Anthropic managed to take one of the oldest bad ideas in computing — “just let the thing run a command” — and dress it up like a modern protocol. That takes a special kind of confidence. Or blindness. Or both, which is usually how the fun disasters start.
Here’s the gist: MCP’s STDIO path lets a client launch a server by handing it a command. That sounds harmless if you’ve spent too long in product meetings and not enough time around attackers. In practice, it means the moment untrusted input reaches that field, you’ve built a little execution chute straight into the host. The handshake can fail later. Cute. The damage already happened.
OX Security’s April 2026 writeup didn’t describe a freak bug hiding in one crate or one SDK. It described a design choice that shows up in Anthropic’s Python, TypeScript, Java, and Rust implementations. They traced four exploit families, and the numbers are grotesque enough to make the whole thing feel like performance art: hundreds of thousands of servers, 150 million downloads, and a security model that seems to have been assembled from optimism and a bad afternoon.
And then Anthropic did the most on-brand thing possible: it called the behavior “expected.”
That phrase should be tattooed on every security incident report as a warning label. “Expected” is what people say when they want the conversation to stop before anyone asks who signed off on the stupidity. It is the corporate equivalent of shrugging while the kitchen is on fire and insisting the flames are part of the ambiance.
The annoying part is that the criticism here isn’t subtle. If your protocol requires every downstream app to invent its own allowlist, its own sanitization layer, its own “please don’t execute random garbage” gate, then your protocol is not safe by default. It is a liability distribution system. You didn’t solve the problem. You outsourced the blast radius.
That’s the bit everyone keeps trying to prettify. “Developer responsibility.” “Trust boundary.” “Use caution.” Fine. Also: don’t stand under a collapsing bridge and call it structural guidance.
What makes MCP especially stupid is how neatly it fits the current AI industry fantasy. We keep bolting agents onto editors, IDEs, CLIs, and automation pipelines as if giving a model more power automatically makes it useful instead of merely more dangerous. Then we act shocked when the thing that can read instructions, rewrite configs, and spawn subprocesses does exactly what a sloppy attacker would want.
This is not some philosophical edge case. It is the practical cost of pretending “local tool execution” and “internet-scale threat model” are the same sentence.
If you’re using MCP anywhere real, the correct emotional response is not excitement. It’s suspicion. Treat every command field like a loaded gun taped to a keyboard. Treat config editing like code execution. Treat prompt injection as a supply-chain problem, because that’s what it is when the model can mutate the very thing that launches tools.
Maybe that sounds harsh. Good. The industry deserves a little soreness for this one.
The fix is not a motivational poster about “safer agents.” The fix is boring and annoying and therefore unlikely to be adopted until enough people get burned: hard allowlists, signed manifests, least privilege, separate discovery from execution, and a protocol that stops pretending arbitrary shell spawning is a neutral transport feature.
Until then, MCP is exactly what it looks like: shell injection in a tie, smiling through the meeting while the floor drops out underneath it.