This is an article that rehashes a fact that has been known for a long time: when you give an AI permissions to do anything beyond read-only stuff to an MCP server, you better be careful.

We’re currently in the “prioritize features/functionality over security” phase with AI, I believe things will get formalized in a few years and this problem will get solved.

In the meantime, be careful.