MCP Security Risks Multiply With Each New Agent Connection
Anthropic’s Model Context Protocol (MCP) has established itself as the de facto standard for connecting AI agents to tools, data and other services. But, at least in its early days, MCP security always felt like a bit of an afterthought. For this week’s The New Stack Agents podcast, we talked to Tzvika Shneider, the CEO and co-founder of Pynt, a startup that launched with a focus on securing APIs and now also includes support for securing the end-to-end MCP chain.
When it comes to security, Shneider sees MCP as a natural evolution of APIs. “End of 90s, 2000-something, we started with web development. After that, around a decade ago, a bit more, a bit less, started moving to APIs. Some of them were old. After a couple years, more modern APIs. And now, in recent years, in the two and a half recent years, we see LLM APIs, and now we see the next jump to MCP and agents. But in the end, everything is a piece of code being compiled and being built,” Shneider said.
It’s the use of AI agents — and giving those agents access to multiple MCP servers — that also increases the security risk, Pynt’s research recently found. The majority of MCP plugins (72%), the company found, expose operations like executing code or calling high-permission APIs, for example, all while missing approval checkpoints and runtime validation. The real risk, though, is combining one agent that gets untrusted input from an MCP server with another one that then has privileged execution rights. Unsurprisingly, the more MCPs you add, the higher the risk.

Image credit: Pynt.
In part, this is because unlike traditional, deterministic APIs, MCP calls are made by AI agents, making it harder to put guardrails around their outputs.
It doesn’t help that most companies don’t have plans for MCP security yet, though Shneider also noted that (thankfully), exploiting MCP is still a rare phenomenon.
“The main problem is still around API security — it’s still around APIs,” he said. “I think MCP just emphasized problems, because now you have more APIs, and if now there is really uncontrolled data sending from one agent to another agent, working together with their own reasoning, so it can go a lot of different ways. I can tell you that I see right now, organizations [are] really starting working on their plan. I don’t see any organization today that has a mature plan of MCP security yet.”
For our full discussion with Shneider, including segments about LLM security and prompt injection attacks, how to balance innovation and development speed with security and more, have a listen to our podcast or watch our recording on YouTube.