I think they’re saying you could start up the mcp and pass it creds/auth for some downstream service, and then the LLM uses the tool and has auth but doesn’t know the creds.

▲

simonw 6 hours ago | parent | next [-]

Right. If you're running a CLI tool that is authenticated there's effectively no way to prevent the coding agent from accessing those credentials itself - they're visible to the process, which means they're visible to the agent.

With MCP you can at least set things up such that the agent can't access the raw credentials directly.

	▲	zbentley 5 hours ago \| parent [-]
		This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil. (Moved from wrong sub)

▲

staticassertion 3 hours ago | parent | prev | next [-]

Oh. Yeah, that's neat at least. I don't think it's a big deal but that's nice enough.

▲

JambalayaJimbo 5 hours ago | parent | prev | next [-]

The MCP implementation is itself an agent right? Is that not just pushing the problem somewhere else?

Also, I run programs on my machine with a different privilege level than myself all the time. Why can’t an agent do that?

	▲	conception 5 hours ago \| parent \| next [-]
		No, mcp just is a server that returns prompts to the llm. The server can be/do whatever. You can have an echo mcp that list echoes back whatever you send it.
	▲	simonw 5 hours ago \| parent \| prev [-]
		I define the agent as the harness that runs the LLM in a loop calling tools. The MCI implementation is one of those tools. I wouldn't call an MCP implementation an agent.

▲

6 hours ago | parent | prev [-]

[deleted]