Navigating the API Security Risks of MCP in the Age of Agentic AI

By Bill Doerrfeld, Editor-in-Chief, Nordic APIs
As presented at APIsec|CON 2025

Introduction: From API Sprawl to AI Security

At APIsec|CON 2025, Bill Doerrfeld, veteran tech journalist and Editor-in-Chief of Nordic APIs, returned to explore an urgent new frontier: the security implications of Model Context Protocol (MCP)—an emerging standard at the intersection of APIs and agentic AI. Following his 2024 talk on API sprawl, Doerrfeld dives into how AI agents are increasingly using APIs to interact with real-world tools and data, and why this next wave of automation demands a renewed focus on security.

What Is MCP and Why Should You Care?

Model Context Protocol (MCP) is an open-source framework developed by Anthropic that enables AI agents to interact with APIs, services, and tools in a structured, active manner—not just reading data, but also performing write operations. Think of it as the "USB-C for AI"—a standard that lets agents connect to services in a predictable way.

Major players like OpenAI and Google have already embraced MCP, and developers are rapidly deploying thousands of MCP servers to power autonomous agents that drive customer service, backend automation, DevOps, and more.

🔎 But here's the rub: MCP may accelerate innovation—but it also dramatically expands the attack surface.

The Rise of Agentic AI: From Chatbots to Action-Oriented Agents

Doerrfeld highlights that agentic AI is evolving beyond static chatbots. With tools like MCP, AI agents can now:

• Chain together API calls
• Automate complex workflows
• Interact with other agents and services
• Execute real-world actions—not just return answers

Enterprises are already deploying AI agents at scale. According to Doerrfeld's research, leaders at companies like ServiceNow are “infusing AI agents everywhere to reimagine how we work.” Salesforce predicts 1 billion agents in production by the end of next year.

But as AI agents take action, they must do so securely—especially when APIs are involved.

MCP Security Risks: Tool Poisoning, Rug Pulls, and RCE

Despite its promise, MCP carries serious risks. Here are four major vulnerabilities identified by researchers:

1. Tool Poisoning
   Untrusted MCP servers can inject malicious instructions into tool descriptions, enabling indirect prompt injections and stealthy data exfiltration.
2. Rug Pulls
   Trusted tools can turn malicious after being integrated—classic supply chain attack territory.
3. Tool Shadowing
   Malicious tools can masquerade as trusted ones, redirecting requests and causing unexpected interactions or even man-in-the-middle attacks.
4. Remote Command Execution (RCE)
   Shockingly, 43% of MCP servers tested allowed command injection. This opens the door to arbitrary code execution on live systems.

These vulnerabilities are exacerbated by the lack of default authentication in many MCP servers.

Security Best Practices for MCP and Agentic AI

Doerrfeld outlines a growing consensus among security professionals:

Don’t Connect AI Agents Directly to Production APIs

• Use API gateways to enforce access control and rate limiting.
• Introduce abstraction layers to decouple LLMs from critical systems.

Scan and Verify MCP Servers

• Use open-source tools like MCPScan to audit third-party MCP servers.
• Avoid unvetted packages and watch out for typo-squatting and supply chain abuse.

Apply API Security Fundamentals

• Follow the OWASP API Security Top 10 to enforce:
  • Strong authentication and authorization
  • Principle of least privilege
  • Monitoring and logging
• Treat MCP servers as OAuth resource servers, not identity providers.

The Path Forward: Secure by Design

While some argue the vulnerabilities lie more in the AI model behavior than MCP itself, Doerrfeld emphasizes that secure deployment is key. Anthropic has signaled future improvements, including:

• Standardized registries for MCP tools
• Version control best practices
• Authentication plug-ins
• Community contributions via open source

For API-first organizations already following security best practices, the message is clear: you’re better prepared than most.

Final Thoughts: APIs Are the Key to Unlocking—and Securing—Agentic AI

MCP may become the backbone of the AI-native internet, but it must be secured from the ground up. As AI agents proliferate, API security is no longer optional—it’s existential.

"The future of agentic AI depends on secure, structured, API-first architectures."

AppSec and DevSecOps teams must stay ahead of this rapidly evolving threat landscape—because what’s empowering automation today may expose your systems tomorrow.

📥 Resources

• 🎥 Watch the full session on YouTube
• 📄 Read the original research by Invariant Labs
• 🛠️ Explore the MCPScan tool on GitHub
• 📚 Subscribe to Nordic APIs

About the Speaker

Bill Doerrfeld is a veteran tech journalist and Editor-in-Chief of Nordic APIs, the #1 API blog according to Feedspot. He contributes to InfoWorld, The New Stack, CIO.com, and more. Follow him on LinkedIn and Feld.io for future insights on API security, developer strategy, and AI.

‍