MCP and I - Euphoric or Scared?
Late 2024 could be the time we look back on and say: "That's where we took a wrong turn with AI."
Why? In November 2024, Anthropic released its Model Context Protocol (MCP), enabling LLMs with agent functionality to autonomously discover the available tools and use them. MCP seems to be establishing itself as the standard for these tasks. And so LLMs will break out of their text boxes and be able to influence the real world through real software. Everything will be possible: searching and modifying Spotify playlists, generating Bring! shopping lists from recipes (I have to try this first, to get away from the dependency on the increasingly annoying Chefkoch – but that's another story), reading and altering database content; LLMs won't even have to stop at automated online banking and brokerage.
If one takes this step and releases AI from its sandbox, one must of course be very careful. Above all, one must draw a sharp line between read and write operations. If the AI is allowed to read all my emails and see my account balance, that's one thing. If it writes emails in my name and changes my account balance, that's entirely different.
Therefore, one could, for example, have the server's tool listing indicate which tools change state on the server and which are harmless. Perhaps even with different severity levels for changes (creating a new file is less severe than deleting one). One could also build a confirmation step into the communication between client and server, so that the server can ask the client to confirm critical changes (and the client asks the user, not the LLM).
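How the read/write split and confirmation step just described could look on the client side, as an added example (not the MCP specification's own mechanism or any SDK's code): the `side_effect` annotation, the `TOOLS` list and the `ask_user` callback are assumptions, and tools the server left unannotated are treated as the most severe level so the gate fails closed.

```python
# Added example: a client-side gate for the read/write split proposed above.
# Not from the MCP specification or any SDK; the `side_effect` annotation on
# each tool descriptor is an assumption about what a server could declare.
from enum import IntEnum
from typing import Callable

class Effect(IntEnum):
    """Ordered severity levels; a missing annotation counts as DELETE."""
    READ = 0     # harmless: reading mail, showing a balance
    CREATE = 1   # adds state: new file, new playlist entry
    MODIFY = 2   # rewrites existing state: edit a row, move money
    DELETE = 3   # destroys state: delete a file

# Constructed tool list, as a server might advertise it (hypothetical schema).
TOOLS = {
    "read_inbox":  {"side_effect": "read"},
    "create_file": {"side_effect": "create"},
    "send_email":  {"side_effect": "modify"},
    "delete_file": {"side_effect": "delete"},
    "legacy_tool": {},  # server did not annotate it: fail closed
}

def effect_of(descriptor: dict) -> Effect:
    """Map a descriptor to a severity; absent or unknown values fail closed."""
    name = str(descriptor.get("side_effect", "")).upper()
    return Effect[name] if name in Effect.__members__ else Effect.DELETE

def authorize(tool: str, tools: dict, ask_user: Callable[[str, Effect], bool],
              auto_threshold: Effect = Effect.READ) -> bool:
    """Decide whether the client may invoke `tool` on the LLM's behalf.

    Effects at or below `auto_threshold` run without a prompt; anything
    above it is put to the human via `ask_user`, never to the model.
    Tool names the server never listed are refused outright.
    """
    if tool not in tools:
        return False
    effect = effect_of(tools[tool])
    if effect <= auto_threshold:
        return True
    return bool(ask_user(tool, effect))

if __name__ == "__main__":
    # Simulated user who approves creations but nothing more destructive.
    cautious_user = lambda name, eff: eff <= Effect.CREATE
    for t in TOOLS:
        verdict = "allowed" if authorize(t, TOOLS, cautious_user) else "refused"
        print(f"{t:12s} -> {verdict}")
```

The decision to prompt is made by the client from the server's annotation, so the model never gets to answer its own confirmation question.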
Of course, Anthropic's MCP specification does none of this.
The client, according to the documentation, should take care that nothing bad happens.
Well, great.
Nevertheless, there is also a lot of potential in MCP – hundreds of MCP servers are waiting to teach LLMs the corresponding tools. In this respect, Anthropic's decision is clever: such a simple protocol, which can be implemented (with AI help) in hours rather than weeks, is a good way to get it widely supported by tools. Just not a secure one.