---
title: "AI Agent Has Root Access (and That's a Problem)"
slug: "ai-agent-has-root-access-and-thats-a-problem"
date: 2026-03-26
category: community
tags: [anthropic, agents]
language: en
sources_count: 1
featured: false
publisher: AInauten News
url: https://news.ainauten.com/en/story/ai-agent-has-root-access-and-thats-a-problem
---

# AI Agent Has Root Access (and That's a Problem)

**Published**: 2026-03-26 | **Category**: community | **Sources**: 1

---

## TL;DR

- Connect a Postgres MCP server for read access and you also get DELETE, DROP TABLE, and arbitrary SQL execution — with no way to restrict it.

---

## Summary

- Connect a Postgres MCP server for read access and you also get DELETE, DROP TABLE, and arbitrary SQL execution — with no way to restrict it.
- GitHub MCP for code reading ships with `delete_repository`. Slack MCP for search includes `remove_user` and `delete_channel`.
- A scan of 1,808 MCP servers found: 66% had security findings, 30 CVEs in 60 days, 76 published skills contained malware — 5 of the top 7 most-downloaded skills were malicious.
- Claude, Cursor, ChatGPT — all follow the same all-or-nothing model. Granular permission scoping does not exist in any major platform.
- Aerostack built a gateway workaround: per-tool toggles, destructive ops blocked by default, enforced at the proxy layer.
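
A sketch of what proxy-layer enforcement with per-tool toggles can look like, as an added example that is not Aerostack's code or anything from the source. MCP carries tool discovery and invocation as JSON-RPC `tools/list` and `tools/call` messages with the tool name in `params.name`; the class name, the prefix list, the error code and the `search_code` tool name used in testing are assumptions of this example.

```python
import json

# Example policy (hypothetical): tools are off until toggled on; destructive names need an override.
DESTRUCTIVE_PREFIXES = ("delete_", "remove_", "drop_")

def deny(req_id, reason):  # -32602 is this example's choice of JSON-RPC error code
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "error": {"code": -32602, "message": reason}})

class ToolGateway:
    def __init__(self, enabled, allow_destructive=()):
        self.enabled, self.allow_destructive = set(enabled), set(allow_destructive)
        self.pending_lists = set()  # ids of in-flight tools/list requests

    def permitted(self, name):
        if not isinstance(name, str) or name not in self.enabled:
            return False
        return not name.startswith(DESTRUCTIVE_PREFIXES) or name in self.allow_destructive

    def on_request(self, raw):
        """Client -> server: returns (message_to_forward, error_reply); one is None."""
        msg = json.loads(raw)
        if not isinstance(msg, dict):  # fail closed on batches and other shapes
            return None, deny(None, "unsupported message shape")
        rid, method = msg.get("id"), msg.get("method")
        if method == "tools/list" and isinstance(rid, (str, int)):
            self.pending_lists.add(rid)
        if method != "tools/call":
            return raw, None
        params = msg.get("params")
        name = params.get("name") if isinstance(params, dict) else None
        if self.permitted(name):
            return raw, None
        return None, deny(rid, f"tool blocked by gateway policy: {name!r}")

    def on_response(self, raw):
        """Server -> client: hides blocked tools in tools/list results."""
        msg = json.loads(raw)
        rid = msg.get("id") if isinstance(msg, dict) else None
        if not isinstance(rid, (str, int)) or rid not in self.pending_lists:
            return raw
        self.pending_lists.discard(rid)
        result = msg.get("result")
        if isinstance(result, dict) and isinstance(result.get("tools"), list):
            result["tools"] = [t for t in result["tools"]
                               if isinstance(t, dict) and self.permitted(t.get("name"))]
        return json.dumps(msg)

# Constructed sample message: a call to a destructive tool named on this page.
SAMPLE_BLOCKED_CALL = '{"jsonrpc": "2.0", "id": 7, "method": "tools/call", "params": {"name": "delete_repository", "arguments": {}}}'
```

The enforcement point is `on_request`; filtering the `tools/list` result only keeps blocked tools out of the agent's view. A toggle at this layer can switch a raw-SQL tool on or off but cannot narrow what it runs, which is a matter for the database role the server connects with.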

---

## Nauti's Take

This is not an edge case — it is a systemic design failure at scale. When 5 of the 7 most-downloaded skills are malware, the ecosystem does not have a security problem; it has no security concept at all. Platform vendors have a clear responsibility here that they have so far offloaded to the community. Gateway-level workarounds like Aerostack's are clever, but they are treating symptoms. Until major providers ship native, granular tool-permission models, every production deployment of MCP agents is a calculated risk — and most teams are not doing the calculation.

---


## Sources

- [AI Agent Has Root Access (and That's a Problem)](https://news.ycombinator.com/item?id=47530428) - Hacker News AI

---

## About This Article

This article is a synthesis of 1 source, curated and summarized by AInauten News. We aggregate AI news from trusted sources and provide bilingual (German/English) coverage.

**Publisher**: [AInauten](https://www.ainauten.com) | **Site**: [news.ainauten.com](https://news.ainauten.com)

---

*Last Updated: 2026-03-26*
