Yeah, admittedly a poor choice of words, given the security context surrounding MCP at large.

Maybe “fettered” is better?

Compared to giving the LLM full access to your machine (direct shell, Python executable as in the article), I still think it’s the right way to frame MCP.

We should view the whole LLM <> computer interface as untrusted, until proven otherwise.

MCP can theoretically provide gated access to external resources; unfortunately, many of them provide direct access to your machine and/or the internet, making them ripe as an attack vector.