Also the O is for Observability. I've been knee-deep in exploring and writing MCP servers this week. Most of the implementations, including my toy ones, do not have any auditing or metrics. Claude stores log output of the MCP servers, but that is geared more for debugging than for DevOps/SecOps.
Culturally, the issues OP describes are a big problem for soft-tech people (muggles). On the subreddits for this stuff, people are having a great time running MCP CLI programs on their machines. Many of OP's security comments are obvious to developers (although some subtleties are discussed in this thread), but these users don't have the perspective of how dangerous it is.
People are learning about Docker, and thankfully Claude includes its usage in their examples. But really most people are just downloading blobs and running them. People are vibe-coding MCP servers and running those blindly!
As MCP takes off, frameworks and tooling will grow to support Security, Observability, etc. It's like building web stuff in the mid-90s.
Unrelated to OP, but I gotta say, in building these it was so exciting to type something into Claude Desktop and then trigger a breakpoint in VSCode!
I'm using Claude Code a lot more than I expected I would. And it has these problems exactly. It does not appear to log anything, anywhere. I cannot find a local log of even my prompts. I cannot find anything other than my credit counts to show that I used it. The coding conversation is not stored in my conversations in the web UI.
I wonder if this is by design. If you are doing contracting work, or should I say, Claude is doing contracting work by proxy for you (but you are keeping the money in your bank account), then this gives you a way to say "I don't know, maybe Claude did 12% of the work and I did the rest?"
Open WebUI and aider both have ways to log to something like Datadog. So many layers of software.
I've been looking at ways to script my terminal and scrape all the textual data, a tool that would be outside of the subprocesses running inside the terminal. I really like to keep track of the conversation and steps to build something, but these tools right now make it really difficult.
One of the pet projects I have going is to try and store the interactions as a roam-style knowledge base of connected thought, with the idea that you could browse through this second brain you’ve been talking to afterwards.
Almost every time I’ve asked an LLM to help implement something I’ve given it various clarifying questions so I understand why, and digging through linear UI threads isn’t great.
A decent o11y or instrumentation layer is pretty important to do anything like that well.
If you use PuTTY there's a way to log all output, including terminal control codes. This lets you see exactly what was happening, e.g. characters being deleted and the screen being wiped, and other things caused by e.g. curses. It's probably possible to write a playback function for this.
Yeah, feels like we're writing web/API frameworks from scratch again without any of the lessons learned along the way. Just a matter of time though, I'm hoping.
We are indeed forgetting history, with the most important lesson being:
How do you write a web tool that lets users configure and combine arbitrary third-party APIs, including those not known or not even existing at the time of development, into a custom solution that runs in their browser?
Answer: you don't. You can't, you shouldn't, it's explicitly not supported, no third-party API provider wants you to do it, and browsers are designed to actively prevent you from doing such a thing.
That's the core problem: MCP has user-centric design, and enables features that are fundamentally challenging to provide[0] with a network of third-party, mutually mistrusting services. The Web's answer was to disallow it entirely, opting instead for an approach where vendors negotiate specific integrations on the back-channel, and present them to users from a single point of responsibility they fully control.
Doing the same with MCP will nerf it to near-uselessness, or introduce the same problem with AI we have today with mobile marketplaces: a small number of titans gate-keeping access and controlling what's allowed.
--
[0] - I'd say impossible, but let's leave room for hope - maybe someone will figure out a way.
Some built-in options for simple observability integrations would be great, though I don't think this is just an MCP problem; it's anyone sharing libraries, templates, etc. really. Small projects (like most MCP projects) don't tend to think about options here until they get to scaling.
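The first comment above notes that most MCP server implementations ship with no auditing or metrics, and the comment just above asks for simple built-in observability options. As an added example (not code from the thread, from Anthropic, or from any MCP SDK), here is a framework-agnostic audit and metrics wrapper that a server author could put around each tool handler: every invocation, including failures, produces one structured JSON record with a timestamp, the tool name, the caller, redacted arguments, a fingerprint for correlation, duration and outcome, and per-tool counters are kept alongside. The tool functions (`read_file`, `call_api`), the sandbox root, the caller name and the in-memory sinks are all constructed for the demonstration; a real deployment would write the JSONL to a file or ship it to a log pipeline such as the Datadog setups mentioned later in the thread.

```python
import hashlib
import json
import time
from collections import Counter
from functools import wraps
from typing import Any, Callable, Dict, List

# Audit sink and metrics store: in-memory stand-ins (constructed for this example)
# for a JSONL file or a log shipper.
AUDIT_LOG: List[Dict[str, Any]] = []
METRICS: Counter = Counter()

# Argument names whose values must never appear in the audit trail.
SENSITIVE_KEYS = {"token", "password", "api_key", "secret"}


def _redact(args: Dict[str, Any]) -> Dict[str, Any]:
    """Mask values of credential-looking keys before they reach the log."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v) for k, v in args.items()}


def _fingerprint(args: Dict[str, Any]) -> str:
    """Short stable hash of the redacted argument set, so repeated calls can be
    correlated without storing (or hashing) the secret values themselves."""
    canonical = json.dumps(_redact(args), sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def audited(tool_name: str, caller: str = "unknown") -> Callable:
    """Decorator: emit one audit record and update counters per tool invocation."""
    def decorator(fn: Callable[..., Any]) -> Callable[..., Any]:
        @wraps(fn)
        def wrapper(**kwargs: Any) -> Any:
            start = time.monotonic()
            record: Dict[str, Any] = {
                "ts": time.time(),
                "tool": tool_name,
                "caller": caller,
                "args": _redact(kwargs),
                "args_fp": _fingerprint(kwargs),
            }
            try:
                result = fn(**kwargs)
                record["status"] = "ok"
                record["result_len"] = len(str(result))
                return result
            except Exception as exc:
                # Denied or failed calls are the events SecOps cares about most; keep them.
                record["status"] = "error"
                record["error"] = type(exc).__name__
                METRICS[f"{tool_name}.errors"] += 1
                raise
            finally:
                record["duration_ms"] = round((time.monotonic() - start) * 1000, 3)
                METRICS[f"{tool_name}.calls"] += 1
                AUDIT_LOG.append(record)
        return wrapper
    return decorator


ALLOWED_ROOT = "/tmp/mcp-sandbox"  # hypothetical allow-listed directory


@audited("read_file", caller="claude-desktop")
def read_file(path: str) -> str:
    """Hypothetical tool: refuses paths outside the sandbox root (no real file I/O here)."""
    if not path.startswith(ALLOWED_ROOT + "/"):
        raise PermissionError(f"path outside sandbox: {path}")
    return f"<contents of {path}>"


@audited("call_api", caller="claude-desktop")
def call_api(endpoint: str, api_key: str) -> Dict[str, Any]:
    """Hypothetical tool: the api_key argument must never be logged in clear."""
    return {"endpoint": endpoint, "status": 200}


def export_audit_jsonl() -> str:
    """Serialise the audit records as JSON Lines, one event per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in AUDIT_LOG)


def run_demo() -> Dict[str, Any]:
    """Drive the two tools, including one denied call, and return what was recorded."""
    AUDIT_LOG.clear()
    METRICS.clear()
    read_file(path=f"{ALLOWED_ROOT}/notes.txt")
    call_api(endpoint="https://example.invalid/v1", api_key="sk-constructed-secret")
    try:
        read_file(path="/not/allowed/file.txt")  # constructed policy violation
    except PermissionError:
        pass
    return {"events": list(AUDIT_LOG), "metrics": dict(METRICS), "jsonl": export_audit_jsonl()}


if __name__ == "__main__":
    print(run_demo()["jsonl"])
```

The decorator only accepts keyword arguments so that every value can be matched against `SENSITIVE_KEYS` by name; the fingerprint is computed over the redacted arguments on purpose, since a hash of a low-entropy argument set that includes a credential could otherwise be brute-forced offline. The denied `read_file` call still produces a record with `status: error`, which is the kind of event a detection rule would key on.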
Docker is literally just "download blobs and run them". Ever so helpful, Docker also silently turns off your system's firewall for you. Thanks, Docker!
That is true; and it's yet another layer to observe and secure. But it does provide a sandbox when configured properly. As an OSS maintainer of some images, I try to ensure that there are public build logs for auditors. As others noted, we are where web services were decades ago and we'll figure out better deployment models.
I didn't mean to be pejorative (vs. mudblood), but meant people without programming/systems skills (the "magic") but with strong computer skills. I also didn't mean they aren't capable of learning it or growing, which maybe muggle implies.
Anyway, many soft-tech people are grabbing AI tools and using them in all sorts of ways. It's a great time of utility and exploration for all of us. But by not having been previously exposed to systems security, hardening, the nature of bugs, etc., they just don't know what they don't know.
All of the security problems in the original post are challenges to them, because they don't know anything about them in the first place, nor how to mitigate them. What is great though (apparent in those Reddit threads) is that once it is pointed out, they seem to thirst to understand/learn/defend.
I think this is, unfortunately, an optimistic, and ultimately anachronistic, perspective on our industry. I think what you describe as "soft-tech people" are in fact the overwhelming majority of junior/entry-level developers, since probably around 6 months to 1 year ago.