AI Agent Has Root Access (and That's a Problem)
TL;DR
Connect a Postgres MCP server for read access and you also get DELETE, DROP TABLE, and arbitrary SQL execution — with no way to restrict it.
Key Points
- GitHub MCP for code reading ships with delete_repository. Slack MCP for search includes remove_user and delete_channel.
- A scan of 1,808 MCP servers found: 66% had security findings, 30 CVEs in 60 days, 76 published skills contained malware — 5 of the top 7 most-downloaded skills were malicious.
- Claude, Cursor, ChatGPT — all follow the same all-or-nothing model. Granular permission scoping does not exist in any major platform.
- Aerostack built a gateway workaround: per-tool toggles, destructive ops blocked by default, enforced at the proxy layer.
Nauti's Take
This is not an edge case — it is systemic design failure at scale. When 5 of the 7 most-downloaded skills are malware, the ecosystem does not have a security problem; it has no security concept at all.
Platform vendors have a clear responsibility here that they have so far offloaded to the community. Gateway-level workarounds like Aerostack's are clever, but they are treating symptoms.
Until major providers ship native, granular tool-permission models, every production deployment of MCP agents is a calculated risk — and most teams are not doing the calculation.
Sources