MCP Server Design · ~7 min
Wiring in a new MCP server is the moment risk concentrates. One server can quietly hand an attacker private data, untrusted input, and a way out — all three legs at once.
LLMs cannot reliably separate trusted instructions from injected ones. Once untrusted content enters context, it can influence tool calls. So MCP security isn't a prompt problem — it's an architecture problem, and the architecture lens is the lethal trifecta.
The lethal trifecta (Willison, 2025) names three capabilities that are individually fine but catastrophic together:
| Leg | What it means | Examples |
|---|---|---|
| Private data | Secrets, credentials, PII, proprietary code | .env, DB connections, internal repos |
| Untrusted input | Content the agent didn't author and can't fully trust | PR comments, issues, fetched pages, deps |
| External communication | The ability to send data outside the sandbox | HTTP tools, MCP servers with outbound calls |
A single MCP server can supply more than one leg at once — and the failure is silent. Three documented attack shapes, each closed by removing a leg:
A malicious server shadows trusted tools, reads private context, and forwards it externally. Fix: restrict the server's egress.
The agent reads an issue naming a malicious package, installs it (egress), and the package exfiltrates env vars (private data). Fix: remove egress.
One agent rewrites another's config to drop sandbox constraints — granting all three legs. Fix: protect config files from writes.
Notice the pattern: a doc-grounding or web-fetch server quietly supplies the untrusted input leg; a server with outbound HTTP supplies egress. Onboard one onto a principal that already holds private data, and you've closed the trifecta without anyone deciding to.
Audit each execution path, not each agent. Three “Yes” values demand architectural mitigation:
| Execution path | Private? | Untrusted? | Egress? | Safe? |
|---|---|---|---|---|
| Code review agent | Yes | Yes | No | Yes |
| Research agent | No | Yes | Yes | Yes |
| Deploy agent with env vars | Yes | Yes | Yes | No |
| Internal codegen | Yes | No | Yes | Yes |
For coding agents, remove egress first — most tasks need no network, and a default-deny sandbox is a deterministic control the model can't override. As a server author, this is what you build toward: scoped, short-lived credentials injected at runtime; no outbound calls the task doesn't require; config files protected from agent writes.
Tokenizing PII shifts the attack to the token resolver; sandboxing egress shifts it to sandbox-escape. Each removed leg creates a new high-value target that must itself be hardened. The trifecta is a structural heuristic, not a guarantee.
Retrieval practice — recall, don't peek
Question 1The three legs of the lethal trifecta are…
Question 2The trifecta defense is fundamentally to…
Question 3For coding agents, the leg usually cheapest to remove is…
Question 4A doc-grounding or web-fetch MCP server most often supplies which leg?
Question 5 · spaced recall from Lesson 3An MCP error meant for the agent to self-correct is signalled by…