Martin Milani wrote today: “MCP gives agents tools to read your files, read/send your emails, and query IT systems. It’s what makes agents actually useful. It’s also a wide-open door. There’s no inherent concept of security in MCP. No framework. No trust hierarchy. No way for the agent to distinguish between “my user told me this” and “a webpage told me this.” They land in the same context window with the same authority.

Malicious font files injected into webpages could manipulate agents into leaking sensitive data through MCP-enabled tools. The trap reads the page. MCP executes the action. Data leaves the building. Nobody noticed.

Every enterprise MCP implementation is custom. Every implementation is different. There is no standard security framework. Which means there is no standard defense. Attackers need to find one gap in one implementation. Defenders need to secure all of them. The era of AI viruses has begun.” Link