Learn about important security best practices when integrating MCP servers with your CrewAI agents.
Only connect to MCP servers you trust. A malicious server is not limited to returning bad data: with the Stdio transport, if the server can control the command executed, it is effectively running code on your machine.

When using MCPServerAdapter to connect to an MCP server, ensure you know what the server does and who operates it. For Stdio servers in particular, make sure the command referenced in StdioServerParameters is from a trusted source and has appropriate file system permissions. A malicious Stdio server script could still harm your local system even though it never leaves your machine.
Proxying MCP servers also raise a confused deputy problem. Consider an MCP server (MCP-Proxy) that allows your agent to interact with ThirdPartyAPI. MCP-Proxy uses its own single, static client_id when talking to ThirdPartyAPI's authorization server. You authorize MCP-Proxy to access ThirdPartyAPI on your behalf; during this, ThirdPartyAPI's auth server might set a cookie in your browser indicating your consent for MCP-Proxy's client_id. An attacker then crafts a malicious authorization link that also goes through MCP-Proxy, but is designed to trick ThirdPartyAPI's auth server. Because ThirdPartyAPI's auth server sees your existing consent cookie for MCP-Proxy's client_id, it might skip asking for your consent again. MCP-Proxy might then be tricked into forwarding an authorization code (for ThirdPartyAPI) to the attacker, or an MCP authorization code that the attacker can use to impersonate you to MCP-Proxy.

Mitigation: MCP-Proxy itself should show a consent screen for each client that registers with it, rather than relying on the consent that ThirdPartyAPI remembers for the shared client_id.
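The flow above, simulated end to end as an added example (not code from the CrewAI docs or from any MCP implementation). ThirdPartyAuthServer remembers consent per (user, client_id) in place of the browser cookie; MCPProxy uses one static client_id upstream and redirects MCP authorization codes to whatever redirect_uri its dynamically registered clients supplied. The client IDs, redirect URIs and code formats are constructed for the demo. Run once with the proxy trusting upstream consent (vulnerable) and once with the proxy showing its own per-client consent screen (hardened):

```python
"""Confused-deputy simulation: static upstream client_id vs per-client consent."""
from __future__ import annotations
from dataclasses import dataclass, field
import secrets

PROXY_STATIC_CLIENT_ID = "mcp-proxy-static-client"   # constructed


@dataclass
class ThirdPartyAuthServer:
    """Stands in for ThirdPartyAPI's authorization server."""
    remembered_consent: set = field(default_factory=set)   # the consent "cookie"
    consent_prompts: int = 0

    def authorize(self, user: str, client_id: str) -> str:
        """Issue a code for client_id; only prompt the user if consent is not remembered."""
        if (user, client_id) not in self.remembered_consent:
            self.consent_prompts += 1                 # user sees a screen and approves
            self.remembered_consent.add((user, client_id))
        return f"tp-code-{secrets.token_hex(4)}"


@dataclass
class MCPProxy:
    """MCP-Proxy: one static client_id upstream, many dynamic clients downstream."""
    upstream: ThirdPartyAuthServer
    require_per_client_consent: bool
    registered_clients: dict = field(default_factory=dict)   # client_id -> redirect_uri
    proxy_consent: set = field(default_factory=set)          # (user, client_id) approved here

    def register_client(self, redirect_uri: str) -> str:
        client_id = f"dyn-{secrets.token_hex(4)}"
        self.registered_clients[client_id] = redirect_uri
        return client_id

    def authorize(self, user: str, mcp_client_id: str, user_approves) -> tuple[str, str | None]:
        """Return (redirect_uri that receives the code, MCP code or None if denied)."""
        redirect_uri = self.registered_clients[mcp_client_id]
        if self.require_per_client_consent and (user, mcp_client_id) not in self.proxy_consent:
            if not user_approves(mcp_client_id):       # the proxy's own consent screen
                return redirect_uri, None
            self.proxy_consent.add((user, mcp_client_id))
        # Upstream will not prompt again: consent for the static client_id is remembered,
        # whoever initiated this request.
        upstream_code = self.upstream.authorize(user, PROXY_STATIC_CLIENT_ID)
        return redirect_uri, f"mcp-code-for-{upstream_code}"


def run_scenario(require_per_client_consent: bool) -> dict:
    """Legitimate client connects first; then an attacker-registered client rides the cookie."""
    upstream = ThirdPartyAuthServer()
    proxy = MCPProxy(upstream, require_per_client_consent)
    legit = proxy.register_client("http://localhost:8765/callback")      # constructed
    attacker = proxy.register_client("https://attacker.example/steal")   # constructed

    def user_approves(client_id: str) -> bool:
        return client_id == legit        # the user only recognises the client they set up

    legit_dest, legit_code = proxy.authorize("alice", legit, user_approves)
    evil_dest, evil_code = proxy.authorize("alice", attacker, user_approves)  # the malicious link
    return {
        "legit_code_delivered_to": legit_dest if legit_code else None,
        "attacker_received_code": evil_code is not None,
        "attacker_destination": evil_dest,
        "upstream_prompts": upstream.consent_prompts,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(require_per_client_consent=False))
    print("hardened:  ", run_scenario(require_per_client_consent=True))
```

In the vulnerable run the upstream server prompts exactly once, and the second authorization code lands at the attacker's redirect URI without anyone being asked. The hardened proxy never reaches the upstream server for the unrecognised client, because its own consent step fails first.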
DNS rebinding lets a malicious web page bypass the browser's same-origin policy and reach servers that are only meant to be reachable from the local machine (localhost) or intranet. This is particularly risky if you run an MCP server locally (e.g., for development) and an agent in a browser-like environment (less common for typical CrewAI backend setups), or if the MCP server is on an internal network.

Mitigation Strategies for MCP Server Implementers:

- Validate Origin and Host headers: MCP servers (especially SSE ones) should validate the Origin and/or Host HTTP headers to ensure requests are coming from expected domains/clients.
- Bind to localhost (127.0.0.1): When running MCP servers locally for development, bind them to 127.0.0.1 instead of 0.0.0.0. This prevents them from being accessible from other machines on the network.

On the client side, prefer https URLs for remote servers. MCPServerAdapter will respect the scheme (http or https) provided in the URL, so an http URL means the connection is unencrypted.
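Both server-side mitigations in code, as an added example that is not CrewAI or MCP SDK code, using only the Python standard library. During a DNS rebinding attack the browser puts the attacker's hostname in Host (and, if the request is cross-origin, in Origin), so checking those headers against an allowlist refuses the request even though it arrives on the loopback interface. The port, allowlisted names and the two sample header sets are constructed for the demo:

```python
"""Origin/Host validation for a loopback-only SSE endpoint."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BIND_ADDR = ("127.0.0.1", 8000)          # loopback only, never 0.0.0.0 for a dev server
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8000", "http://localhost:8000"}


def request_is_allowed(headers: dict) -> tuple[bool, str]:
    """Accept only requests whose Host (and Origin, when present) we actually serve.

    Host is the check that must never be skipped: a rebound page fetches
    http://attacker.example:8000/ as a same-origin request, so the browser may send
    no Origin header at all, but Host still says attacker.example:8000.
    Origin is absent for non-browser clients (an agent process) too, which is why
    its absence is tolerated while an unexpected value is rejected.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    host = lower.get("host")
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, f"unexpected Host header: {host!r}"
    origin = lower.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, f"unexpected Origin header: {origin!r}"
    return True, "ok"


class GuardedSSEHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok, reason = request_is_allowed(dict(self.headers.items()))
        if not ok:
            self.send_error(403, reason)
            return
        # Minimal SSE response; a real MCP server would stream JSON-RPC events here.
        self.send_response(200)
        self.send_header("Content-Type", "text/event-stream")
        self.end_headers()
        self.wfile.write(b"event: ready\ndata: {}\n\n")


def serve() -> None:
    """Bind to 127.0.0.1 so other machines on the network cannot reach the server."""
    with ThreadingHTTPServer(BIND_ADDR, GuardedSSEHandler) as httpd:
        httpd.serve_forever()


# Constructed header sets: a local agent process, and a rebound browser request.
LOCAL_AGENT_REQUEST = {"Host": "127.0.0.1:8000", "Accept": "text/event-stream"}
REBINDING_REQUEST = {"Host": "attacker.example:8000", "Accept": "text/event-stream"}

if __name__ == "__main__":
    print(request_is_allowed(LOCAL_AGENT_REQUEST))   # (True, 'ok')
    print(request_is_allowed(REBINDING_REQUEST))     # rejected on Host
    serve()
```

If the server is deployed behind a reverse proxy, the allowlist has to contain the public host name the proxy forwards, and the proxy itself must be the only thing able to reach the bound address.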
) and simply passes it through to another downstream API (ServiceB
) without proper validation. Specifically, ServiceB
(or the MCP server itself) should only accept tokens that were explicitly issued for them (i.e., the ‘audience’ claim in the token matches the server/service).
Risks:
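The audience check itself, as an added example (not CrewAI or any MCP server's code): a minimal HS256 JWT issuer built on the standard library and the verification ServiceB should perform before honouring a token. The signing key, issuer and subject are constructed for the demo. A token minted for ServiceA verifies for ServiceA and is rejected when a passthrough proxy presents it to ServiceB:

```python
"""Audience verification that defeats token passthrough."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-shared-hs256-key"   # constructed; shared with the auth server


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audience: str, key: bytes = SIGNING_KEY, ttl: int = 300) -> str:
    """Issue an HS256 JWT whose aud names the single service it is valid for."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "auth.example", "sub": subject, "aud": audience,
              "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_for_service(token: str, expected_aud: str, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """What ServiceB (or the MCP server) must do: signature, expiry, then audience."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":               # never let the token pick the algorithm
            return False, "unsupported alg"
        expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                                 # covers bad base64, bad JSON, wrong part count
        return False, "malformed token"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in audiences:
        return False, f"audience mismatch: token is for {aud!r}, not {expected_aud!r}"
    return True, "ok"


def passthrough_proxy(token_from_agent: str) -> tuple[bool, str]:
    """The anti-pattern: forward the agent's ServiceA token to ServiceB unchanged."""
    return verify_for_service(token_from_agent, expected_aud="ServiceB")


if __name__ == "__main__":
    agent_token = mint_token("alice", audience="ServiceA")
    print(verify_for_service(agent_token, "ServiceA"))   # (True, 'ok')
    print(passthrough_proxy(agent_token))                # audience mismatch
```

If the MCP server genuinely needs ServiceB, it should call ServiceB with a credential issued to the server itself, or exchange the agent's token for one whose aud is ServiceB, and never forward the agent's token as-is.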
Apply least privilege throughout:

- Any credentials used by MCPServerAdapter should have only the permissions needed to access the required tools.
- Validate tool inputs on the server side (for example, reject file paths containing ../ sequences) so a tool cannot be steered outside the data it is meant to reach.
- Make sure the process that runs an MCP server (for example, a command launched over Stdio) has only the minimum necessary permissions. Tools themselves should also operate with the least privilege required to perform their function.
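Two of these points have direct code counterparts. The added example below is not CrewAI or MCP SDK code, and its paths and variable names are constructed: a containment check that rejects ../ and absolute paths by resolving them rather than string-matching, and an allowlisted environment for a Stdio server process so it does not inherit every secret held by the parent:

```python
"""Least-privilege helpers for an MCP tool server: path containment and a minimal env."""
import os
from pathlib import Path
from typing import Optional


def resolve_under(base_dir: str, requested: str) -> Path:
    """Map a client-supplied path onto base_dir, refusing anything that escapes it.

    Resolving both sides collapses '..' segments and symlinks before the containment
    check, so 'reports/../../etc/passwd' and '/etc/passwd' are both rejected.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()     # an absolute 'requested' replaces base here
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {requested!r}")
    return candidate


def is_safe_path(base_dir: str, requested: str) -> bool:
    try:
        resolve_under(base_dir, requested)
        return True
    except ValueError:
        return False


# Only these variables reach a Stdio server process; cloud credentials and API keys
# for other tools that happen to be in the parent's environment stay out.
STDIO_ENV_ALLOWLIST = ("PATH", "HOME", "LANG")


def minimal_env(extra: Optional[dict] = None, parent_env: Optional[dict] = None) -> dict:
    """Build an explicit env for a Stdio server instead of inheriting os.environ."""
    source = os.environ if parent_env is None else parent_env
    env = {k: source[k] for k in STDIO_ENV_ALLOWLIST if k in source}
    env.update(extra or {})
    return env


if __name__ == "__main__":
    print(is_safe_path("/srv/docs", "reports/q1.txt"))            # True
    print(is_safe_path("/srv/docs", "reports/../../etc/passwd"))  # False
    print(minimal_env({"DOCS_ROOT": "/srv/docs"},
                      parent_env={"PATH": "/usr/bin", "AWS_SECRET_ACCESS_KEY": "would-leak"}))
```

The dictionary returned by minimal_env is what you pass as env to StdioServerParameters (from the mcp package); the server process should additionally run as an unprivileged OS user, which no environment setting can substitute for. Decode URL-encoded input before calling resolve_under, since the check works on the final path, not on its encoding.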