@@ -38,14 +38,21 @@ configures an MCP client to connect to a server, the client trusts that server t
3838provide tools, resources, and prompts. The security of this trust relationship
3939depends on proper server selection and configuration by the user or administrator.
4040
41- ** MCP servers trust the execution environment they run in.** Local MCP servers have
42- access to the resources available in their execution context. This is by design, as
43- servers need access to local files, databases, APIs, or other resources to provide
44- their intended functionality.
45-
46- ** Users are responsible for configuring trusted servers.** MCP clients should provide
47- clear information about server capabilities, but the decision to connect to and use a
48- server rests with the user or administrator.
41+ ** Local MCP servers are trusted like any other software you install.** When you run a
42+ local MCP server, you are trusting it with the same level of access as any other
43+ application or package on your system. Just as you would evaluate the trustworthiness
44+ of a library or tool before installing it, you should evaluate MCP servers before
45+ running them.
46+
47+ ** MCP servers trust the execution environment they run in.** Servers have access to
48+ the resources available in their execution context. This is by design, as servers need
49+ access to local files, databases, APIs, or other resources to provide their intended
50+ functionality.
51+
52+ ** Users and administrators are responsible for server selection.** MCP clients should
53+ provide clear information about server capabilities, but the decision to connect to
54+ and use a server rests with the user or administrator. Some clients may auto-connect
55+ to certain servers based on configuration; users should review these settings.
4956
5057### Behaviors That Are Not Vulnerabilities
5158
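Review bot: the "MCP servers trust the execution environment they run in" paragraph drops the word "Local" from the old text, so it now also covers remote servers, whose execution environment belongs to the hosting party rather than to the user; consider keeping "Local" there, or adding a sentence that for remote servers the execution context is the operator's and the user's trust decision is about the operator, not the local machine. The closing sentence "Some clients may auto-connect to certain servers based on configuration; users should review these settings" would also be more actionable if it named what to review, e.g. "users should review which servers their client is configured to start or connect to automatically".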
@@ -66,41 +73,38 @@ executes those configurations. Reports about "arbitrary command execution" via S
6673transport configuration, whether in MCP client applications or SDKs, are not
6774vulnerabilities. Process spawning is a core feature of the STDIO transport mechanism.
6875
69- #### File System Access by MCP Servers
76+ #### Server Capabilities and Side Effects
7077
71- MCP servers that provide file system functionality (such as the reference filesystem
72- server) intentionally have access to files and directories :
78+ MCP servers provide capabilities that may have significant effects on the system or
79+ external services. These capabilities are features, not vulnerabilities :
7380
74- - Servers can read files within their configured scope
75- - Servers can list directory contents
76- - Servers can write files if configured with write access
77- - Servers operate with the permissions of their execution context
81+ ** File system access:** Servers like the reference filesystem server intentionally
82+ read, write, and list files within their configured scope. A filesystem server's
83+ purpose is to provide file access to AI applications.
7884
79- ** This is expected behavior.** A filesystem MCP server's purpose is to provide file
80- access to AI applications. Reports about "MCP server can read local files" are not
81- vulnerabilities when the server is designed for file access.
85+ ** Git and version control:** Servers providing git functionality can execute git
86+ commands, which may include operations like resetting commits or force pushing. If you
87+ grant an AI agent unrestricted access to git commands, it can perform any git
88+ operation—this is not a vulnerability in the server.
8289
83- #### Tool Execution and Side Effects
90+ ** Database operations:** Servers may execute queries, modify data, or manage database
91+ schemas based on their intended purpose.
8492
85- MCP tools are designed to perform actions, which may include:
93+ ** Network and API access:** Servers may make HTTP requests, call external APIs, or
94+ interact with remote services.
8695
87- - Making network requests to external services
88- - Executing system commands
89- - Modifying files or databases
90- - Interacting with APIs
96+ ** System commands:** Some servers are designed to execute system commands or scripts.
9197
92- ** This is expected behavior.** Tools that perform their documented functions are
93- working as intended. Reports about "tool X can perform action Y" are not
94- vulnerabilities when Y is the tool's intended purpose.
98+ ** This is expected behavior.** Servers that perform their documented functions are
99+ working as intended. Reports about "server X can perform action Y" are not
100+ vulnerabilities when Y is the server's intended purpose. The appropriate safeguards
101+ and permissions for these capabilities are the responsibility of the user or
102+ administrator deploying the server.
95103
96104#### Resource Access Patterns
97105
98- MCP resources expose data to clients. Servers may provide resources that contain:
99-
100- - File contents from the local system
101- - Database query results
102- - API responses
103- - System information
106+ MCP resources expose data to clients. Servers may provide resources containing file
107+ contents, database query results, API responses, or system information.
104108
105109** This is expected behavior.** Resources are designed to provide context and data to
106110AI applications. The scope of accessible data is determined by server implementation
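Review bot: the new "File system access" paragraph says servers "intentionally read, write, and list files within their configured scope", which loses the qualification in the removed bullet "Servers can write files if configured with write access"; suggest "read, list, and (where configured with write access) write files within their configured scope" so the text does not imply write access is always present. The merged "Git and version control" paragraph would benefit from the same treatment: alongside "it can perform any git operation", note that the scope of granted operations is a configuration choice the user makes, which ties it back to the closing sentence that safeguards and permissions are the deployer's responsibility.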