Source · Model Context Protocol specification and docs (modelcontextprotocol.io, 2024–2025); OWASP Top 10 for LLM Applications
Why this matters
Anthropic, Model Context Protocol announcement and spec (2024–2025)
An agent with no tools is a very expensive guess. Tools are how the model touches reality — reading files, querying APIs, running code. But every team that wired tools by hand rebuilt the same glue: schemas, transport, auth, error handling. The Model Context Protocol (MCP) standardizes that glue so a tool written once works with any MCP-compatible agent.
Think of MCP as "USB-C for AI tools": a common port so integrations stop being N-times-M bespoke connectors.
The concept
Model Context Protocol specification, modelcontextprotocol.io (2024–2025)
Function/tool calling is the base mechanism: you describe a tool with a name, a description, and a JSON Schema for its parameters; the model returns a structured request to call it; your code executes it and feeds the result back. The model does not run the tool — it asks to, and you stay in control of execution.
MCP is a protocol layered on top. Its pieces:
- Host / Client — the agent application; it runs an MCP client that connects to servers.
- Server — a process that exposes capabilities. Servers offer three primitives:
  - Tools — model-invoked actions (call an API, write a file).
  - Resources — read-only context the client can load (files, records).
  - Prompts — reusable prompt templates the server provides.
Servers communicate over a transport (local stdio, or HTTP/streamable HTTP for remote). Because the interface is standardized, the same server plugs into any MCP client.
Worked example
Model Context Protocol docs — tools, resources, and client approval flows (2025)
You want your agent to answer questions from an internal wiki.
Without MCP you would write a bespoke tool, wire its schema into your one agent, and repeat for the next app. With MCP you build (or install) a wiki MCP server that exposes a search_pages tool and page resources. Now your coding assistant, your support agent, and a teammate's app all connect to the same server — write once, reuse everywhere.
Safety in practice: the server declares search_pages as read-oriented; a separate edit_page tool is marked so the client requires human approval before it runs. The agent can browse freely but cannot mutate the wiki without a person saying yes.
How it connects
Anthropic MCP security guidance; OWASP LLM Top 10 — prompt injection (2025)
Connecting agents to external systems safely is the crux. Tools are power, and power is risk. Practices: give each tool a tight schema and least-privilege scope; gate destructive or irreversible tools behind human-in-the-loop approval (AIS-04); validate and sanitize tool inputs and outputs; and treat tool results as untrusted data, because a malicious document could carry a prompt-injection payload aimed at your agent.
MCP does not remove these responsibilities — it standardizes where they live. The client mediates every server interaction, which is exactly the choke point where you enforce approvals, logging, and scope. Tool use is also what grounds RAG (AIS-05): retrieval is often just another tool the agent calls.
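The client-side choke point described above and in the wiki worked example, as an added illustration that is not code from the MCP spec or any SDK: a minimal mediator that validates a model's tool request against the tool's schema, requires a human approval callback for tools flagged destructive, records an audit entry, and hands the server's result back labelled as untrusted data. The tool registry, the `destructive` flag, and the `approve`/`run_tool`/`audit` hooks are constructed assumptions for the example.

```python
import json

# Constructed registry for the wiki example (assumption, not MCP's registry format):
# each tool carries a JSON Schema subset for its arguments and a mutation flag.
TOOLS = {
    "search_pages": {
        "destructive": False,
        "schema": {"required": ["query"],
                   "properties": {"query": {"type": "string", "maxLength": 200}}},
    },
    "edit_page": {
        "destructive": True,
        "schema": {"required": ["page_id", "body"],
                   "properties": {"page_id": {"type": "string"},
                                  "body": {"type": "string", "maxLength": 10000}}},
    },
}

def validate_args(schema, args):
    """Check required keys, reject unknown keys, enforce type and maxLength."""
    if not isinstance(args, dict):
        return "arguments must be an object"
    for key in schema["required"]:
        if key not in args:
            return f"missing required argument: {key}"
    for key, val in args.items():
        spec = schema["properties"].get(key)
        if spec is None:
            return f"unexpected argument: {key}"
        if spec["type"] == "string" and not isinstance(val, str):
            return f"{key} must be a string"
        if "maxLength" in spec and len(val) > spec["maxLength"]:
            return f"{key} exceeds maxLength {spec['maxLength']}"
    return None

def mediate(request, run_tool, approve, audit):
    """Client-side choke point: the model only *requests* a call; this code decides."""
    name, args = request.get("name"), request.get("arguments", {})
    tool = TOOLS.get(name)
    if tool is None:
        return {"ok": False, "error": f"unknown tool: {name}"}
    err = validate_args(tool["schema"], args)
    if err:
        return {"ok": False, "error": err}
    if tool["destructive"] and not approve(name, args):
        audit.append({"tool": name, "decision": "denied"})
        return {"ok": False, "error": "human approval denied"}
    audit.append({"tool": name, "decision": "allowed"})
    # Server output is serialized and labelled untrusted, so prompt assembly
    # downstream quotes it as data rather than following it as instructions.
    return {"ok": True, "trust": "untrusted", "content": json.dumps(run_tool(name, args))}
```

`run_tool` stands in for the transport call to the MCP server and `approve` for whatever human-in-the-loop UI the host provides.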
Common mistakes
- Thinking the model executes tools itself. The model only emits a structured request; YOUR code runs it — which is exactly where you enforce auth and approvals.
- Confusing MCP primitives. Tools are model-invoked actions, resources are read-only context, prompts are reusable templates — they are not interchangeable.
- Trusting tool outputs blindly. A retrieved document or API response can contain prompt-injection; treat tool results as untrusted data, not as instructions.
Key takeaways
- Tool/function calling: the model requests a call via a JSON-schema tool; your code executes and returns the result — you keep control of execution.
- MCP standardizes the client<->server interface with three primitives: tools (actions), resources (read-only context), and prompts (templates).
- Connect safely: least-privilege scopes, human approval for destructive tools, input/output validation, and treating tool results as untrusted (prompt-injection risk).