MCP servers give AI models the ability to execute code and read files on your machine. This is powerful, but it requires a security mindset.
Here are the best practices to keep your environment safe.
1. Principle of Least Privilege
Scope your FileSystem server.
- ❌ Bad: args: ["/"] (access to the entire hard drive)
- ✅ Good: args: ["/Users/me/projects/my-app"]
Only give the AI access to the specific folder it needs to work on. If it needs access to another project, add it explicitly.
2. Read-Only by Default
If you are using a database server (Postgres/MySQL), consider connecting with a read-only database user initially. Only switch to a write-enabled user if you specifically want the AI to perform migrations or data entry.
3. Review Tool Calls
Tools like Claude Desktop have “Human in the Loop” enabled by default. Do not turn this off globally.
When Claude says “I want to run rm -rf node_modules”, you want to be the one to click “Approve.”
4. Audit Your Servers
Open Source MCP servers are code. Before installing a random server from GitHub:
- Check the source code.
- Does it make external network calls you don’t expect?
- Does it read files outside its scope?
5. Use Environment Variables for Secrets
Never hardcode API keys in the args array of your JSON config.
- ❌ Bad: "args": ["--api-key", "sk-123"]
- ✅ Good: use the env dictionary in the config.
The JSON config file sits on your disk unencrypted. If you hardcode secrets, anyone with file access can see them.
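The two config-level rules above (scope the FileSystem server to a project folder, keep credentials out of args) are mechanical enough to check automatically. The script below is an added example, not code from the page or from any MCP project: it reads a Claude Desktop-style "mcpServers" JSON block, reports any absolute path in args that falls outside an allowed list of project roots, and reports any credential passed on the command line. The two embedded configs are constructed samples; the server command names ("filesystem-server", "weather-server") and the "WEATHER_API_KEY" placeholder are assumptions, and the "sk-" prefix is the one from the page's own bad example.

```python
import json
import posixpath
import re

# Constructed sample: one server opened on "/" and one server with a key in args.
BAD_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "filesystem-server", "args": ["/"]},
        "weather": {"command": "weather-server",
                    "args": ["--api-key", "sk-123"]},
    }
})

# Constructed sample: the same two servers after applying rules 1 and 5.
# The env value is a placeholder; put the real key there, never in args.
GOOD_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "filesystem-server",
                       "args": ["/Users/me/projects/my-app"]},
        "weather": {"command": "weather-server", "args": [],
                    "env": {"WEATHER_API_KEY": "<value-from-your-secret-store>"}},
    }
})

ALLOWED_ROOTS = ["/Users/me/projects/my-app"]

# A flag whose next argument is almost certainly a credential.
SECRET_FLAG = re.compile(r"(api[-_]?key|token|secret|password)", re.IGNORECASE)
# Well-known credential prefixes: sk- (page example), ghp_ (GitHub PAT),
# AKIA (AWS access key id).
SECRET_VALUE = re.compile(r"^(sk-[A-Za-z0-9]|ghp_|AKIA)")


def is_under(path, root):
    """True if `path` equals `root` or lies inside it (POSIX paths assumed)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root).rstrip("/")
    return path == root or path.startswith(root + "/")


def audit_mcp_config(config_text, allowed_roots):
    """Return a list of (server_name, finding_kind, detail) tuples.

    finding_kind is "broad-path" for an absolute path outside every allowed
    root (rule 1) or "secret-in-args" for a credential in args (rule 5).
    """
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        args = [str(a) for a in spec.get("args", [])]
        for i, arg in enumerate(args):
            # Rule 1: every absolute path handed to a server must sit inside
            # a project folder you chose explicitly.
            if arg.startswith("/") and not any(
                    is_under(arg, r) for r in allowed_roots):
                findings.append((name, "broad-path", arg))
            # Rule 5: a key-looking value, or any value following a flag such
            # as --api-key, belongs in env rather than args.
            follows_secret_flag = (i > 0 and args[i - 1].startswith("-")
                                   and SECRET_FLAG.search(args[i - 1]))
            if SECRET_VALUE.match(arg) or follows_secret_flag:
                findings.append((name, "secret-in-args", args[i - 1]
                                 if follows_secret_flag else "args[%d]" % i))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit_mcp_config(cfg, ALLOWED_ROOTS))
```

Run it against your own claude_desktop_config.json by reading the file into a string and passing the project folders you actually want exposed as allowed_roots. The path check deliberately treats "/" and any parent of your project as a finding, so a server opened on your home directory is reported just like one opened on the drive root.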
Summary
MCP is safe if treated with respect. Treat an MCP server like you would a junior developer: give them access to the repo, but maybe don’t give them root access to the production server on day one.