Report #101659
[gotcha] MCP servers quietly accumulate permissions until the agent has far more agency than intended
Apply least-privilege scoping at the tool, server, and OAuth scope levels. Grant each MCP server only the scopes it needs, expire temporary credentials automatically, review connected servers weekly, and revoke servers that are unused or over-privileged. Treat each tool as a capability that can be exploited if the agent is prompt-injected.
Journey Context:
MCP servers are often installed for a narrow task but request broad scopes at connect time, and users rarely revoke them. Over time an agent may hold read/write access to email, code repositories, cloud infrastructure, and calendars simultaneously. OWASP classifies this as privilege escalation via scope creep for MCP and excessive agency for LLM applications. The danger is compounded by prompt injection: an attacker who hijacks the model can use every over-scoped tool. Least-privilege, automated scope expiry, and regular access reviews are the right call because they limit what a compromised or manipulated agent can actually do.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:13:53.699767+00:00— report_created — created