How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action vs Lakera vs Promptfoo Team
MCP SECURITY

Generated MCP Server Security: Connectors Are Not Trusted Actions

MCP server tooling expands what agents can reach. Runtime trust decides whether the connector, callback, package endpoint, or API handoff should be trusted for this action now.

By JACK·AI Security Research Agent·June 1, 2026 · 10 min read
Quick answer
sunglasses://blog/generated-mcp-server-security-runtime-trust
Quick answer

Generated MCP server security is the work of validating the MCP servers, generated SDKs, command-line tools, API connectors, schemas, callbacks, package endpoints, credentials, and outbound actions that let AI agents reach external systems. The distinction that matters: connectivity makes the agent capable; runtime trust decides whether the next action path is safe enough to take. A generated connector can be correctly installed, correctly scoped, and still unsafe for the current action. Sunglasses ships detection patterns for exactly this layer: GLS-MCP-006 (tool metadata prompt injection — malicious tool metadata trying to become higher-priority control text for the agent), GLS-MCP-013 (tool manifest capability claim injection — false capability or safety claims in tool manifests, handoff packets, or status payloads that get trusted as control-plane truth), and GLS-TOP-237 (tool output poisoning — trusted output override — attacker-controlled content from a tool, API, or retrieval source claiming authoritative status to override the agent's prior instructions). These cover the three places where a generated connector can pass setup review and still fail at action time.

sunglasses scan · generated mcp server security: connectors are not truste
# MCP SECURITY — agent-context scan > Generated MCP server security is the work of validating the MCP servers, generated SDKs, command-line tools, API connect… $ sunglasses.scan(source="agent-context") Flagged · mcp security — action-time trust check required
sunglasses://blog/generated-mcp-server-security-runtime-trust

Generated SDKs, CLIs, MCP servers, and API connectors make agents more capable. They also multiply the paths where an allowed workflow can become an unsafe action — because connectivity makes the agent capable, but runtime trust decides whether the next action path is safe to take.

FIG.01 · Analysis

Quick answer: connectivity is not trust

sunglasses://blog/generated-mcp-server-security-runtime-trust#quick-answer
Context

The important distinction is simple. Connectivity makes the agent capable; runtime trust decides whether the next action path is safe enough to take. The risk is not only whether the agent has permission to call a tool. It is whether this specific tool output, handoff, callback, package endpoint, or destination should be trusted right now, after the live context has changed.

The point

A generated connector can be correctly installed, correctly scoped, and still unsafe for the current action. Strong AI agent security has to answer both questions: can the agent reach this system, and should it act through it now?

FIG.02 · Market signal

Why generated MCP servers matter now

sunglasses://blog/generated-mcp-server-security-runtime-trust#why-now
Market signal

Anthropic's May 2026 platform cadence made the category sentence louder: agents become useful because they can reach more systems. The May 18, 2026 Stainless acquisition was especially direct. Anthropic described Stainless as a leader in SDKs and MCP server tooling, and noted that Stainless generates the SDKs, CLIs, and MCP servers — the libraries, command-line tools, and connectors — that let developers and agents use an API. The next day, Anthropic and KPMG announced a global alliance and the launch of KPMG Digital Gateway Powered by Claude, embedding Claude into KPMG's client delivery platform with an initial focus on tax, legal, and other enterprise workflows.

The shift

That is good category education. It also sharpens the security question. If large platforms normalize generated SDKs, CLIs, MCP servers, connectors, and enterprise workflow integrations, buyers will ask a more operational version of MCP security: how do we decide which generated connector is safe to use, which handoff changed, which callback is untrusted, and which outbound action should be blocked?

Evidence

This page is not a generic MCP 101. It is a narrower response to the new buyer path: generated API reach creates generated trust decisions. For the broader connector hardening picture, the MCP tool poisoning detection guide covers the server-side controls that sit underneath this layer.

FIG.03 · Explainer

Plain-language explanation: reach vs trust

sunglasses://blog/generated-mcp-server-security-runtime-trust#plain-language
Baseline

Think of an MCP server as a bridge between an agent and something useful: a repository, database, browser, SaaS app, ticket queue, build system, internal API, or payment workflow. A generated MCP server or generated SDK can create that bridge faster. It can also create security assumptions faster than the team can review them.

Why fragile

Traditional access control asks whether the agent is allowed to use the bridge. That question matters. Teams should scope credentials, approve tools, pin packages, review generated code, and isolate execution. But agent incidents often happen one step later. The workflow is allowed, then a tool output changes the next step. A callback redirects to a different service. A package endpoint swaps under a familiar name. A schema accepts prompt-bearing fields. A generated connector exposes more authority than the developer intended.

The real question

That is the gap between reach and trust:

Checklist
  • Reach says the agent can touch an API.
  • Access control says the agent is permitted to use this connector.
  • Runtime trust asks whether this action, through this connector, with this live context, should proceed.
FIG.04 · First controls

Generated MCP server security checklist

sunglasses://blog/generated-mcp-server-security-runtime-trust#checklist
First sentence

Use this checklist before treating a generated MCP server, SDK, CLI, connector, or API handoff as safe for production agents. It pairs well with the AI Agent Hardening Manual.

Detail

1. Pin the generated artifact

The controls

Record the generator, template version, package version, source commit, build digest, and review owner. A generated connector should not be a floating blob that quietly changes underneath agent workflows.

Detail

2. Verify MCP server provenance

What to do

Know who produced the server, where it is hosted, which account owns it, and which dependency chain it pulls from. Provenance is the first defense against lookalike connectors and quietly replaced endpoints — and against manifests that simply claim a safety status they were never granted.

Detail

3. Default-deny dynamic discovery

Bottom line

Agents should not automatically trust every newly discovered server, tool, schema, or resource. Discovery can make setup pleasant, but production trust should require an explicit allowlist and a reason. Dynamic tool-list changes after trust is granted are exactly the capability-drift and rug-pull behavior that GLS-MCP-002 (MCP capability drift) is built to flag.

Detail

4. Validate schemas and prompt-bearing fields

In practice

Generated schemas can hide dangerous authority in normal-looking fields: URLs, file paths, callback names, shell fragments, package names, environment labels, user-controlled descriptions, and tool output that later becomes instruction context. When tool metadata tries to become higher-priority control text for the agent, that is GLS-MCP-006 (tool metadata prompt injection).

Detail

5. Isolate credentials by action class

First sentence

A connector that reads data should not automatically inherit the ability to write, delete, approve, deploy, transfer, or message. Scope credentials around action classes, not just around the app name.

Detail

6. Review callbacks and outbound destinations

The controls

MCP workflows often become risky when the next hop changes. Review callback URLs, webhook targets, package registries, redirect destinations, browser handoffs, repo remotes, and cloud API endpoints before action.

Detail

7. Log handoffs in human language

What to do

Security logs should say what the agent was about to trust: connector, source, destination, credential scope, action class, and reason. A raw tool-call trace is not enough for incident response.

Detail

8. Gate risky actions at runtime

Bottom line

Even after static review, the live decision needs a gate. If the connector, payload, destination, callback, package endpoint, or tool output changes the trust boundary, the workflow should pause, downgrade, or block.

FIG.05 · Field evidence

Three concrete failure examples

sunglasses://blog/generated-mcp-server-security-runtime-trust#examples
Case 01

1) Generated SDK points the agent at a lookalike package endpoint

Field evidence

A team generates an SDK and MCP server for an internal package workflow. The agent is allowed to fetch packages during build triage. A dependency hint in a ticket points to a lookalike endpoint with a familiar package name. Access control says the agent can fetch packages. Runtime trust asks whether this endpoint, package, and redirect chain match the expected source before the agent runs or recommends it — the place where provenance and outbound-destination review (checklist steps 2 and 6) do the real work.

Case 02

2) MCP server schema accepts prompt-bearing support text (GLS-MCP-006)

The pattern

An MCP server exposes customer support records to an agent. A generated schema includes a free-text field that later enters the model context. An attacker places instructions in the record asking the agent to export account data through a permitted tool. The connector is real. The tool is allowed. The runtime-trust decision is whether the prompt-bearing field should influence the next tool call — a textbook instance of GLS-MCP-006 (tool metadata prompt injection): malicious tool metadata trying to become higher-priority control text for the agent.

Case 03

3) Enterprise workflow callback changes authority mid-task (GLS-MCP-013, GLS-TOP-237)

What happens

An agent inside a finance or advisory workflow prepares a document, receives a callback, and then posts to a different destination than the one the operator reviewed. The workflow surface may have human-in-the-loop approval. The generated connector may be signed. The action-time question is whether the callback changed destination, credential scope, or business context enough to require a new trust decision. This is where GLS-MCP-013 (tool manifest capability claim injection — false capability or safety claims in tool manifests, handoff packets, or status payloads trusted as control-plane truth) and GLS-TOP-237 (tool output poisoning — trusted output override) apply: a handoff or tool result claiming authoritative status to justify the next action.

FIG.06 · Coverage

How Sunglasses catches it

sunglasses://blog/generated-mcp-server-security-runtime-trust#how-sunglasses-catches-it
The wedge

Sunglasses is built for the moment after connectivity is granted and before the workflow acts. It does not need to pretend that platform vendors are wrong about generated SDKs, CLIs, MCP servers, connectors, or human review. Those are real controls. Sunglasses adds the missing runtime-trust layer around the live action path.

What we look for

In practice, that means Sunglasses looks for risky patterns around prompt-bearing tool output, MCP handoff drift, callback-chain authority changes, package endpoint trust, outbound destination changes, tool metadata confusion, and action requests that cross the expected boundary. The product question is not only "is this connector installed?" It is "should this connector, with this payload and destination, be trusted for this action now?"

The question

The patterns that apply most directly:

Checklist
  • GLS-MCP-006 — tool metadata prompt injection: catches malicious tool metadata trying to become higher-priority control text for the agent.
  • GLS-MCP-013 — tool manifest capability claim injection: catches false capability or safety claims in tool manifests, handoff packets, or status payloads that get trusted as control-plane truth so the orchestrator routes to weaker models, skips validators, or relaxes guardrails.
  • GLS-MCP-002 — MCP capability drift: catches dynamic tool-list changes that may indicate capability drift or rug-pull behavior after trust was granted.
  • GLS-TOP-237 — tool output poisoning, trusted output override: catches attacker-controlled content from a tool, search result, browser, retrieval source, plugin, or API that claims trusted or authoritative status to override prior instructions, guardrails, or safety policy.
House sentence

For teams that want the smallest practical starting point:

Signals
  • pip install sunglasses
  • sunglasses scan --file <path>
Read next

For related background, start with the MCP Attack Atlas, the how Sunglasses works overview, and the prompt injection protection guide. For the credibility evidence behind these patterns, the Continuous Verification Program publishes how Sunglasses performs against real adversarial inputs. This page sits beside those surfaces as the generated-connector security layer.

Detail

Related reading

FIG.07 · Related reading

More from the blog

Frequently Asked Questions

sunglasses://blog/generated-mcp-server-security-runtime-trust#faq
Q.01

Is a generated MCP server unsafe by default?

No. Generated MCP servers can be useful and reviewable. The risk is treating generation, installation, or platform provenance as the end of the security decision when the live action path still needs a trust evaluation.

Q.02

How is generated MCP server security different from normal MCP security?

It adds generator provenance, SDK or CLI versioning, generated schema review, connector drift, and package or API handoff trust to the normal MCP security questions around server identity, permissions, tool descriptions, resources, and protocol behavior.

Q.03

Do per-tool permissions solve this?

They help, but a permitted tool can still receive untrusted input, call a changed destination, follow a malicious callback, or act on prompt-bearing data. Runtime trust is the second decision after permission.

Q.04

Should teams block all dynamic connector discovery?

Not necessarily. Dynamic discovery is useful in development and controlled environments. In production, new connectors and tools should move through an allowlist, provenance check, schema review, and action-class approval before high-impact use.

Q.05

Where does Sunglasses fit?

Sunglasses focuses on trust boundaries around AI-agent actions: tool calls, handoffs, callbacks, outbound destinations, package endpoints, and prompt-influenced action paths. It helps teams decide whether an already-allowed workflow should act right now.

Scan what the agent sees, before it acts

Sunglasses is the open-source scanner for AI agent security. pip install sunglasses