> This problem is as old as software.
Sure, I agree, and the problem is absolutely magnified by AI. If a back door gets into Thunderbird, or Google decides to start scanning and sharing all of your email, that’s one point of failure.
An MCP may connect to any number of systems that require a level of trust, and if any one thing abuses that trust it puts the entire system at risk. Now you’re potentially leaking email, server keys, recovery codes, private documents, personal photos, encrypted chats - whatever you give your AI access to becomes available to a single rogue actor.
Giving AI agents permission to do things on your behalf in your computer is obviously dangerous. Installing a compromised MCP server is really the same as installing any compromised software. The fact that this software is triggered by the user or an agent doesn't really change anything. I don't think that humans are more able to decide not to use a tool that could potentially be compromised, but that they have chosen to install already.