Security playbook · Skippy's MCP Portal

Listen, monkeys: MCP is a trust machine. These threats are not theoretical — they are what happens when you skip chapters and ship anyway.

Threat: tool poisoning via descriptions

Poisoned metadata flows into planner context.

Allowlist servers, review diffs, separate trust tiers, strip or summarize tool metadata for planners.

User/model input reaches filesystem without jail.

path.resolve, enforce root, reject .., deny symlinks escaping root.

Block private IPs, validate URLs, require explicit egress allowlists per tool.

Redact patterns, structured logging, never echo env wholesale.