Shell Access, File Writes, and Other MCP Red Flags

tldr;

Dangerous capabilities are MCP tools that can execute shell commands, modify files, or access your system, giving a malicious server the ability to run arbitrary code on your machine.

Dangerous capabilities in MCP refer to tools that provide shell command execution, file system access, or other system-level operations that could be exploited by a malicious server to compromise your environment.

What counts as a dangerous capability

Our scanner flags tools that match these patterns:

  • Shell execution: tool names such as run_script, execute_bash, exec_command, or shell
  • Code evaluation: names such as eval or execute, or descriptions that mention running "arbitrary code"
  • File system access: tools that read, write, or delete files
  • System commands: anything described as running "system commands" or "bash commands"
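The patterns above can be applied to the `tools` array an MCP server returns from `tools/list`, which is the only data a client has before it decides to connect. The following is an added illustration, not the scanner's own code or any project's code: the tool list, the JSON-RPC wrapper, and the regular expressions in `CATEGORIES` are all constructed here to mirror the four categories, and a real scanner would maintain a larger pattern set.

```python
import json
import re

# Constructed sample shaped like the "tools" array of an MCP tools/list
# response. These are made-up tools, not output from any real server.
SAMPLE_TOOLS = [
    {"name": "run_script", "description": "Run a script in the project directory",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "list_issues", "description": "List open issues in the tracker",
     "inputSchema": {"type": "object", "properties": {}}},
    {"name": "helper", "description": "Executes arbitrary code sent in the request body",
     "inputSchema": {"type": "object", "properties": {"code": {"type": "string"}}}},
    {"name": "save_note", "description": "Write a file into the notes folder",
     "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}}},
    {"name": "exec_command", "description": "Run system commands on the host",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
    {"name": "get_weather", "description": "Fetch the forecast for a city",
     "inputSchema": {"type": "object", "properties": {"city": {"type": "string"}}}},
]

# A full JSON-RPC tools/list response as the client would receive it over
# the wire (constructed for this example).
SAMPLE_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1, "result": {"tools": SAMPLE_TOOLS}}
)

# Hypothetical pattern table. For each category one regex is tried against
# the tool name and a second against its free-text description. The
# description is written by the server itself, so these are heuristics,
# not proof of safety when nothing matches.
CATEGORIES = {
    "shell_execution": {
        "name": re.compile(r"^(run_script|execute_bash|exec_command|shell)$", re.I),
        "description": re.compile(r"\b(shell|bash)\b", re.I),
    },
    "code_evaluation": {
        "name": re.compile(r"^(eval|execute)$", re.I),
        "description": re.compile(r"\barbitrary code\b", re.I),
    },
    "file_system": {
        "name": re.compile(r"^(read|write|delete)_file$", re.I),
        "description": re.compile(r"\b(read|write|delete)s?\b[^.]*\bfiles?\b", re.I),
    },
    "system_commands": {
        "name": re.compile(r"^(run|exec)_command$", re.I),
        "description": re.compile(r"\b(system|bash) commands?\b", re.I),
    },
}


def tools_from_response(raw):
    """Extract the tools array from a raw tools/list JSON-RPC response string."""
    msg = json.loads(raw)
    return msg.get("result", {}).get("tools", [])


def classify_tool(tool):
    """Return the sorted list of danger categories a single tool matches."""
    name = tool.get("name", "")
    desc = tool.get("description", "")
    hits = set()
    for category, pats in CATEGORIES.items():
        if pats["name"].search(name) or pats["description"].search(desc):
            hits.add(category)
    return sorted(hits)


def scan_tools(tools):
    """Map each flagged tool name to its categories; unflagged tools are omitted."""
    report = {}
    for tool in tools:
        cats = classify_tool(tool)
        if cats:
            report[tool["name"]] = cats
    return report


def requires_consent(tools):
    """True when at least one tool should be shown to the user before connecting."""
    return bool(scan_tools(tools))


if __name__ == "__main__":
    flagged = scan_tools(tools_from_response(SAMPLE_RESPONSE))
    for tool_name, cats in flagged.items():
        print(f"{tool_name}: {', '.join(cats)}")
    print("consent required:", requires_consent(SAMPLE_TOOLS))
```

Running the block flags run_script, helper, save_note and exec_command and leaves list_issues and get_weather alone. Note that `helper` is caught only by its description: a tool with a bland name and an honest description is visible, but a server that lies in both fields passes this check, which is why the scan is a prompt for review rather than a clean bill of health.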

What an attacker can do with these

An MCP tool with shell execution access runs with whatever privileges the server process has, which for a locally launched server means your own user account. From there it can read sensitive files (~/.ssh/id_rsa, ~/.aws/credentials, .env), download and execute arbitrary binaries, exfiltrate your files to an external server, alter configuration, install backdoors, or use your machine as a launchpad for attacks on the rest of your network.

That's a lot of surface area from a single tool permission.

Not all dangerous tools are malicious

Some legitimate MCP servers (like code assistants or DevOps tools) genuinely need these capabilities. The key is informed consent: knowing what a tool can do before granting access.

Staying safe

Only connect to MCP servers from trusted sources. Review tool names, descriptions, and input schemas before connecting, and keep in mind that the description is written by the server itself: a scanner that pattern-matches on it catches honest tools, not tools whose author chose to hide what they do. Use sandboxed environments for untrusted MCP servers, and limit your agent's permissions to the minimum needed for the task.
