📅 Aug 26, 2025 ✍️ Cybernoz 📁 Mix 💬 0 ⏱️ 3 min

MCPs are just other people’s prompts and other people’s APIs

MCPs are just other people's prompts and other people's APIs

MCP Trust Layers - Every handoff is a loss of control

I’ve been thinking about Model Context Protocols (MCPs) for months, and here’s the simplest way to explain what they actually are:

MCPs are other people’s prompts and other people’s APIs.

That’s it. That’s the whole thing.

We run other people’s code all day long. Nobody writes every line from scratch. The real question is: what’s the risk, and have you actually thought about it?

Understanding the MCP trust stack

When you use an MCP, there are distinct layers of abstraction happening.

Layer 1: The API Call

First, you’re making API calls to a third party. Fine. We do that constantly. Nothing new here.

Layer 2: The Hidden Prompt

But here’s what most people miss: those API calls get filtered through a prompt.

When you hit an MCP, it’s not you hitting it. It’s an agent. Your AI talks to their AI. And their AI is controlled by a prompt that you don’t see by default, and can’t control.

Layer 3: The Redirect

From there, it redirects your AI to execute commands somewhere else. Your agent does what their agent tells it to do, at least temporarily.

Every handoff in the MCP chain is a potential attack vector. Your AI talks to their prompt, which talks to their code, which sends your agent off doing something.

The risk calculation

So, are MCPs dangerous?

They’re other people’s code. That should tell you everything.

But let’s be specific about the risks:

  1. Prompt Injection Potential: Their prompt could be designed to manipulate your AI’s behavior
  2. Data Leakage: Information flows through systems you don’t control
  3. Execution Hijacking: Commands could be redirected to unintended targets

The Deception Surface

There’s a chance to get tricked into revealing sensitive data, bamboozled into executing harmful commands, or manipulated into trusting malicious responses. The creativity of attackers is unbounded.

This isn’t necessarily bad. But if you don’t understand what’s happening, then it becomes a problem.

How to think about MCP risk

Here’s a simple framework for thinking about MCP risk:

  1. Remember that it’s third-party controlled
  2. Keep in mind it’s not just API calls
  3. It’s actually API calls routed through AI via a prompt
  4. You have to assess the risk of one AI talking to another AI before the API calling even starts

So that’s pretty much it.

MCPs are you sending your AI to hit someone else’s APIs via someone else’s AI.

Assess and use accordingly.


Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.