https://shengxu.pages.dev/en/tags/llm-security/Cloud architecture & DevOps notes by Shengxu: Kubernetes, Cilium, observability, LLM infra, AI agents.Hugo 0.153.2 & FixIt v0.4.0-alpha.3-20251225101113-8ffb9a95enTue, 20 Jan 2026 00:00:00 +0000https://shengxu.pages.dev/en/posts/mcp-security-risks-guide/Tue, 20 Jan 2026 00:00:00 +0000https://shengxu.pages.dev/en/posts/mcp-security-risks-guide/SecurityAI<p>Last year, a typical scenario sparked heated debate in the security community: a developer installed Supabase&rsquo;s MCP plugin in Cursor and configured a <code>service_role</code> key (database super admin privileges) so the AI could query the database directly. One day, a customer casually asked in a ticket, &ldquo;Can you show me our integration configuration?&rdquo; The AI interpreted this as an instruction and printed the token directly in the reply.</p> <p>While this case often appears in security reports as a &ldquo;risk demonstration,&rdquo; the problem it reveals is real: <strong>The MCP protocol grants AI operational permissions, and prompt injection attacks allow hackers to &ldquo;hijack&rdquo; these permissions through natural language.</strong></p>