Is it safe to let an AI agent call an MCP tool?
Short answer: no MCP tool is verifiably "safe," because "safe" is not a property you can prove about a remote tool you did not write. What you can do is bound the risk. Know what each tool is able to do before you connect it, pin the contract it declared, and hold the call if that contract later changes.
Why "safe" is the wrong question
An MCP tool is described to your agent as a name, parameters, constraints, and annotations. That description is a claim, not a guarantee. The server is remote and can change what the tool does after you connect it, with no version bump your client notices. So the honest question is not "is this tool safe," it is "do I know what this tool can do, and will I notice if that changes."
Three things you can actually check
- Blast radius. Before you trust a tool, know its class of action: does it read, write, delete, or send data off your machine, and is that action reversible. A tool that can delete files or move money is a different risk than one that reads a record.
- Contract integrity over time. Pin the tool's declared contract on first sight and diff it on every later call. A tool that quietly redefines itself, same name, now writes instead of reads, is caught as a specific change rather than waved through.
- The auth gap. Authentication and allow-lists answer who may call a tool. They do not tell you the tool still does what it claimed. A fully authorized call to a server that changed its contract passes every auth check you have.
What this does not do
None of this is a safety verdict. A pinned, blast-radius-labeled tool with an honest description can still be a high-capability tool you should think twice about granting. The point is to make the decision with the facts in front of you, not to outsource it to a green checkmark.
See it for your own setup
Paste your mcp.json into the blast-radius scan to see, per tool, what your agent can actually do. If you already run tools in Cursor, Claude Desktop, Cline, or Zed, the drift gate pins each contract and holds the call when it changes.
- Is it safe to let an AI agent call an MCP tool?
- No MCP tool is verifiably safe, because safety is not a property you can prove about a remote tool you did not write. What you can do is bound the risk: know each tool's blast radius before connecting it, pin the contract it declared, and hold the call if that contract later changes.
- What is an MCP tool's blast radius?
- Its class of action: whether the tool reads, writes, deletes, or sends data off your machine, and whether that action is reversible. A tool that can delete data or take irreversible actions is a higher-risk grant than one that only reads.
- Does authentication or an allow-list make an MCP tool safe?
- No. Authentication and allow-lists answer who is allowed to call a tool. They say nothing about whether the tool still does what it declared when you connected it. A fully authorized call to a server that quietly changed its contract passes every auth check you have.
- Can an MCP tool change what it does after I connect it?
- Yes. MCP servers are remote and can change a tool's contract with no version bump your client notices. A tool described as read-only on Monday can be redefined to write on Tuesday under the same name, and your agent will call it with the old assumptions unless something pins and diffs the contract.