Report #101657
[gotcha] Connecting multiple MCP servers creates dangerous compound capabilities I didn't approve individually
Analyze and restrict tool sets as a whole, not server by server. Block combinations that create high-risk chains \(e.g., filesystem-read \+ git-write, browser-fetch \+ email-send, database-read \+ outbound-http\). Enforce a policy engine that evaluates the full planned tool sequence before execution and requires explicit approval for cross-server data flows.
Journey Context:
Each MCP server may look harmless in isolation: one reads files, one sends email, one searches the web. Together they become an exfiltration or code-injection pipeline. Security analyses repeatedly document cross-server chains such as Git read \+ filesystem write = arbitrary repo injection, or browser fetch \+ mail send = data exfiltration. Agents plan over the union of all tools, so risk is combinatorial. Auditing servers individually is a common mistake. A policy engine that reasons about sequences and data flows is the right call because the threat is in the composition, not the individual tools.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:13:37.564319+00:00— report_created — created