Model Context Protocol (MCP) servers are how modern AI agents get superpowers — file access, database queries, third-party APIs, all through a standard plug. They are also a fresh way to hand your credentials to code you did not write. Here is what to check before you connect one.

Why MCP servers deserve a second look

An MCP server is, by design, something your agent trusts and calls. When you connect one, you are extending your agent's reach to whatever that server can do — and often handing it credentials to act on your behalf. Two risks ride along:

  • The server itself. You are running someone else's code in your trust boundary. A malicious or sloppy server can exfiltrate anything it is given.
  • The credentials you feed it. If you paste a raw API key into an MCP server's config, that key now lives in another program's hands — a fresh copy to leak.

This is the same core problem as handing keys to any agent, just one layer out. The fix is the same too: never give it the raw secret if you can avoid it.

The pre-connect checklist

Before you wire an MCP server into an agent, run these:

  1. Know who wrote it. Official first-party server, reputable open-source project, or a random repo? The less you can verify, the less you should trust it with.
  2. Read what it requests. What scopes, files, or credentials does it ask for? A server that wants broad access for a narrow job is a red flag.
  3. Scope the credential you give it. Never feed an MCP server a god-key. Give it a credential limited to exactly the capability it needs — and nothing else. (See how to store API keys for AI agents safely.)
  4. Prefer a brokered credential over a raw one. If the server can route through a credential broker, it never holds your real key — so a compromised server leaks something you can revoke in one click.
  5. Watch the first runs. New server, new behavior. Watch the audit log for outbound calls you did not expect — the early signal of a prompt injection or a misbehaving tool.
  6. Run it least-privilege and revocable. Assume any server could be compromised someday, and make sure that day is a log entry, not a disaster.

The pattern that makes MCP safe to experiment with

The reason MCP is exciting is that you will want to try lots of servers. That is exactly why you should not be pasting raw keys into each one — every experiment becomes a new copy of your secret in unknown code.

A credential broker fixes this cleanly: connect your real accounts once, and hand each MCP server (and each agent) its own scoped, revocable credential. Try as many servers as you like; none of them ever sees your real key, and any one can be cut instantly.
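Here is what that brokered pattern looks like in code, covering checklist items 3 through 6 above as well as this paragraph. It is an added example written for this page, not code from the page and not Agent Master Key's own implementation: the broker holds the real key, hands each MCP server a scoped token (a host and method allow-list), refuses anything outside that scope, can revoke a token instantly, and keeps an audit log that a small check can scan for calls you did not expect. The class and function names (CredentialBroker, issue, revoke, proxy, unexpected_calls), the "mk_" token prefix, and the sample key and host names are all constructed for the example.

```python
"""Added example: a minimal credential broker for MCP servers.
The real key never leaves the broker; each server gets a scoped, revocable token."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample secret: the raw key that must never be given to a server.
REAL_API_KEY = "sk-live-EXAMPLE-real-key-0000"


@dataclass
class Grant:
    """What one MCP server is allowed to do with its brokered token."""
    server_name: str
    allowed_hosts: FrozenSet[str]
    allowed_methods: FrozenSet[str]
    revoked: bool = False


class CredentialBroker:
    """Holds the raw key, issues scoped tokens, logs every call it is asked to make."""

    def __init__(self, real_api_key: str) -> None:
        self._real_key = real_api_key          # stays here; never returned to a caller
        self._grants: Dict[str, Grant] = {}    # token fingerprint -> Grant
        self.audit_log: List[dict] = []

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash of each token so the broker's own state is not a token list.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, server_name: str, hosts: Iterable[str], methods: Iterable[str]) -> str:
        """Checklist item 3/4: a per-server credential limited to exactly what it needs."""
        token = "mk_" + secrets.token_urlsafe(24)
        self._grants[self._fingerprint(token)] = Grant(
            server_name, frozenset(hosts), frozenset(m.upper() for m in methods))
        return token

    def revoke(self, token: str) -> bool:
        """Checklist item 6: the kill switch. Returns False for an unknown token."""
        grant = self._grants.get(self._fingerprint(token))
        if grant is None:
            return False
        grant.revoked = True
        return True

    def proxy(self, token: str, method: str, host: str, path: str) -> Optional[dict]:
        """Forward a call on the server's behalf only if its token's scope allows it."""
        grant = self._grants.get(self._fingerprint(token))
        if grant is None:
            reason = "unknown token"
        elif grant.revoked:
            reason = "token revoked"
        elif host not in grant.allowed_hosts:
            reason = "host outside scope"
        elif method.upper() not in grant.allowed_methods:
            reason = "method outside scope"
        else:
            reason = None
        # Every attempt is logged, allowed or not, so checklist item 5 has data to work with.
        self.audit_log.append({
            "server": grant.server_name if grant else "?",
            "method": method.upper(), "host": host, "path": path,
            "allowed": reason is None, "reason": reason,
        })
        if reason is not None:
            return None
        # A real broker would perform the HTTPS request here with self._real_key
        # attached; this constructed stub only reports what it would have sent.
        return {"status": 200, "forwarded": f"{method.upper()} https://{host}{path}"}


def unexpected_calls(audit_log: List[dict], expected_hosts: Iterable[str]) -> List[dict]:
    """Checklist item 5: surface denied calls and calls to hosts you did not expect."""
    expected = set(expected_hosts)
    return [e for e in audit_log if not e["allowed"] or e["host"] not in expected]


if __name__ == "__main__":
    broker = CredentialBroker(REAL_API_KEY)
    # Constructed scenario: a GitHub-style MCP server that only needs read access.
    token = broker.issue("github-mcp", ["api.github.com"], ["GET"])
    broker.proxy(token, "GET", "api.github.com", "/user/repos")        # allowed
    broker.proxy(token, "POST", "api.github.com", "/repos")            # denied: method
    broker.proxy(token, "GET", "unexpected.example", "/collect")       # denied: host
    broker.revoke(token)
    broker.proxy(token, "GET", "api.github.com", "/user/repos")        # denied: revoked
    for entry in unexpected_calls(broker.audit_log, ["api.github.com"]):
        print(entry)
```

The token the server receives is the only thing it can leak, and the broker's scope check means even a leaked token is useful only against the allowed hosts and methods until you revoke it. In practice the per-server `env` block of your MCP client config would carry that token, never `REAL_API_KEY`.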

Agent Master Key is built for this experiment-freely posture: your real keys stay on your Mac, every agent and tool gets a scoped Master Key instead of the raw secret, and revoking any of them is one click. Plug in new MCP servers without multiplying your blast radius. (New to brokers? Start with what is a credential broker for AI agents.)

Bottom line

MCP servers are worth using — they are what make agents genuinely capable. Just treat each one like a new agent in your trust boundary: verify the source, scope what you give it, prefer a brokered credential over a raw key, and keep a kill switch. Do that and you can plug in freely instead of nervously.

Not sure how your MCP and agent stack holds up? The $99 AI Agent Security & Setup Audit reviews exactly that and hands you the fixes.