How enterprises can adopt Model Context Protocol safely
With AI innovations shifting toward Agentic AI, a crucial component of the AI agentic workflow is the tools and systems to enable AI to search for information or take actions on behalf of the user. One way of doing so is through the Model Context Protocol (MCP). However, as with any new technology, there are security vulnerabilities and potential exploits that an enterprise must consider while implementing its MCP adoption strategy. In drawing from the experience at Nutrient, this article will discuss the lessons learned when adopting MCP technology as an enterprise.
Get started with enterprise-ready MCP servers for advanced PDF processing. Try the Document Web Service (DWS) Processor API or the Document Engine today.
What is Model Context Protocol?
You can certainly read up on the official documentation for MCP, but for the purpose of this article, MCP is a standard for allowing LLMs to take actions. Action here can mean many things — for example:
- Fetching information from a URL
- Running a search query on a database
- Sending an email
- Modifying files
There are two parts to the MCP protocol: the MCP client and the MCP server.
MCP client
- Contains an LLM that takes in a user’s request and decides which tool calls to make, following the MCP protocol.
- Contains a lightweight program that handles the communication between the LLM and the MCP server(s).
- Optionally has functionality to display to the user the tools that are available through the MCP server(s).
To take the analogy of a restaurant, the LLM is your waiter who takes your request and creates an order. The lightweight program is the iPad the waiter uses to send your order to the kitchen (the MCP server). And sometimes the waiter comes with the menu to tell you which dish is available.
MCP server
- Responsible for completing requests from the MCP client and sending the results back to the MCP client.
- Can connect to local resources or remote resources to fetch information or execute code.
- Responsible for communicating with the MCP client about which functionality is available.
Going back to the restaurant analogy, the MCP server is the kitchen that takes in the order from the waiter (the MCP client) and sends back the food. The kitchen is also responsible for telling the waiter beforehand which dish is on the menu. Optionally, the kitchen can update the waiter about which dishes are out or newly available.
The security risks of adopting MCP
Most of the security risks with MCP come from the MCP server. This is because it’s the MCP server that actually performs operations, whereas the MCP client merely calls the LLMs and handles the communication. For companies looking to use MCP servers or to build and offer MCP servers to their customers, there are different sets of considerations for each use case.
Security considerations for MCP server adopters
When you’re using MCP servers, it’s crucial to verify that they come from a trusted source and to vet them before use. Treat an MCP server like a piece of software you install on your computer, because a malicious MCP server can do as much damage as malware. Here are a few ways to find trustworthy MCP servers.
Use MCP servers from trusted providers
Some SaaS companies provide their users with official MCP servers. Examples include:
There are also registries that list official integrations, such as the official Model Context Protocol GitHub repository.
Verify open source MCP servers
One drawback with official first-party supported MCP servers is that most of them are MCP servers exposing the API of the first-party services. For example, the GitHub MCP server allows an LLM to take actions similar to those that can be achieved via the GitHub API. However, if you’re interested in “utilities” — such as file system or internet access — you’ll have to look to open source projects. To make sure open source MCP servers are suitable for enterprise use cases, we recommend:
- Looking for projects that are maintained by reputable teams and have strong community engagement.
- Reading through the source code to make sure the MCP server is secure and up to date with security best practices.
- Once you’re confident in an MCP server, forking the repository and using your own instance to protect against malicious patches in the future.
Security considerations for MCP server developers
If you’re instead interested in creating MCP servers to offer to your customers, here are a few considerations to create a secure MCP server.
Limit the scope of the MCP tools
Given how powerful LLMs are, you might be tempted to give the AI even more controls over the MCP tools. However, we recommend avoiding these types of tools in your MCP servers:
- Arbitrary execution tools — While it’s really tempting to make MCP tools that allow LLMs to execute generated Python code, run generated queries on an SQL database, or run generated terminal commands, these MCP tools are especially vulnerable to remote code execution (RCE) attacks, either via LLM jailbreaking or via direct access to the MCP server.
With careful tool design, you can still provide these functionalities without compromising on security. This might mean providing sandboxing for code execution, sanitizing tool input, or requesting user verification.
- Sensitive tools — Unlike the tools above, sensitive tools are working “as intended” while doing dangerous actions. This is a concern for development teams who automate their MCP creation process via tools that take an API specification and generate an MCP server. If your API contains sensitive endpoints such as creating/deleting credentials or dangerous endpoints such as deleting databases, extra care and attention must be taken to ensure the LLMs don’t accidentally leak or delete your customer data.
Although most MCP clients, Claude Desktop included, do not support it, the MCP server can use the elicitation feature to obtain the user’s confirmation before executing sensitive tools.
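To make the two recommendations above concrete, here is an added example (written for this article, not code from Nutrient or from the MCP SDK) of a scoped tool layer for an MCP server. Instead of a generic "run shell" or "run SQL" tool, it exposes a fixed allowlist of narrow tools, checks every argument against an exact schema, confines file paths to a sandbox directory, and refuses to run a tool marked sensitive until the caller passes an explicit confirmation flag (the place where an elicitation round-trip would set it). The tool names, the `Tool` dataclass and the sandbox layout are assumptions made for the example; the sample document is constructed.

```python
"""Scoped tool dispatch for an MCP server (illustrative, not the MCP SDK).

Controls shown: a fixed allowlist of narrow tools, strict argument checking,
sandbox-confined file access, and a confirmation gate for sensitive tools.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Any, Callable


class ToolError(Exception):
    """Raised for any refused or failed tool call; the message goes back to the client."""


@dataclass(frozen=True)
class Tool:
    name: str
    handler: Callable[[str, dict[str, Any]], str]
    arguments: tuple[str, ...]   # the exact set of accepted argument names
    sensitive: bool = False      # True: requires explicit user confirmation


def _confine(root: str, path: str) -> str:
    """Resolve `path` under `root` and refuse anything that escapes it.
    realpath() resolves absolute paths, ".." segments and symlinks alike."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ToolError(f"path escapes the sandbox: {path!r}")
    return candidate


def read_document(root: str, args: dict[str, Any]) -> str:
    target = _confine(root, args["path"])
    if not os.path.isfile(target):
        raise ToolError(f"no such document: {args['path']!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read(4096)    # cap how much one call can hand to the model


def delete_document(root: str, args: dict[str, Any]) -> str:
    os.remove(_confine(root, args["path"]))
    return f"deleted {args['path']}"


# The registry is the entire tool surface: only what is listed here can run.
# Note the absence of any "run_shell" / "exec_sql" style tool.
REGISTRY = {
    "read_document": Tool("read_document", read_document, ("path",)),
    "delete_document": Tool("delete_document", delete_document, ("path",), sensitive=True),
}


def dispatch(name: str, args: dict[str, Any], confirmed: bool = False, root: str = ".") -> str:
    tool = REGISTRY.get(name)
    if tool is None:
        raise ToolError(f"unknown tool: {name!r}")
    if set(args) != set(tool.arguments):
        raise ToolError(f"{name} expects exactly {sorted(tool.arguments)}, got {sorted(args)}")
    if not all(isinstance(v, str) for v in args.values()):
        raise ToolError("all arguments must be strings")
    if tool.sensitive and not confirmed:
        raise ToolError(f"{name!r} is sensitive and needs the user's confirmation")
    return tool.handler(root, args)


def call_tool(name: str, args: dict[str, Any], confirmed: bool = False, root: str = ".") -> tuple[bool, str]:
    """Wrapper for callers: (True, result) on success, (False, reason) when refused."""
    try:
        return True, dispatch(name, args, confirmed, root)
    except ToolError as exc:
        return False, str(exc)


def make_demo_root() -> str:
    """Create a throwaway sandbox containing one constructed sample document."""
    root = tempfile.mkdtemp(prefix="mcp_sandbox_")
    with open(os.path.join(root, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed sample document")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    print(call_tool("read_document", {"path": "report.txt"}, root=root))
    print(call_tool("read_document", {"path": "../../etc/passwd"}, root=root))
    print(call_tool("delete_document", {"path": "report.txt"}, root=root))
    print(call_tool("delete_document", {"path": "report.txt"}, confirmed=True, root=root))
```

The `confirmed` flag is deliberately not something the model can set from tool arguments: the argument schema check rejects any key the tool does not declare, so the only path to a sensitive action is the host passing confirmation obtained from the user.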
Prefer Standard IO over Streamable HTTP when possible
The MCP protocol supports two methods of transporting messages between client and server: Standard IO (stdio) and Streamable HTTP. Unless your use case requires the Streamable HTTP transport, such as creating a remote MCP server or managing multiple sessions, it’s recommended to run your MCP server using the stdio transport to reduce the risk of network attacks.
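As an added illustration of why stdio has a smaller attack surface, here is a minimal stdio transport loop, written for this article and not taken from the MCP SDK: the server reads newline-delimited JSON-RPC 2.0 messages from stdin and writes responses to stdout, so no port is ever opened and the only party that can talk to it is the process that launched it. The `initialize`, `tools/list` and `tools/call` message shapes are simplified from my reading of the MCP specification; the protocol version string, server name and the `echo` tool are placeholders made up for the example.

```python
"""Minimal stdio transport for an MCP-style server (illustrative sketch, not the SDK).

Messages are newline-delimited JSON-RPC 2.0 objects on stdin/stdout. Nothing on
the network can reach this process. Logging must go to stderr: anything else
written to stdout corrupts the protocol stream.
"""
import json
import sys
from typing import Any, Optional

PROTOCOL_VERSION = "PLACEHOLDER-PROTOCOL-VERSION"  # assumed; use what your client negotiates

# Constructed demo tool; inputSchema is the JSON Schema the client shows the model.
TOOLS = [
    {
        "name": "echo",
        "description": "Return the given text unchanged (constructed demo tool).",
        "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}, "required": ["text"]},
    }
]


def _result(req_id: Any, result: dict) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def _error(req_id: Any, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(request: dict) -> Optional[dict]:
    """Route one JSON-RPC request; returns the response, or None for notifications."""
    req_id = request.get("id")
    method = request.get("method")
    params = request.get("params") or {}
    if request.get("jsonrpc") != "2.0" or not isinstance(method, str):
        return _error(req_id, -32600, "invalid request")
    if req_id is None:           # a notification never gets a response
        return None
    if method == "initialize":
        return _result(req_id, {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {"tools": {}},
            "serverInfo": {"name": "demo-stdio-server", "version": "0.0.0"},
        })
    if method == "tools/list":
        return _result(req_id, {"tools": TOOLS})
    if method == "tools/call":
        name, args = params.get("name"), params.get("arguments") or {}
        if name != "echo" or not isinstance(args.get("text"), str):
            # Tool-level failures are reported as a result with isError, not a JSON-RPC error.
            return _result(req_id, {"content": [{"type": "text", "text": f"refused: {name!r}"}], "isError": True})
        return _result(req_id, {"content": [{"type": "text", "text": args["text"]}], "isError": False})
    return _error(req_id, -32601, f"method not found: {method}")


def handle_line(line: str) -> Optional[str]:
    """Parse one raw line and serialize the response; malformed JSON yields a parse error."""
    try:
        request = json.loads(line)
    except json.JSONDecodeError:
        return json.dumps(_error(None, -32700, "parse error"))
    if not isinstance(request, dict):
        return json.dumps(_error(None, -32600, "invalid request"))
    response = handle_request(request)
    return None if response is None else json.dumps(response)


def serve_stdio() -> None:
    """Blocking read loop: one JSON object per line in, one per line out."""
    for raw in sys.stdin:
        line = raw.strip()
        if not line:
            continue
        print("recv", line[:80], file=sys.stderr)   # diagnostics go to stderr only
        out = handle_line(line)
        if out is not None:
            sys.stdout.write(out + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    serve_stdio()
```

A client launches this as a child process and owns both pipes, which is exactly the property the article is after: access to the server is gated by the ability to spawn it, not by whatever happens to be able to reach a listening socket.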
Keep up to date with MCP security documentation
And most importantly, MCP developers should keep up to date on the most recent security considerations from the official MCP documentation. That page covers vulnerabilities and mitigation strategies that are not discussed in this article, such as DNS rebinding attacks and session hijacking.
How Nutrient adopts MCP
At Nutrient, we’re adopting MCP in the solutions we offer to customers, our open source contributions, and our internal tooling. Here are a few highlights:
- We offer MCP servers for our Document Web Service (DWS) Processor API and Document Engine, providing powerful PDF processing capabilities for AI agents.
- We open sourced the PDF MCP Server, which supports PDF document analysis and exploration and is used internally by our PDF engineering team.
Take advantage of our open source MCP server to explore and analyze PDF structures efficiently.