I'm not totally clear here, but it seems the author configured the MCP server to use their personal access token, and the MCP server assumed a privileged role using those credentials?
The MCP server is just the vector here. If we replaced the MCP server with a bare shim that ran SQL queries as a privileged role, the same risk is there.
Is it possible to generate a PAT that is limited in access? If so, that should have been what was done here, and access to sensitive data should have been thus systemically denied.
IMO, an MCP server shouldn't be opinionated about how the data it returns is used. If the data contains commands that tell an AI to nuke the planet, let the query result fly. Could that lead to issues down the line? Maybe, if I built a system that feeds unsanitized user input into an LLM that can take actions with material effects and lacks non-AI safeguards. But why would I do that?
The MCP server is just the vector here. If we replaced the MCP server with a bare shim that ran SQL queries as a privileged role, the same risk is there.
Is it possible to generate a PAT that is limited in access? If so, that should have been what was done here, and access to sensitive data should have been thus systemically denied.
IMO, an MCP server shouldn't be opinionated about how the data it returns is used. If the data contains commands that tell an AI to nuke the planet, let the query result fly. Could that lead to issues down the line? Maybe, if I built a system that feeds unsanitized user input into an LLM that can take actions with material effects and lacks non-AI safeguards. But why would I do that?