Everything wrong with MCP

A nice, comprehensive yet accessible blog post about it can be found here[1], got submitted earlier[2] but didn't gain traction.

[1]: https://aaronparecki.com/2025/04/03/15/oauth-for-model-conte...

[2]: https://news.ycombinator.com/item?id=43620496

Impressive to see this level of cross-org coordination on something that appears to be maturing at pace (compared to other consortium-style specs/protocol I've seen attempted)

Congrats to everyone.

Awesome! Thanks for your work on this.

This reminds me of something Adam Smith said in The Wealth of Nations:

"People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices."

Ymmv, but I cannot image that this "innovation" will result in a better outcome for the general public.

Yeah. That's another in a long line of MCP articles and blogposts that's been coming up over the past few weeks, that can be summarized as "breaking news: this knife is sharp and can cut someone if you swing it at people, it can cut you if you hold it the wrong way, and is not a toy suitable for small children".

Well, yes. A knife cuts things, it's literally its only job. It will cut whatever you swing it at, including people and things you didn't intend to - that's the nature of a general-purpose cutting tool, as opposed to e.g. safety razor or plastic scissors for small children, which are much safer, but can only cut few very specific things.

Now, I get it, young developers don't know that knives and remote access to code execution on a local system are both sharp tools and need to be kept out of reach of small children. But it's one thing to remind people that the tool needs to be handled with care; it's another to blame it on the tool design.

Prompt injection is a consequence of the nature of LLMs, you can't eliminate it without degrading capabilities of the model. No, "in-band signaling" isn't the problem - "control vs. data" separation is not a thing in nature, it's designed into systems, and what makes LLMs useful and general is that they don't have it. Much like people, by the way. Remote MCPs as a Service are a bad idea, but that's not the fault of the protocol - it's the problem of giving power to third parties you don't trust. And so on.

There is technical and process security to be added, but that's mostly around MCP, not in it.

Some of the other issues are less important than others, but even if you accept “you have to take responsibility for yourself”, let me quote the article:

> As mentioned in my multi-agent systems post, LLM-reliability often negatively correlates with the amount of instructional context it’s provided. This is in stark contrast to most users, who (maybe deceived by AI hype marketing) believe that the answer to most of their problems will be solved by providing more data and integrations. I expect that as the servers get bigger (i.e. more tools) and users integrate more of them, an assistants performance will degrade all while increasing the cost of every single request. Applications may force the user to pick some subset of the total set of integrated tools to get around this.

I will rephrase it in stronger terms.

MCP does not scale.

It cannot scale beyond a certain threshold.

It is Impossible to add an unlimited number of tools to your agents context without negatively impacting the capability of your agent.

This is a fundamental limitation with the entire concept of MCP and needs addressing far more than auth problems, imo.

You will see posts like “MCP used to be good but now…” as people experience the effects of having many MCP servers enabled.

They interfere with each other.

This is fundamentally and utterly different from installing a package in any normal package system, where not interfering is a fundamental property of package management in general.

Thats the problem with MCP.

As an idea it is different to what people trivially expect from it.

> Rate limit and monitor your own usage. You should anyway. It's not the road's job to make you follow the speed limit.

A better metaphor is the car, not the road. It is legally required to accurately tell you your speed and require deliberate control to increase it.

Even if you stick to a road; whoever made the road is required to research and clearly post speed limits.

why would anyone accept to expose sensitive data so easily with MCP ? also MCP does not make AI agents more reliable, it just gives them access to more tools, which can decrease reliability in some cases:https://medium.com/thoughts-on-machine-learning/mcp-is-mostl...

Totally agree, hopefully it's clear closer to the end that I don't actually expect MCP to solve and be responsible for a lot of this. More so MCP creates a lot of surface area for these issues that app developers and users should be aware of.

> Rate limit and monitor your own usage. You should anyway. It's not the road's job to make you follow the speed limit.

In some sense, urban planners do design roads to make you follow the speed limit. https://en.wikipedia.org/wiki/Traffic_calming:

“Traffic calming uses physical design and other measures to improve safety for motorists, car drivers, pedestrians and cyclists. It has become a tool to combat speeding and other unsafe behaviours of drivers”

> It's not the road's job to make you follow the speed limit.

Good road design makes it impossible to speed.

I think the author's point is that the architecture of MCP is fundamentally extremely high trust between not only your agent software and the integrations, but the (n choose 2) relationships between all of them. We're doing the LLM equivalent of loading code directly into our address space and executing it. This isn't a bad thing, dlopen is incredibly powerful with this power, but the problem being solved with MCP just isn't that level of trust.

The real level of trust is on the order OAuth flows where the data provider has a gun sighted on every integration. Unless something about this protocol and it's implementations change I expect every MCP server to start doing side-channel verification like getting an email "hey your LLM is asking to do thing, click the link to approve." Where in this future it severely inhibits the usefulness of agents in the same vein as Apple's "click the notification to run this automation."

Previous thoughts on MCP, which I won't rehash here:

- "MCP is a schema, not a protocol" – https://x.com/PetrusTheron/status/1897908595720688111

- "PDDL is way more interesting than MCP" – https://x.com/PetrusTheron/status/1897911660448252049

- "The more I learn about MCP, the less I like it" https://x.com/PetrusTheron/status/1900795806678233141

- "Upon further reflection, MCP should not exist" https://x.com/PetrusTheron/status/1897760788116652065

- "in every new language, framework or paradigm, there is a guaranteed way to become famous in that community" – https://x.com/PetrusTheron/status/1897147862716457175

I don't know if it's taboo to link to twitter, but I ain't gonna copypasta all that.

> 1. it does not enable AI agents to functionally compose tools.

Is there something about the OpenAI tool calling spec that prevents this?

There are plenty of things out there that don’t use OpenAPI. In fact most things aren’t.

Even if the universe was all OpenAPI, you’d still need a lower level protocol to define exactly how the LLM reaches out of the box and makes the OpenAPI call in the first place. That is what MCP does. It’s the protocol for calling tools.

It’s not perfect but it’s a start.

I mean you don’t need gRPC. You can just treat all tool calls as SSEs themselves and you have streaming. HTTP is pretty robust.

Isn't this basically a lot of hand waving that ends up being isomorphic to SQL injection?

Thats what we're talking about? A bunch of systems cobbled together where one could SQL inject at any point and there's basically zero observability?

MCP allows LLM clients you don’t control—like Claude, ChatGPT, Cursor, or VSCode—to interact with your API. Without it, you’d need to build your own custom client using the LLM API, which is far more expensive than just using existing clients like ChatGPT or Claude with a $20 subscription and teaching them how to use your tools.

I built an MCP server that connects to my FM hardware synthesizer via USB and handles sound design for me: https://github.com/zerubeus/elektron-mcp.

> why we not just use API

Did you meant to write "a HTTP API"?

I asked myself this question before playing with it a bit. And now I have a slightly better understanding, I think the main reason was created as a way to give access of your local resources (files, envvars, network access...) to your LLM. So it was designed to be something you run locally and the LLM has access.

But there is nothing preventing you making an HTTP call from a MCP server. In fact, we already have some proxy servers for this exact use-case[0][1].

[0] - https://github.com/sparfenyuk/mcp-proxy

[1] - https://github.com/adamwattis/mcp-proxy-server

I'm not sure I get it too. I get the idea of a standard api to connect one or more external resources providers to an llm (each exposing tools + state). Then I need one single standard client-side connector to allow the llm to talk to those external resources- basically something to take care of the network calls or other forms of i/o in my local (llm-side) environment. Is that it?

I have an API, but I built an MCP around my API that makes it easier for something like Claude to use — normally something that's quite tough to do (giving special tools to Claude).

Because you need mainly a bridge between the Function calling schema defined that you expose to the AI model so you can leverage them. The model need a gateway as API can't be used directly.

MCP core power is the TOOLS and tools need to translate to function calls and that's mainly what MCP do under the hood. Your tool can be an API, but you need this translation layer function call ==> Tool and MCP sits in the middle

https://platform.openai.com/docs/guides/function-calling

I played around with MCP this weekend and I agree. I just want to get a users X and then send X to my endpoint so I can do something with it. I don't need any higher level abstraction than that.

If you are a tool provider, you need a standard protocol for the AI agent frontends to be able to connect to your tool.

I think it's fine if you only need a standalone API or know exactly which APIs to call. But when users ask questions or you're unsure which APIs to use, MCP can solve this issue—and it can process requests based on your previous messages.

Any interpreter can run malicious code. Mostly the guidance is: don't run malicious code if you don't want it to run. The problem isn't the interpreter/tool but the entity that's using it. Because that's the thing that you should be (mis)-trusting.

The issue is two fold:

- models aren't quite trustworthy yet.

- people put a lot of trust in them anyway.

This friction always exist with security. It's not a technical problem that can or should be solved on the MCP side.

Part of the solution is indeed going to come from containerization. Give MCP agents access to what they need but not more. And part of it is going to come from some common sense and the tool UX providing better transparency into what is happening. Some of the better examples I've seen of Agentic tools work like you outline.

I don't worry too much about the cost. This stuff is getting useful enough that paying a chunk of what normally would go into somebody's salary actually isn't that bad of a deal. And of course cost will come down. My main worry is actually speed. I seem to spend a lot of time waiting for these tools to do their thing. I'd love this stuff to be a bit zippier.

It's April 2025

This is what torpedoed the first AI Assistant push in the late 1990's and early 2000s (see electric elves as an example). Basically we thought that personal travel assistants and open trading platforms would be cool things, but then discovered that content aggregators a) had a business model and b) could offer vertical integration and bulk buys, & discounts to goods providers and consumers, while also policing the platform. So we got Expedia and Ebay.

There is a more fundamental problem as well. Multi-agent systems require the programmer of the agent to influence the state of the agent in order that the agent can act to influence the states of other agents in the system. This is a very hard programming task.

You're arguing against your own straw man. "Imagine, for example if booking.com built an MCP server allowing you to book a hotel room (…) no hiding or limiting data." They're not doing that and they're not interested in that. Yes, they would need a public API for that and people could use it directly. But that's not happening.

MCP makes sense where the API already exists and makes the biggest difference if the API call is just a part of the process, not the only and final action.

Even in the booking example, you could push much more of your context into the process and integrate other tools. Rank the results by parking availability or distance to the nearest public/street parking, taking your car's height into account, looking through reviews for phrases you care about (soft bed, child care, ...) and many others things. So now we've got already 4+ different tools that need to work together, improving the results.

It's not just you.

However, I would say that I've grown to accept that most people prefer these more constrained models of thinking. Constraints can help free the mind up in other ways. If you do not perceive MCP as constraining, then you should definitely use it. Wait until you can feel the pain of its complexity and become familiar with it. This will be an excellent learning experience.

Also consider the downstream opportunities that this will generate. Why not plan a few steps ahead and start thinking about a consultancy for resolving AI microservices clusterfucks.

If computer use gets good enough (it isn't just yet ... but it is getting better _fast_) then it doesn't matter, you'll be able to browse the sites the same way a human does to bypass whatever shit they want to toss in your way. This makes their business models much more precarious. Also it makes removing the aggregator easier - you could search for the hotels, query their sites directly. Hotels and airlines have been trying to cut out middlemen for years, they just can't afford to lose the inbound traffic/sales it gives them. But the dynamic shifts every 5-10 years in small ways. Maybe this will be a big shift.

That said, even if the equilibrium changes from today (and I think it will) I still share your cynicism that enshittification will ensue in some form. One example right now is the increasing inability to trust any reviews from any service.

Companies that want to maintain a data moat will work to maintain that moat in the face of any new technology.

But not all data in the world is protected in that way. The use cases they promote are just easy to grasp, although they are misleading due to the reality that those examples are often ones protected by data moats.

I mean, I doubt Facebook is going to create an MCP that allows you to deeply access your social graph in a way that will allow you to bypass whatever tracking they want to do to feed their ad business. But Blender, the open source 3d application, may provide a decent MCP to interact with their application. And Wikipedia might get a few decent MCP integrations to expose their knowledge base for easier integration with LLMs (although less useful I suppose considering every LLM would be trained on that data anyway).

I guess it is just a matter of optimism vs. pessimism, (glass half empty vs. glass half full). MCP won't make data moats disappear, but they may make data that isn't behind a moat easier to work with for LLMs.

I don't buy it.

If they had an API Booking would not likely return their data to you, they would almost certainly have an API that you would search and which would then return the same result you get on their website. Probably with some nice JSON or XML formatting.

Booking makes a small amount of ads, but they are paid by the hotels that you book with. And yes, today they already have to compete with people who go there see a hotel listing and go find the actual hotel off-site. That would not really change if they create an MCP.

It might make it marginally more easy to do, especially automatically. But I suspect the real benefits of booking.com is: A) that you are perceived to get some form of discount and B) you get stamps toward the free stay. And of course the third part which is you trust Booking more than some random hotel.

I actually think it would be a good idea for Booking to have an API. What is the alternative?

I can right now run a Deep search for great hotels in Tokyo - that will probably go through substantially all hotels in Tokyo. Go to the hotel's website and find the information, then search through and find exactly what I want.

Booking.com might prefer I go go to their website, but I am sure they would prefer above all that you book through them.

In fact I think the idea of advertisement is given above impact here, possibly because its a popular way for the places that employ the kind of people who post here to make money, but substantially all businesses that are not web-based and that do not sell web-based services for free don't make their money through ads (at least not directly). For all those places ads are an expense and they would much prefer your AI search their (comparably cheap to serve) websites.

Basically, the only website owners who should object to you going to their website through an AI agent are those who are in the publishing industry and who primarily make money through ads. That is a small number of all possible businesses.

It doesn't make sense for a middleman like booking.com to let you completely bypass everything they offer.

However it certainly might make sense for an individual hotel to let you bypass the booking.com middleman (a middleman that the hotel dislikes already).

Scenario 1: You logon to booking.com, deal with a beg to join a subscription service (?), block hundreds of ads and trackers, just to search searching through page after page of slop trying to find a matching hotel. You find it, go to the hotels actual webpage and book there, saving a little bit of money.

Scenario 2: You ask your favorite Deep Research AI (maybe they've come up with Diligent Assistant mode) to scan for Thai hotels meeting your specific criteria (similar to the search filters you entered on booking.com) and your AI reaches out to Hotel Discovery MCP servers run by hotels, picks a few matches, and returns them to you with a suggestion. You review the results and select one. The AI agent points out some helpful deals and rewards programs that might apply. Your AI completes the booking.

The value that AI gave you is you no longer did the searching, dealt with the middleman, viewed the ads, got begged to join a subscription service, etc.

However to the hotel, they already don't really like booking.com middleman. They already strongly prefer you book directly with them and give you extra benefits for doing so. From the hotel's perspective, the AI middleman is cheaper to them than booking.com and still preserves the direct business relationship.

Yes, the metaproblem is: it has to make money. It turns out that "doing genuinely useful things for end users" almost never makes money. I found this out long ago when I had the experience that booking air travel for optimized cost/convenience was a total pain. I figured software can solve this, so built a ticket search engine that supported the query semantics a human typically wants. Dumb idea because you can't get the data over which to search except from airlines, and airlines know that making it convenient to find low convenient fares makes them less money. So they won't give you the data. In fact the entire problem "finding cheap convenient air fare" is actually there in support of someone else's (the airlines) business model.

What does that have to do with MCP? Those sound like things you would build on a separate layer from MCP.

> understanding the context of a conversation to adjust the tools dynamically

This just sounds like a small fine tuned model that knows hundreds of MCP tools and chooses the right ones for the current conversation.

Can you give an example where you would need to adjust tools dynamically based on context? Is that for all tools or just for some?

For example, why does a “Google search” tool need to change from context to context?

It's in there briefly in the llm limitations section.