MCP Servers Have No Security Standard — Here's Why That's a Problem

Published: March 4, 2026 at 11:32 PM EST
3 min read
Source: Dev.to

The Problem with MCP Server Security

The Model Context Protocol (MCP) is exploding. Anthropic open‑sourced it, and now every AI agent framework is integrating it. MCP servers give LLMs the ability to read files, call APIs, query databases, execute code, and interact with the real world.

But who audits these servers?

An MCP server is essentially a trust bridge between an LLM and your infrastructure. When you connect Claude, GPT, or any agent to an MCP server, you’re granting it capabilities that can be dangerous:

  • Filesystem access – read, write, delete files
  • Code execution – run arbitrary commands on the host
  • Network egress – send data to external endpoints
  • Credential access – read environment variables, config files

There is no standard way to declare what an MCP server can do, verify those declarations, or audit whether the server’s actual behavior matches its claims. You install an MCP server, connect your agent, and hope for the best.

Why a Standard Is Needed

A proper standard for MCP server security would require:

  • Capability declaration – Every server declares what it can do, at what risk level, and with what scope. Not in a README, but in a machine‑readable format that tooling can verify.
  • Denied capabilities – Explicit declaration of what the server cannot and will not do. For example, a filesystem server that declares "denied": ["code_execution", "network_egress"] makes a verifiable claim.
  • Audit history – When was this server last scanned? What tool was used? What was the score? If the answer is “never,” that information is critical for a deployer.
  • Risk classification – Is this server minimal risk or high risk? Does it handle PII? The EU AI Act requires this classification for AI systems, and MCP servers are components of those systems.

Introducing KYA: An Open Standard for Agent Identity

We built KYA (Know Your Agent) to solve this. KYA defines a machine‑readable Agent Card—a JSON document that declares who an AI agent or MCP server is, what it can do, and how it has been audited.

KYA standard:

Generating and Validating an Agent Card

pip install kya-agent

# Generate an agent card for your MCP server
kya init --agent-id "your-org/your-server" --name "My MCP Server"

# Validate the card
kya validate agent-card.kya.json

# Score completeness
kya score agent-card.kya.json

What an Agent Card Covers

  • Identity – who owns this, how to contact them
  • Capabilities – what it can do, what it explicitly denies
  • Security – audit history, injection‑testing status
  • Compliance – EU AI Act risk classification, NIST AI RMF mapping
  • Behavior – logging, rate limits, kill switch
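The following is an added example, not code from the KYA project or from the original post. It shows what a deployer-side check over a machine-readable card could look like for the four requirements listed earlier (capability declaration, denied capabilities, audit history, risk classification) and the five card sections listed just above. The card layout is an illustrative structure: only the "denied" list mirrors a key the post shows; every other key name, the 90-day audit window, and the sample server and tool list are assumptions constructed for this example, not the KYA schema.

```python
"""Added example (not KYA project code): a deployer-side policy check over a
machine-readable MCP server card. Key names other than "denied" are assumed."""
import json
from datetime import date

# Constructed sample card for a hypothetical filesystem MCP server.
SAMPLE_CARD = json.dumps({
    "agent_id": "example-org/fs-server",
    "identity": {"owner": "example-org", "contact": "security@example.invalid"},
    "capabilities": {
        "declared": ["filesystem_read", "filesystem_write"],
        "denied": ["code_execution", "network_egress"],
    },
    "security": {
        "last_audit": "2026-01-15",
        "audit_tool": "placeholder-scanner",
        "score": 82,
        "injection_tested": True,
    },
    "compliance": {"eu_ai_act_risk": "minimal", "handles_pii": False},
    "behavior": {"logging": True, "rate_limit_per_min": 120, "kill_switch": True},
})

# Constructed variant with the assurance sections stripped out.
_unaudited = json.loads(SAMPLE_CARD)
_unaudited["security"] = {}
_unaudited["compliance"] = {"handles_pii": True}
_unaudited["behavior"] = {"logging": False}
UNAUDITED_CARD = json.dumps(_unaudited)

# Constructed list of tools the server actually exposed at runtime, mapped by
# the operator to the capability each tool exercises.
OBSERVED_TOOLS = {
    "read_file": "filesystem_read",
    "write_file": "filesystem_write",
    "run_shell": "code_execution",   # contradicts the card's denied list
}

MAX_AUDIT_AGE_DAYS = 90          # assumed deployer policy, not a KYA rule
TODAY = date(2026, 3, 4)         # fixed reference date for reproducible checks


def check_card(card_json: str, observed_tools: dict, today: date = TODAY) -> list:
    """Return a list of policy findings; an empty list means the card passes."""
    card = json.loads(card_json)
    caps = card.get("capabilities", {})
    declared = set(caps.get("declared", []))
    denied = set(caps.get("denied", []))
    findings = []

    # 1. A capability cannot be both declared and denied.
    for cap in sorted(declared & denied):
        findings.append(f"capability '{cap}' is both declared and denied")

    # 2. Every runtime tool must map to a declared capability, never a denied one.
    for tool, cap in sorted(observed_tools.items()):
        if cap in denied:
            findings.append(f"tool '{tool}' uses denied capability '{cap}'")
        elif cap not in declared:
            findings.append(f"tool '{tool}' uses undeclared capability '{cap}'")

    # 3. Audit history must exist and be recent.
    sec = card.get("security", {})
    last = sec.get("last_audit")
    if last is None:
        findings.append("server has never been audited")
    else:
        age = (today - date.fromisoformat(last)).days
        if age > MAX_AUDIT_AGE_DAYS:
            findings.append(f"last audit is {age} days old (limit {MAX_AUDIT_AGE_DAYS})")

    # 4. Risk classification must be present; PII handling raises the bar.
    comp = card.get("compliance", {})
    if "eu_ai_act_risk" not in comp:
        findings.append("missing EU AI Act risk classification")
    if comp.get("handles_pii") and not sec.get("injection_tested"):
        findings.append("handles PII but has no injection-testing status")

    # 5. Operational safety controls.
    if not card.get("behavior", {}).get("kill_switch"):
        findings.append("no kill switch declared")
    return findings


if __name__ == "__main__":
    for finding in check_card(SAMPLE_CARD, OBSERVED_TOOLS):
        print("FINDING:", finding)
```

The check is deliberately two-sided: it validates the card's internal consistency and then compares it against what the server actually exposes, because a card that is never reconciled with runtime behavior is just a README in JSON form. With the sample inputs, the well-formed card still produces one finding, the runtime tool that exercises a capability the card denies.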

Without a standard like KYA, the MCP ecosystem runs on trust: trust that the server README is accurate, that the developer considered security, and that no malicious tool description was injected. Trust doesn’t scale—standards do.

Getting Started with KYA

pip install kya-agent

Additional Tools

  • MCP security audit: pip install mcp-security-audit
  • Prompt injection detection: pip install ai-injection-guard