Claude Desktop, a user can explicitly approve each tool’s access the first time it is used.

🧪 Example: Protecting Filesystem Access

Imagine an LLM that needs to read files from the user’s local computer. Here's how MCP adds protection:

// filesystem-server.ts
import express from 'express';
import fs from 'fs/promises';

const app = express();
app.use(express.json());

app.post('/invoke', async (req, res) => {
  const { path } = req.body.input;

  if (!path.startsWith('/safe-area/')) {
    return res.status(403).json({ error: 'Access denied: unsafe path' });
  }

  try {
    const contents = await fs.readFile(path, 'utf8');
    res.json({ output: { contents } });
  } catch (err) {
    res.status(500).json({ error: 'Failed to read file' });
  }
});

app.listen(4000, () => console.log('MCP Filesystem Server running'));

✅ What This Achieves:

  • Path Filtering: Access is restricted to a whitelist directory (/safe-area/).
  • Server-Side Control: The logic lives on the server, not the LLM — making it tamper-resistant.
  • No Arbitrary Execution: The LLM cannot read from or write to arbitrary files unless explicitly permitted.
  • Fail-Safe Defaults: If anything goes wrong, the server denies access or returns a controlled error.

🔍 Developer Insights:

  • Build your MCP servers with the assumption that the LLM may try unexpected inputs.
  • Always validate inputs and enforce server-side checks.
  • Use the MCP client layer to require user opt-in before unlocking sensitive capabilities.

🛡️ Ideal Scenarios for This:

  • Corporate environments where LLMs interact with sensitive HR, finance, or internal APIs.
  • Desktops where users want copilots but don’t want unrestricted background access.
  • Building plugin ecosystems that respect tenant boundaries or multi-user sandboxing.