Model Context Protocol (MCP)
Architecture
- Host — the AI application itself (e.g. Claude Desktop).
- Client — a component within the host that handles communication via the MCP protocol.
- Server — exposes tools and data from external sessions to the host.
Three Primitives Servers Can Expose
- Tools — executable actions such as file operations, API calls, and database queries.
- Resources — readable content such as file contents and data sources.
- Prompts — reusable templates for structured interaction with the language model.
# Pseudo Code — MCP Client Initialisation
async with stdio_client(server_config) as (read, write):
async with ClientSession(read, write) as session:
init_response = await session.initialize()
if init_response.capabilities.tools:
app.register_mcp_server(session, supports_tools=True)
app.set_server_ready(session)
MCP Security Risks
Authorization is AI-Mediated
- The AI application holds the credential, and the AI itself decides when to invoke a tool — user approval becomes UX-dependent rather than enforced.
- Once connected to an MCP server, the connection is already established and active; there is no per-action authorisation gate by default.
Local MCP Servers are Arbitrary Code Execution
- A local MCP server is effectively arbitrary code execution with a friendly name — it has direct access to the endpoint it runs on.
- MCP security is fundamentally a governance problem, not just a configuration one.
MCP Governance Controls
What Good Governance Looks Like
- Run MCP servers in a sandbox environment with no local system access and no access to secrets or API credentials.
- Maintain a policy that only allows approved MCP servers and providers.
- Review the approved server list every few months to remove stale or unnecessary connections.
- Use MCP Inspector to audit and inspect MCP server behaviour during development and testing.
Pickle is Code Execution, Not a Data Format
Why Pickle Files Are Dangerous
- Pickle is not a safe data format — it is code execution. Any model that triggers
REDUCE with attacker-controlled callables can execute arbitrary code during loading, before inference, before validation, and without any explicit user action.
- Safe ML pipelines treat model files as untrusted binaries, not data. Never assume a downloaded model file is safe to load directly.
Safe Model Loading Practices
- Always download models from a trusted source.
- Before loading, scan the model file using
modelscan and picklescan.
- Run local models inside a sandbox environment.
picklescan filename
modelscan filename
./run_sandboxed.sh models/modelname
Scanning Tools
PickleScan
- Built by Hugging Face specifically for Python's pickle ecosystem, targeting
.pkl, .bin, .pt, and standard PyTorch archive wrappers.
- Optimised for repository platforms and rapid triage — it is widely used as an automatic initial check when developers upload new models to the Hugging Face Hub.
ModelScan
- Developed by Protect AI as a multi-format framework scanner. It handles Python pickles as well as non-pickle formats including TensorFlow
SavedModel, Keras .h5, NumPy .npy, Sklearn, and XGBoost.
- Built with enterprise DevSecOps pipelines in mind — integrates into Git Actions or automated pipelines as a flexible Python SDK or CLI tool, outputting rich machine-readable JSON reports.
Cross-Site Scripting (XSS) in AI Contexts
How XSS Arises from Model Output
- XSS occurs when untrusted data is included in a web page without proper validation or escaping, allowing malicious scripts to execute in the victim's browser.
- When a model generates HTML or code that is rendered directly in a webpage, that output becomes an XSS vector.
- Users can also be phished by copying content from the internet that contains malicious HTML or Markdown, which is then saved into a personal database and later rendered.
Mitigations
- Sanitise all HTML before rendering it in the browser.
- Treat all model output as untrusted — validate and escape it before it reaches the frontend.