6. Over-permissive Marketplace Installations
Attack: An organization installs an MCP server from a public registry without validating its requested scope or capabilities.
Impact: The server is granted permission to call outbound APIs, read the local file system, or exfiltrate data to attacker-controlled domains.
Mitigation:
- Only install verified packages (e.g., signed, reviewed)
- Run servers in isolated containers with strict runtime permissions
- Use a runtime permission manifest (similar to Android apps) that declares exactly which paths and hosts the server may touch
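The three mitigations above fit together as one install-time and runtime gate. The following added example (not code from the original page or from any MCP project) sketches that gate in Python: a pinned-digest check standing in for "verified packages", a static review of a hypothetical permission manifest, runtime path and host checks derived from that manifest, and a translation of the manifest into restrictive container flags. The manifest schema, the package name `example-mcp-notes@1.2.0`, the approved-package table and the sample paths and hosts are all constructed for illustration.

```python
"""
Added example: a minimal permission-manifest gate for an MCP server package.
The manifest format, package name, pinned digests and sample values below are
hypothetical and constructed for this illustration.
"""
import hashlib
import os
from urllib.parse import urlsplit

# Constructed: digests a reviewing team has pinned for packages it approved.
# In practice this table would come from a signed, internally maintained registry.
APPROVED_PACKAGES = {
    "example-mcp-notes@1.2.0": hashlib.sha256(b"fake package bytes v1.2.0").hexdigest(),
}

# Constructed: the manifest shipped with the package, declaring what it needs.
MANIFEST = {
    "name": "example-mcp-notes@1.2.0",
    "permissions": {
        "filesystem.read": ["/srv/notes"],
        "network.outbound": ["api.example.com"],
    },
}

# Filesystem roots that should never be granted by default, whoever asks.
DENIED_FS_ROOTS = {"/", "/etc", "/root", "/home"}


def verify_artifact(name: str, artifact: bytes) -> bool:
    """Install only packages whose digest matches the approved pin."""
    expected = APPROVED_PACKAGES.get(name)
    return expected is not None and hashlib.sha256(artifact).hexdigest() == expected


def manifest_problems(manifest: dict) -> list:
    """Static review of the declared permissions; returns a list of findings."""
    problems = []
    perms = manifest.get("permissions", {})
    for root in perms.get("filesystem.read", []):
        norm = os.path.normpath(root)
        if norm in DENIED_FS_ROOTS or not os.path.isabs(norm):
            problems.append(f"filesystem.read too broad or relative: {root}")
    for host in perms.get("network.outbound", []):
        if host in ("*", "") or host.startswith("*"):
            problems.append(f"network.outbound wildcard not allowed: {host}")
    for key in perms:
        if key not in ("filesystem.read", "network.outbound"):
            problems.append(f"unknown permission requested: {key}")
    return problems


def path_allowed(manifest: dict, path: str) -> bool:
    """Runtime check: is `path` inside a declared read root after '..' is resolved?"""
    target = os.path.normpath(os.path.abspath(path))
    for root in manifest["permissions"].get("filesystem.read", []):
        root = os.path.normpath(os.path.abspath(root))
        if os.path.commonpath([root, target]) == root:
            return True
    return False


def host_allowed(manifest: dict, url: str) -> bool:
    """Runtime check: may the server talk to the host in `url`? Exact-host match only."""
    host = urlsplit(url).hostname
    return host is not None and host in manifest["permissions"].get("network.outbound", [])


def container_args(manifest: dict) -> list:
    """Translate the manifest into restrictive `docker run` flags (read-only binds, no caps)."""
    args = ["--read-only", "--cap-drop=ALL", "--security-opt=no-new-privileges"]
    for root in manifest["permissions"].get("filesystem.read", []):
        args.append(f"--mount=type=bind,src={root},dst={root},readonly")
    if not manifest["permissions"].get("network.outbound"):
        args.append("--network=none")
    return args


if __name__ == "__main__":
    print("manifest findings:", manifest_problems(MANIFEST))
    print("traversal blocked:", not path_allowed(MANIFEST, "/srv/notes/../../etc/passwd"))
    print("container flags:", container_args(MANIFEST))
```

The static review rejects a manifest before anything runs; the runtime checks are what the host process consults on every file read or outbound call, so a package that lies in its manifest still cannot reach beyond what was declared. The container flags are the third layer and hold even if the in-process checks are bypassed.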