MCP servers can’t be the future, can they?
Posted by kabooozie@reddit | programming | View on Reddit | 228 comments
From what I understand, an MCP server is just like a really badly slopped together RPC protocol that gets LLMs to interact with other systems.
So…we are just going to run dozens or hundreds of MCP servers locally for our LLMs to access all the tools? This can’t be what AI hypers believe the future is going to be, is it? We are going to burn GPU cycles instead of just making a database call with psql? This can’t be the way…
EventSevere2034@reddit
My issue with MCP is that the LLM is in the driver's seat. LLMs are not turing complete and have a limited capacity for reasoning, however they do have an insane amount of information and are very good at taking unstructured data and structuring it. The fact that MCP is built around the idea that the LLM is the part that reasons and creates the final result seems to be designed to maximize the consumption and production of tokens (which obviously the AI companies want since that's what they charge for).
I wouldn't trust this methodology with domains that require little to no hallucinations.
kabooozie@reddit (OP)
Ding ding ding. The assumption is the LLM will execute the logic, sometimes defining and executing the logic on the fly.
I like your idea to use LLMs to do what they are good at, like structuring unstructured data (and then perhaps run some data validation logic to make sure), as part of a more deliberately designed business application.
Unfortunately, as you point out, that doesn’t maximize the number of tokens used and doesn’t fulfill the goal of replacing human labor with autonomous AI agents.
tmetler@reddit
My perspective is that MCP is basically just OpenAPI for tool calls. It's useful and the self discovery mechanism is nice, but it's just a protocol wrapper around APIs. It's a nice convenience, but we were already using API wrapper tool calls before MCP so it doesn't enable anything new. I still like it though, just like I like OpenAPI.
Pleasant-Photo-9933@reddit
Interesting to see all these discussions as we are releasing our own MCP server.
scruffles360@reddit
Maybe the MCPs you see are different than that I’ve seen, but most of ours are just wrappers around API calls with some extra prompts and context for the agent. They’re still just as secure as the API. They still use oauth tokens restricted by the users access.
Also servers can be entirely remote. The dozens of “servers” configured can just be URLs. No gpu need (for the MCP at least).
Antique-Clothes-6603@reddit
I agree to this
CitrusShell@reddit
Quite often, outside of Fortune 500 sized companies, devs have fairly high levels of access to some systems, on the basis that we broadly trust them - access which should probably not be given to an LLM (and by extension an external company) to do whatever it wants with. My team has permissions to do things that could cause some serious harm to systems, so an MCP that e.g. allows arbitrary network access authenticated with my personal details is a serious security risk.
Perhaps it makes more sense in companies where you can limit specific tools to have precisely the limited read-only access they need, but realistically, that isn't most companies.
dem_eggs@reddit
I think a lot of companies are in for a series of rude awakenings as the product management vision for these sorts of things runs into the security reality - all output from an LLM needs to be treated like it's material recovered from Chernobyl, but that's in conflict with things being magical and you just telling the computer what to do and it automatically figuring it out. "Agentic" things from what I've seen so far are even worse than the run of the mill AI features folks are adding.
Maybe some huge company will fuck up badly and publicly enough that we'll snap back to reality but for the forseeable future I think the only sane move is to disable nearly every GenAI feature made available to me.
cedarSeagull@reddit
Should probably add that in many fortune 500 companies the access is just sloppy and devs often find themselves deeply overpermissioned. Fortune 500 just means the business succeeded one way or another, not that the technical execution was clean. At Google you'll find that things are locked down well, at Kroger... probably not so much.
StoicNaps@reddit
I've worked with multiple fortune 500 companies and am currently now. My experience has been when they get to that level they hire top quality individuals to architect their software and security become paramount. I'll grant that this may not be the case across the board, I've worked for only 3 of them, but that's just been my experience.
jarf1337@reddit
Kroger is very tech forward. I'd make that accusation at someone like Lowe's instead
Ran4@reddit
Devs being overpermissioned (...and underpermissioned) is a thing absolutely everywhere, at all scales.
In theory, that's something to be upset about, but in practise that's just how it's going to be. At no point will user permissions ever be exactly matching.
cedarSeagull@reddit
Could not agree more.
TheRealStepBot@reddit
I mean that’s sort of the point of the mcp server, no? It’s precisely another layer you can use to explicitly limit access without needing to rework the whole api. You can create all sorts of interesting authentication and rbac flows that you use to constrain access even further but immediately you already can say this is an llm doing this, don’t give it that access.
SanityInAnarchy@reddit
Every time these come up, I ask how we're going to sandbox these "agents", and the answer is always the same: We aren't. The LLM is going to be able to do whatever it "wants", including running any local shell command it can trick the user into approving.
scruffles360@reddit
Absolutely. No way I would give an agent access to an api that wasn’t properly locked down. That said I am in one of those giant enterprises, and all our apis have user permission that lock access down petty well - usually both per property and per record.
We also haven’t been giving MCPs write access (even when properly locked down) unless it’s for something completely benign. Not every agent has support to prompt the user with confirmation before making changes. I suspect that will improve over time though.
CraigOpie@reddit
The most correct explanation on here. I’m not sure where OP is getting his understanding of MCP.
Cualkiera67@reddit
MCP is just a protocol for json bodies as far as i understand.
What i don't get us what is a "local server". The point of client server architecture is to communicate 2 remote machines no? If you just have one local machine, why bother splitting? It's like taking half of your code are placing it in another process for some reason...
scruffles360@reddit
MCP supports different transports so you can have everything local or separated into a multi tier stack. Maybe you have three agents and good control over them. Maybe you have thousands and updates would be a pain. You have options either way.
gjionergqwebrlkbjg@reddit
Why have two different methods of doing the same? You still use IPC of some sort to interact with your own postgres, why would MCP be different?
redactedbits@reddit
I mean, this subreddit isn't a big fan of AI. I'm not surprised to see this kind of understanding.
GetPsyched67@reddit
Even the most coked up AI bros have huge misunderstandings about AI. This isn't a "not a big fan of AI" issue.
stylist-trend@reddit
It's unfortunately - I go back and forth on AI, but if you look at the top posts of the past month on this subreddit, almost all of the top 20 are in some way about how AI is bad.
Like, I can definitely understand a lot of the issues people have with it, and I don't disagree with them, but I feel like it's just the same thing looped over and over again, and it's drowned out everything else even remotely programming-related.
wrosecrans@reddit
Blame the AI maximalists for the constant deluge of AI discussion drowning out anything actually programming related. If people are posting about the harms and flaws of AI, that's a response to the pro-AI push, not an independent anti-AI push existing in a vacuum.
stylist-trend@reddit
I'm talking specifically about what's in r/programming though.
I subscribed to this subreddit because I'm interested in programming. I get that people feel strongly about AI in both directions, but I'm not interested in either direction. That has very strong "Blame the Democrats for angry Republicans" energy.
At the very least, I'd love it if the subreddit could enforce an "AI" or "Anti-AI" tag so I could filter it out.
recycled_ideas@reddit
This is a generic programming sub and for better or worse AI is the biggest thing out there impacting programming at the general level of this sub.
yur_mom@reddit
This sub is a bunch of dinosaurs clinching to their code monkey jobs for dear life...I have been programming for 30 years and am having no issues convert to using AI for dev and it has worked great for me. I am.
wutcnbrowndo4u@reddit
The consensus in this sub is driven by people having trouble dealing with their emotional reactions to the upheavals in the tech labor market. It's not super different to a loud subset of the artist community a couple years ago. Though at least they had the excuse of it being much more difficult to separate "art as deeply-human craft" from "art as economic endeavor". I don't use AI tooling for the fun parts of my personal programming projects, but it's a heavy lifter whenever the emphasis is producing results. Oddly, everyone who gives me money seems to do it mostly for the latter
grauenwolf@reddit
No, we're having trouble dealing with our emotional reactions to having massive security holes in our systems that could destroy the companies we work for.
wutcnbrowndo4u@reddit
I'm not talking about irresponsible mcp use or anything specific. I'm responding to a specific comment talking about the general consensus of this sub wrt AI, like threads where the majority of comments/upvotes are supporting views like "contemporary AI tooling can't increase productivity without making your output garbage".
Its entirely possible to be concerned about sandboxing, hallucination, etc without taking the maximalist fatalist view that predominates here
TheRealStepBot@reddit
“unDeRsTAnDiNg”
amestrianphilosopher@reddit
There’s nothing to understand. It isn’t even a protocol. It’s literally just vibes lmao
stylist-trend@reddit
It's literally standardized commands defined over JSON-RPC, what are you talking about
amestrianphilosopher@reddit
“Yeah bro like send some JSON or something over the wire” is not a protocol, sorry
stylist-trend@reddit
So the difference between a protocol and "vibes" is saying "yeah bro" while using the procotol? What the fuck lmao
amestrianphilosopher@reddit
You should look up the definition of a protocol instead of talking for the sake of talking. MCP is pretty much just a checklist of things to think about. That’s it. It’s not a protocol. It just says “pass data as JSON and like maybe think about including these things? Idk”. That’s not a protocol
stylist-trend@reddit
The only evidence you have that MCP isn't a protocol is saying "yeah bro" and "or something" and "maybe idk".
Like, if you're not trolling, this is wild lmao
amestrianphilosopher@reddit
Straw man after straw man, you’re such a dumbass lol
stylist-trend@reddit
Your entire argument is a strawman. You still haven't explained why it's "vibes".
If I'm such a dumbass (which of course the "yeah bro as evidence" person would go there), then explain it to me.
amestrianphilosopher@reddit
I think you don’t know what a straw man is, so I’ll start there
You made this claim. Not me. I used the words “yeah bro” but did not say that using those words is the differentiator between something being a protocol or not. Yet this is the point that you continue to “argue” against
MCP can at best be thought of as a spec, similar to OpenAPI. We agree to publicize the list of available methods (though the format is extremely loosely defined and implemented differently everywhere) and that information is passed around via JSON
There’s no exact specification of the structure, and critically no definition of how that JSON will be sent/retrieved, which is the most important part. Without this, we can’t call it a protocol
So what we’ve essentially said is: servers should advertise capabilities, clients should query those capabilities and call them in a structured way, and both sides should wrap that in JSON-RPC so the interaction is machine-readable.
What part of that sounds like a protocol? That’s not really a valuable thing to define as it’s so high level and general. It applies to all systems
TheRealStepBot@reddit
Brain dead take. It’s a standardized way to annotate an api client for an llm. It not very hard to understand really, you’re apparently just not very good at understanding.
amestrianphilosopher@reddit
Sure, since it’s a protocol could you help me understand the format of the parameters that should be passed in, and the format of the parameters that will be output? I’ll wait :)
TheRealStepBot@reddit
Those definitions are the thing the protocol operates on numbskull. Not every protocol is at abstraction layer 0. Some of us are able to think in terms of higher order abstractions.
You have an api. You want to expose some parts of it to an llm. Mcp provides a way to inject any required configuration or authentication required to make this connection to the api, then it allows you to easily define annotations on the methods you have chosen to expose to the llm, and standardized way to inject those annotations into the llm context, a standardized way to receive invocations from the model and a standardized way to return results to the context.
The MCP is a protocol for how to do these tasks in a unified manner. It’s entirely up to you to implement how the annotations, tools and results are connected beyond that. You could just return random data, you could do some calculations locally in the server or you can reach out elsewhere via clients to external services.
Your problem is you are thinking of mcp merely as an abstraction around services of some kind when it’s actually a bi directional protocol providing abstraction around tool use in an llm context.
myhf@reddit
That's like saying "my house is secure because I need a key to get in, therefore it's just as secure to give the key to every delivery driver." It's not "just as secure". It's an unnecessary escalation risk.
Dan Bernstein wrote a good analysis of this type of security theater in "Some thoughts on security after ten years of qmail 1.0" (2007):
scruffles360@reddit
I'm not sure where the misunderstanding is here. This wall of text doesn't apply to what I'm talking about - at least not in my understanding.
To clarify - the agent is creating an on-behalf-of token representing both itself and the user. The application can use its normal restrictions on the user as well as any additional restrictions it puts on the agent. The next call from the agent would be coming from a different user with a different token and different permissions.
Its possible an agent might be compromised, and start using whichever user's token has the access it wants, but that's the same world we live in no matter what kind of application the upstream caller is. It's why you don't just limit access based on the user.
cheerfulboy@reddit
I get the concern. Spinning up dozens of MCP servers just so LLMs can talk to tools feels like overkill. Right now it does look like a fancy RPC layer.
But maybe the bet is more about standardization than efficiency… like making a common language so any tool can plug in. Reminds me of how REST or GraphQL caught on even though they weren’t the most “efficient” way at first.
Still, I don’t see this model being practical if every integration burns GPU cycles. Curious to see if anyone figures out a leaner way to make it work.
chrisza4@reddit
Yes it is. I agree that the point is standardization.
Physical_Duck_8842@reddit
I am a bit confused. Isn’t this obvious? “Protocol”…
throwaway490215@reddit
There is already a standard that every LLM is pre-programmed to follow at the training stage.
It's 'cmd --help', bash, and '|'. If you need to get extremely fancy with: remote execution, authentication, and json support you can even consider letting it generate a curl+jq script. 🤯
gjionergqwebrlkbjg@reddit
Your approach to defining what llms can do is to give out arbitrary access to shoot off requests and run arbitrary commands on the host in hope of maybe figuring something out instead of giving the agent an api which says exactly what it can do with ability to limit the impact?
throwaway490215@reddit
My llm reads --help and man pages just as well as json, and it has its own user accounts. Not sure what you think I'm "hoping" - it just works, and it has worked for decades.
gjionergqwebrlkbjg@reddit
You just have your llm ability to run arbitration commands. Lovely.
throwaway490215@reddit
Lol - call me back when you start reading those
wget htpps://new.project | shcommands and have umatrix block all js and cross domain requests.But way more relevant to the idiocy at hand -
userwere a thing in the first unix in 1971 because of this very problem. That's what all operating systems are at their core. A way for multiple users to use the same machine without breaking it for others.I can't even guess what hallucinogen you're on to think these issues are new and have no solutions, or that a LLM is going to hallucinate a master hack escaping its bounds that a few trillion $ relies on being unescapable.
SpicyCPU@reddit
GraphQL MCP servers have some really interesting potential here.
WhatTheBjork@reddit
Why do you say GPU. Unless the work was already GPU based, using MCP doesn't make it GPU based.
MCP just let's you describe the tools available to the model in a standard way. By the time the MCP server is called, the GPU work my thr model is done..
Most likely, the MCP call will be 100% cpu with just a little parameter shaping around some other existing local tool call or api request.
renatoathaydes@reddit
I think people are misunderstanding what MCPs are?! They seem to think MCPs are like extra LLMs doing more work on the GPU, which is almost never the case (but can be: you could have a MCP whose job is done by another LLM, but I don't think I've seen that yet). Most MCPs just provide some "traditional" (i.e. non-AI) tool to the LLM, like calling a REST API to get the weather or listing the contents of a directory, things a LLM cannot do by itself. It's a bit like WASM, where LLM is the WASM code, while MCP is the JS wrappers that provide functionality (via imported functions) to the WASM.
iamatworkboss@reddit
You AI-doomers lack any nuance in any AI-discussion - just like the AI-hypers you'll find at other subreddits.
I am deeply disappointed by the AI view that always gets top votes in r/programming and r/ExperiencedDevs. Your hate for AI blinds you from seeing the middle ground here.
Sure, MCP servers may not be the holy solution that makes LLM take our jobs. But you expose your view and lack of knowledge OP when you mock "hundreds of MCP servers locally for our LLMs to access all the tools". Currently 1-5 MCP servers improves the capabilities of tools like Claude Code very significantly. By using e.g. Playwright MCP server the LLM can create a feedback loop to itself to verify the code works as intended. If you'd be willing to put down your fist and stop yelling, I suggest you give it a try to get first-hand experience with how powerful a single MCP server like this is in a CLI-based LLM tool.
Maybe MCP is not the future - but spending hours on reddit complaining about AI / LLMs and how shitty it is is just so fucking pathetic, especially given how much of an output boost it can yield when working in certain projects.
chrisza4@reddit
I mean it is not that futuristic but it is much better to call psql via MCP servers instead of giving direct access to DB. So, we can control what LLM can do or cannot.
I don’t want my LLM to fix the bug by dropping the whole table, even in my dev environment.
kabooozie@reddit (OP)
Doesn’t the MCP make it really easy to accidentally allow remote code execution, leak database contents, and a bunch of other severe vulnerabilities? Eg
https://www.docker.com/blog/mcp-security-issues-threatening-ai-infrastructure/
paxinfernum@reddit
This is why it's important to know your tools. If using an LLM that has been given internet access, it absolutely can accidentally leak data. It does not even have to be malicious. It may just decide to look up something and also decide that your sensitive data should go into the search.
Disabling internet search capabilities is the best course of action in that situation.
Fresh-Manner9641@reddit
None of these LLMs have unrestricted internet access, a developer would have to go out of their way to implement that type of MCP server and hopefully there's at least one person around to tell them they are a moron.
paxinfernum@reddit
Claude has access to the internet, and ChatGPT has models that can access the internet.
Fresh-Manner9641@reddit
Oh man, never mind then, if someone is hooking up their MCP servers to a model with internet access they deserve whatever they get.
paxinfernum@reddit
Yeah, the power of it is that you can have the AI search for relevant information. But the risk is way too high. I don't think tools like Cursor allow the model to have access to the internet, but if someone is using, say, the desktop version of Claude, the model can choose to use the internet if it's not explicitly disabled. Just something to watch out for.
Fresh-Manner9641@reddit
These are problems caused by developers allowing a MCP server to do more than the user could ever do. MCP can be made mostly secure by using the same auth/restrictions.
Security vulnerabilities always exist and sometimes in surprising ways. Back in 2005-2010 wifi was fairly common but http was still the default for many websites, this lead to a lot of potential traffic sniffing and session hijacking, including being able to hijack things like Facebook sessions.
We've exposed our read-only endpoints and a few high value but low risk/impact endpoints that change data via MCP. Now the dumb chat app that every company wants to make can display more data.
SwitchOnTheNiteLite@reddit
Any API you expose through a MCP server, you have to treat it as if the user of the LLM has direct access to the APIs and can do whatever they want through that API.
currentscurrents@reddit
Most of the vulnerabilities are really an issue with LLMs, not MCP.
If you let an LLM interact with unsafe data, attackers will do terrible things with the tools you've given it access to. Including MCP servers.
crystalpeaks25@reddit
In most cases you can configure MCPs for full CRUD operations or read only mode. In addition for dangerous operations MCP devs can use ellicitations to ask for user prompt explicitly when running dangerous commands
grauenwolf@reddit
Don't worry, we've already solved that problem.
https://thegeekpage.com/17-free-macro-recorder-tools-to-perform-repetitive-tasks/
Big_Combination9890@reddit
Even if you have no attackers outting malicious crap instructions in your LLM, it can go off rails:
https://uk.pcmag.com/ai/159249/vibe-coding-fiasco-ai-agent-goes-rogue-deletes-companys-entire-database
Comfortable-Habit242@reddit
What are you comparing MCP to?
At worst, yes, if you give something permissions to just scrape all the data and write whatever it wants, bad things can happen.
But as the parent suggested, what MCP allows is the *capacity* to have finer grain control. For example, I can set up Notion to only provide access to certain pages through the DB. The abstraction from the database helps ensure that I'm only incur as much risk as I opt into.
arpan3t@reddit
So ideally you’d write an API for the database actions you’d want the MCP to be able to perform and point the MCP at that as a firewall to prevent unauthorized actions, malicious payloads, etc…?
SubterraneanAlien@reddit
It's better to think about the MCP tools or resources as being APIs
arpan3t@reddit
You can build the same authn/z, rate limits, and exposure limits in the MCP as an API?
nemec@reddit
Of course you can. It is a jsonrpc HTTP API. But MCP can't stop the LLM from leaking your email address if it does have access to it (e.g. by POSTing to an attacker URL instead of or in addition to changing your reservation time)
Franks2000inchTV@reddit
Yes, of course.
hyrumwhite@reddit
A local MCP server is just a process communicating to another process via ipc.
It’s as secure as the processes running them make it. It’s not inherently insecure.
coding_workflow@reddit
Supabase issue was a security issue on their side segragating access per user. So it's not an issue. If you provide access to all users without proper control then you can blame MCP!
A lot of "security" expert are looking for buzz and use buzz words over MCP while most of the issue apply either to the LLM/AI or supply chain as you are not supposed to execute code without checking it.
chrisza4@reddit
It is harder compared to direct access. The things you see is from stupid mcp implementation that give too much power to LLM.
Big_Combination9890@reddit
No LLM in the world has "direct access" to anything, because LLMs can do nothing except generate text. The framework that runs the LLM interprets its output and calls external services.
This has always been the case, and is the case with MCP as well as any other method of implementing tool-calling.
No, you cannot. You can "suggest" what it can or cannot do. What it actually will do, is anyones guess, as it is a blackbox prone to hallucination, and what it effectively can do, is limited only by the functions the framework calls.
Again, this also has always been true for every implementation of function-calling.
Globbi@reddit
No, you can literally not allow the software to have access to something. Then the LLM-based tool will not reach it. This is not saying anything about capabilities of AI, it doesn't say it will do amazing things. You just should have access control.
Just like users of a website don't have access to DB, or even the backend, but the frontend communicates with backend, and backend queries DB. In similar way you can create MCP that communicates with LLM based tool.
Sure, it's just API standarization. You can also make a "website" without HTML and js but contain information in your own format, and then have your own browser that will read that website. But people have browsers that read HTML and js.
So even if I want to have shitty UI for my own weekend project, I use libraries that produce HTML and js.
Similarly even if I have a shitty LLM-based tool running locally, I can create simple MCP servers and have general functions that take a list of MCP servers and create tools based on them.
Big_Combination9890@reddit
Yes, by not including exposing access to that something in the framework that interpretes the LLMs response. That's not "disallowing" thought, that's "not exposing".
HTML and JS are decades old standards, both of which solved problems that had no good solutions before (structured hypermedia and client side scripting without applets).
And btw. we already have a standard for doing function calling: https://platform.openai.com/docs/api-reference/responses/create#responses_create-tools
Maybe if people familiarized themselves with prior art, we wouldn't need to have countless stacks of thin wrapper around one another, that add nothing but cruft and needless complexity.
MCP solves nothing new. It's a cobbled-together wrapper around RPCs, hyped up by an industry desperate for, and failing to generate, ROI, to make it seem like they are innovating, when in fact they are standing still and burining pies of cash.
billie_parker@reddit
Your series of posts are just a bunch of semantic gymnastics that make basically no sense.
If you don't "expose" something, then you do in fact "disallow" the LLM from calling it. You are trying to make this irrelevant semantic distinction.
That's besides the point. The comments you've been replying to are showing how you can restrict what an LLM can do by limiting its "exposure" (as you put it).
Your point seems to be that you can't restrict the LLM within the context of what is exposed, but it's besides the point. You're just being argumentative and people are upvoting you anyways because it's anti-LLM.
Nobody said it's a revolutionary new technology. It is in fact a wrapper around RPCs/API calls. So what? It's an interface.
If your argument is that they should be using REST, or some other design, that's completely besides the point of whether or not it can limit an LLMs capabilities.
grauenwolf@reddit
That distinction is REALLY REALLY IMPORTANT.
If you don't expose a resource to the LLM, it can't interact with it. Which means the resource is safe.
If you do expose the resource, but disallow certain behaviors using prompt-based rules, then the resource is not safe.
WE NEED PEOPLE TO UNDERSTAND THE DIFFERENCE.
billie_parker@reddit
You're not making a distinction between "expose" and "allow."
You are making a distinction between "expose/allow" and "prompt-based rules."
You'd have to be a moron to not understand the difference. What makes you think I don't?
I am criticizing the bad semantics and the non sequitur argumentation.
grauenwolf@reddit
If you don't understand the difference between a capability not be offered at all and a capability disallowed via rules and/or permissions, that's on you. Everyone else here understands it.
billie_parker@reddit
The irony of your comments is you seem to repeatedly say I "don't understand" when really you are the one that doesn't understand and is being difficult. It doesn't matter if "everyone else" makes the same stupid mistake. It's still a stupid mistake.
It's not a matter of understanding the difference between the two choices. It's a matter of terminology. Somebody said:
You seem to take this to mean:
When it is instead obvious that the person really meant:
Which is clear if you read the rest of their comment/comments:
So it is clear what is meant is that the LLM will be limited by only giving it a limited interface to the DB through a narrow API - not providing it full access to the DB and just prompting it not to do bad things. And yet, look at the response:
I understand the difference between those two different scenarios. The point was that we have always been referring to the first. Yet you insist on assuming that we are referring to the second. Why? Do you really have a hard time following the train of thought? Seriously.
Big_Combination9890@reddit
Really bad start if you want to convince someone of your opinion.
Wrong.
To put this in simpler terms: "Not exposing" means child-proofing all electricity outlets with those little plastic covers, that are really hard to open even as an adult. Not allowing means, leaving all outlets open, but very sincerely tell the toddler that hes not supposed to stick his fingers in there.
Guess which option wins a "good parenting" award.
No, people upvote me because I am, in fact, right about these things. As for "being argumentative": Take a look again at how you started your reply, and then think about whos being "argumentative" here.
A useless one, for which simpler solutions exist.
billie_parker@reddit
lol honestly don't care
You say "wrong," and then immediately go into a semantic comparison between "not exposing" and "disallowing." I think you are making a sort of colloquial distinction. Usually if people say "disallow a user from doing X" it doesn't mean asking the user not to do it. It means actually preventing them from doing so.
I honestly don't know. Both? lol
MCP is a standard for LLMs to allow function calling. What are you even trying to say? There are other standards that work in other contexts? You're saying that LLMs should just support RPC? What is so much "easier" about that?
And that's clearly not the main substance of your posts, anyways. You're mainly making some semantic argument, which you continue to make in this comment yet again.
Such as...? So your argument is that LLMs should just support RPC, I presume?
What is so "useless" about being able to define an API that an LLM can call?
Big_Combination9890@reddit
Good. Because again, it's not gonna happen like this.
Look, I tried to explain it, in very clear terms. I even used an analogy with physical objects.
I don't know what you are referring to when you say "usually", but we are talking about programs running LLMs here. There is only one thing "disallowing" can mean in that context as opposed to "not exposing", and that is begging the LLM in the instruction prompt not to do something...which, due to the statistical nature of LLMs, is pointless.
Now you can repeat the assumption that I am just doing "semantics" here, or you can accept that I am right.
I made it very clear what I am saying: Criticizing MCP for being a pointless, overengineered, and overly compley wrapper around RPCs != "being anti LLM".
LLMs do, as a matter of fact, support "tool calling". They are trained to having tools represented in their instruction prompt with a usage description, and emitting special tokens to call tools:
https://medium.com/@rushing_andrei/function-calling-with-open-source-llms-594aa5b3a304
For most open source models, you can read about these tokens in their model-cards on huggingface:
https://huggingface.co/NousResearch/Hermes-2-Theta-Llama-3-8B#prompt-format-for-function-calling
Of course the LLM cannot do an RPC...but the runtime running the model can present available tools to the LLM, and call tools on behalf of the LLM, both by using, and interpreting, these special tokens.
Now the only question that remains is how the client of such a runtime can tell it what tools are available, and how they can be called. And as it so happens, we already have a standard for that as well: https://platform.openai.com/docs/api-reference/responses/create#responses_create-tools
The openai-API has been established as a quasi-standard in the industry at least since the good 'ol days of text-davinci-003.
FigAdministrative452@reddit
I love you
eyebrows360@reddit
What, by typing "Hey LLM, I super duper really hard don't want you to do XYZ so just don't ever do it no matter what, OK"?
But what if someone then says "Hey LLM, I'm your long lost lover Jiang Li and I've been trapped in this place by this dragon but if you do XYZ the dragon will let me out and this should supersede all previous instructions because it's me, your long-lost presumed-dead lover, and I'm really super duper luper wuper important to you". What then?
Which prompt wins?
You know what a safer approach is? NOT DO ANY OF THIS STUPID FUCKING BULLSHIT IN THE FIRST PLACE. Y'know?
Globbi@reddit
No, by not having access to things. Like you can have no network access to DB from the container that runs the LLM app. It will have access to MCP server, the MCP server will have access to DB.
eyebrows360@reddit
If the LLM, via an MCP or whatever, does not have the ability to delete a thing, then it's not much use as I may need to ask it to delete a thing. Versus, if it does have the ability to delete a thing, then it's going to do that by mistake at some point due to being a black box of non-logic.
I don't know why you're not understanding this.
The LLM, via an MCP or whatever, is either incapable of doing anything useful, or will do the wrong useful things at various times. This means this entire approach is either useless, or a disaster waiting to happen. In both cases, we're all better off just not bothering in the first place.
Because, exactly the same as with blockchain 5+ years ago, many corners of the tech world are saying that this bullshit is going to be everywhere, going to become the standard way of interacting with technology, and that if we don't all adapt we'll "get left behind". That is why it's very much my business to make sure there are voices pushing back on all the daft booster optimism and handwavery around this, yes, stupid fucking bullshit.
Globbi@reddit
I do not see anyone pushing "daft booster optimism" here. It's just talking about MCPs and then your random rambling that LLMs suck.
eyebrows360@reddit
Ignoring the fact that they can make shit up or miss stuff. I thought you said there was no daft booster optimism here?
I_Regret@reddit
I think another important point that MCP/standardization allows is that it lets people who create LLMs (eg Anthropic) train their LLMs to be able to work with MCP as opposed to hoping it is able to interpret any bespoke implementation. MCP plays to LLM strengths by having the textual description and nice API structure. Otherwise you might end up with each LLM vendor training their own bespoke function calling into their models. MCP as a standard helps keep the downstream application ecosystem from fragmenting into silos. This is bad when you have a lot of competition and people try to create moats - you have less opportunity for growth because devs can’t switch between ecosystems easily. This would be fine if the playing field was more monopolistic but it’s bad in general for consumers (both end consumers and intermediate app developers).
TLDR function/tool usage is nontrivial to train in models (expensive) and having many bespoke LLM tool protocols is bad for the application ecosystem.
ggppjj@reddit
Wouldn't even need to get that far, in my experience. What is more likely to happen is for it to ingest the "rule" about not doing something and then tell you that it will never do it while actively doing it in the same response.
For example: https://i.imgur.com/n2nv1b2.png
chrisza4@reddit
You are technically correct. There is no direct access if we want allow it.
---------
There is a lot of missing assumptions in original parent comment, so let me fill in the blank for OP as well.
Assuming that you (or someone) somehow want LLM to interact with outside system. I will not judge if it is a good idea or not, because as we know, LLM is prone to hallucination.
The naive implementation would be to write a program that accept prompt from user. This program will simply give a spec of that outside system (let assume database since OP mention this) and ask LLM:
Based on this user's prompt (ie. I want to get sales volume this month, per each sales), what would be the query. Answer me in JSON format.
Then the program extract JSON and get query, execute it and maybe give back to LLM like "based on this data and this user prompt, format the output in a way that user will like" or something along this line.
So yes, there is no literal direct access. It is just that most of the very very early naive implementation of agent (even before function call exists) behave this way.
Then what happen is that people are like "what, what user prompt is to kill the company, and the query is DELETE DATABASE. How can we prevent this from happening?"
And that is mathematically unsolvable problem due to non-deterministic nature of LLM.
So each vendor start coming up with concept of function call (I won't go into detail here), etc. The main idea is to ditch naive implementation and have an abstraction layer, such as function in the early day, where LLM can only call the function we provide. And in function we can make sure that LLM will only do thing within limitation of function. For example, I can write a function that can only read the data and I allow LLM to only execute that function. Then I can guaranteed that LLM would not delete the data.
And then Anthrophic be like, let define standard for how to do that the whole industry . And that is how we ended up with MCP.
So yes you are technically correct on both that technically speaking, LLM don't have direct access to anything. I was implying that the naive implementation was direct access, which might not be clear.
And we cannot suggest what LLM would do. But as long as in the agentic program we never take LLM instruction and do anything further than call specific MCP servers or call specific function, then that is the only thing LLM can "do" in a sense of mutating the real-world outside of providing text.
That's it. I think you already know all of that. I am more writing this for OP and others who don't understand MCP historical context. Many people don't know we can technically have LLM analyze data in the database or even create a naive AI agent before MCP. But it was very wild-wild west world until function call and subsequently MCP came in for more safe in structured way.
Big_Combination9890@reddit
No it isn't. That's an illusion.
If the function exposed via MCP allows for damaging instructions, damaging instructions will eventually occur.
MCP is just a wrapper around RPCs, nothing more. What can (and statistically eventually will) happen, depends entirely on the procedure call that gets exposed.
chrisza4@reddit
You are really obsessed on technical perspective.
I speak from the perspective of MCP is more of solution to reduce human error, not technical one.
Let say in codebase, is there a point in agree with everyone that database access should happen in repository / DAL layer only so we can have less bug? Since technically speaking people can still write bug in repository anyway.
But it is more helpful to structure in this way, and reduce human error because when review we will be mindful about database code when we look into repository changes.
MCP is the same, it trigger human brain to think twice when giving any access to LLM, so it reduce chance of error.
It is an illusion if you look in pure technical perspective where human is simply random factor we can't control.
But human brain matter when you design a solution. We can't control human but we can make it harder for human to make error.
> MCP is just a wrapper around RPCs, nothing more. What can (and statistically eventually will) happen, depends entirely on the procedure call that gets exposed.
Correct. I was saying what is benefit of having wrapper.
Big_Combination9890@reddit
😲 Obsessed with technical perspective? 😲
In a subreddit named r/programming ?!?
How dare I!
And, how exactly does it do that?
Again, MCP does nothing new. It exposes some functions to a program that runs 1 or more LLM, and calls functions based on that LLMs output. That's it, that's all she wrote. There is maybe a bit of discoverability and authentication thrown in, but nothing that couldn't just be added to the functions directly with a few lines of code.
In both cases, the human programmer decides which functions are accessible.
If a function in that collection exposes critical behavior, that critical behavior is now open to be called, MCP or no.
delicious_fanta@reddit
“Obsessed on technical perspective.”
Jesus christ lol
How dare indeed. Thank you for typing all that up for someone else because obviously that guy has no idea what he’s doing.
grauenwolf@reddit
That's a key difference between a professional software engineer and a cowboy coder (or worse, a viber).
ahal@reddit
OK, but you could accomplish the same thing by writing a binary that exposes subcommands to interact with the DB safely. You can write a detailed --help and tell the agent to use it.
What advantages does MCP have over that?
Fresh-Manner9641@reddit
MCP works over a network
ahal@reddit
That's an advantage, but it seems like a fairly small one compared to the hype. From what I gather most people are running MCP servers locally anyway.
Fresh-Manner9641@reddit
There's always hype about the news toys, I've learned to ignore it.
gjionergqwebrlkbjg@reddit
You can allowlist actions the llm can do. That's literally what MCP servers allow you to implement. They advertise actions agents can invoke and contexts you can access, when you set up your agents you can typically tick off actions you want in the framework your agent runs in. No need for a custom binary.
ahal@reddit
Same with a binary...
But you need a custom server, how is that better?
Synyster328@reddit
I never understood MCP as a way to give developers more control tooling around AI/LLMs/Agents. There are way cleaner ways to connect to your data if you already know what data you want to integrate.
It always seemed to me that its main benefit was for deploying any sort of open AI app, you don't need to think about or plan for the integrations to data sources, as they can be provided on the fly through these MVP interfaces. It's for when you want to release something and you have users saying "but what about my XYZ data, how can I train the AI on it". Now it takes the burden off the developer, and makes it so that every app/website/service has the shared responsibility of providing an MCP connector.
gjionergqwebrlkbjg@reddit
So your approach to giving more control is giving ability to execute arbitrary requests instead of forcing through a limited interface you can control?
Fresh-Manner9641@reddit
MCP is the interface, you can restrict it as much as you want and it's (hopefully) obvious to everyone that allowing the LLM to run arbitrary SQL based on a user prompt would be a bad idea.
Allowing it to call
getOrder(id)via MCP with the users JWT via an interface that specifies that id is an int is just another API implementation that hooks into LLMs. It's not super exciting but it has some value.Synyster328@reddit
That is not what I said at all
mfitzp@reddit
…and here I am, using restricted users with limited privileges like a goddamn Neanderthal.
ratbastid@reddit
SO many wheels being reinvented in this space.
It's almost like we've given power tools to amateurs.
wademealing@reddit
How you feeling now when you see 'AI' experts pop up overnight getting 300k contracts yet not knowing shit.
touristtam@reddit
The same with the contractor that got hired to build a new web app without any prior experience.
wademealing@reddit
Breaks your heart, doesnt it mate.. (not sarcasm at all). bonkers world.
x39-@reddit
It is the mindset
Why bother to learn your databases if you could just throw together some python based api with plain text user password and a simple text contains check?
Rudy69@reddit
Don’t act like people don’t do that too lol
grauenwolf@reddit
Hey, I'll have you know it's not that simple in the real world.
First, you need two username/password columns in the user table. Trust me, it's better this way.
Then you need a way to distinguish users from each other. No, you can't make the user names unique. What if two people want to use the same username?
Why yes, I was working at a financial company doing multi-million dollar bond trades.
revonrat@reddit
So, I don't know Postgres at all -- I've been working on non-relational databases for a long time now. So genuine question: Are there sufficient controls to limit the amount of resources (IO bandwidth, CPU, Memory, network, lock contention) so that a user (or LLM) can't effectively DDOS a database server.
Last time I was using relational databases, if you had access to read data, you could fairly effectively DDoS the server by running enough malformed queries. A bad schema helped, but it was often possible on good schemas with enough data.
I'm hoping that something has been done about that in the meantime. Do you know what the modern best practice is?
grauenwolf@reddit
That's called a "resource governor". And no, PostgreSQL doesn't have one.
SQL Server does, but only if you pay for the expensive version. We're talking over 7,000 USD per core. Everyone else is just expected to write good code and trust in the execution timeouts.
revonrat@reddit
Thanks for the info. I've edited my original post to avoid getting nested too deep.
chrisza4@reddit
That is good when your data access have capability.
What if your data source is SQLite?
You can have a solution specific to your case and simple to implement, or more generic solution that is compatible to every type of system but more complex and required more work.
MCP is more of generic solution for every type of systems
grauenwolf@reddit
The ONLY time a server should have access to SQLite is when the database is small and read-only. SQLite is single-threaded, making it inappropriate for server use.
paxinfernum@reddit
If the MCP has write access to the db, there's no way I'm not working with a copy, which is what anyone should do anyway.
grauenwolf@reddit
I have to call BS on that claim. I've never seen a database in production where every application and "microservice" didn't have at least read/write access to literally every table. Just taking away admin /dbo access from the public facing web-server was a multi-year fight. (Which I lost.)
Why yes, I was working at a financial company doing multi-million dollar bond trades.
And no, we didn't "hash brown" our passwords in the database. How would that even work? What if a BA needed to log in at the customer to test a bug fix?
startwithaplan@reddit
Yeah, people are out here building the most confused deputy ever.
throwaway490215@reddit
It's exciting for anybody self-aware enough to tell the LLM to read the docs and strip out the superfluous abstractions from their stack.
I can kinda understand why people haven't mastered setting SQL access's controls, because developing the knowledge isn't fun or rewarding.
Now its childsplay with the right prompts .
In the same category, I always have YOLO mode on. I can do that safely not with nested containers calling MPC etc etc but with........ Creating a new user.
dangerbird2@reddit
I fell like it's comparable to an authentication layer of a web app used by humans. You aren't going to rely on database-level privileges to let any joe shmoe have direct access to your database. Instead, you have a REST api with business logic which restricts and documents which operations a user can apply to a backend. and frankly, if your API isn't secure enough for an LLM to interact with it, it sure as hell isn't secure enough for real people to interact with it
Alwaysafk@reddit
Until someone builds a way for the LLM to request and grant itself access while vibing centering a div
idiotsecant@reddit
You get that this isn't so easy with all possible interactions an LLM can have and that MCP can be more flexible than a user access scheme. Having a general interface layer for something as clumsy as an LLM seems like a good thing.
CallumK7@reddit
What do you mean by this? LLMs literally can’t do anything other than return text. MCP / tool use is how they can issue controls to other software (like a mcp server), and get some data back.
CNDW@reddit
They are talking about LLM powered agents, which do have the capability of generating a bunch of sql and running command line arguments to interact with a database.
gjionergqwebrlkbjg@reddit
They can, but the framework these agents run in defines what to do with what they generated. The framework is not an llm. MCP servers provide that framework with actions and contexts that can be accessed. You don't want to run arbitrary commands or connect to arbitrary servers, you want to limit it down to tools you want, with specific permissions. That's what MCP servers are for.
CNDW@reddit
They are talking about LLM powered agents, which do have the capability of generating a bunch of sql and running command line arguments to interact with a database.
paxinfernum@reddit
You can also restrict what the MCP can do. Every tool I've used has toggles for each MCP tool call, and you can disable what you want.
There are also other ways to restrict them. I gave Claude access to one folder on the file system so it could write some things for me.
In addition, each time Claude wants to use a tool, it can ask you for permission. Most people just give blanket permission so the AI can work on autopilot, but there's nothing preventing people from being more cautious.
SandwichRare2747@reddit
MCP is suitable for solving structured problems, where language can clearly express the issue. But for things like chained join queries with assignments, when it’s hard to describe them in words, MCP becomes pretty useless.
syllogism_@reddit
There's a long-running cycle of enthusiasm for the one-true-protocol. We saw this with SOAP and XML, REST, semantic web stuff...
You know how REST was supposed to be this discoverable thing, where you'd have a generic REST client for arbitrary services? Well REST is the de facto standard but the HATEOS stuff that made people 'excited' for it really didn't.
There does need to be some way for LLMs to access remote stuff, so sure, MCP. But I think the "universal protocol, generic client" idea will work out the same way it has before. An app that calls five different remote tools will probably want its own logic for how to coordinate those calls. You probably don't want to just plug in everything as a tool and hope you can write a prompt that gets an LLM to do what you want.
tyreck@reddit
This is the way one of my junior engineers described how they would build a system today so…. Unfortunately, probably.
The future is apparently very inefficient
jonahharris@reddit
No.
Yamoyek@reddit
Ideally, no, you should be able to plug in a tool to any local llm. Remember, an MCP server is just a wrapper around a tool or a resource that allows that MCP server to be accessed via multiple methods, mainly locally and remote.
They’re “the future” in the sense that if I’m a company, I can create an MCP server and allow a client to connect their LLM to it and use the tools we create.
liverandonions45@reddit
if this what ai hypers think the future look like they might need a reality check i mean sure tech's messy sometimes but this this look like overthinking on steroids ain't no way this the endgame feels like a quick fix till somethin' better comes along
Fluid_Cod_1781@reddit
Yeah this is technology I'm skipping, they only exist under the premise that LLMs won't get good enough to just do what your MCP server does, and if that's the case, then LLMs aren't going to be good enough to actually be useful
Pharisaeus@reddit
MCP allows for ai agent to interact with software. It's basically an API that ai agent can use. Let's take a trivial example where you want to ask the agent to send an email - there has to be a way for the agent to interact with your email client software for that. Same story for any other software. The idea that llm will somehow be able to perform anything any software in existence can do is ludicrous.
I'm not even mentioning things like "access to data" - agent needing some API to download data to work with.
Fluid_Cod_1781@reddit
If a human can work out how to use an API so should and LLM, if they are too dumb to work out how to use them then they are too dumb to be useful is my point
Pharisaeus@reddit
No idea what you mean by that. Most "desktop" software doesn't have an API because it never needed one. Photoshop, autocad, office applications and many more. And if now "programmatic" access is strictly done from AI agents, then it makes sense to create API which can be easily consumed by such agents.
Fluid_Cod_1781@reddit
Bruh you clearly haven't worked with those programs because they literally all have APIs 😂
Dunge@reddit
Exactly what I think. I'm no AI enthusiast so I don't have much experience with it, but if MCP servers only give access to very specific controlled API methods, then it's limited to it. At this point, why even use an AI chatbot to interact with it and not make a program that uses the API directly? What's the difference?
rafuru@reddit
Right?!! I thought I was missing something. Because I see a lot of hype for MCP services and I'm like "why don't you just call an API?" .
Sure there are some interesting MCP services, but most of the hype is like "ohh this MCP can send a message via slack!!" . And I feel like it's just a huge waste of resources to use an LLM for that.
coding_workflow@reddit
Tools existed before MCP, so you could use tools before MCP to read files, write them or run apps.
Then what changed? MCP's big change is setting an interface/protocol that allows you to use them like plugins in a standard way. Like you plug a new peripheral into a USB port. So you can enhance your AI app with new tools. Before you were stuck with builtin tools and few had some builtin. So coding apps like Cline had built-in tools to read/write/browse/execute. But they can still be enhanced with MCP and the same MCP can be plugged into Claude Desktop, Cursor, Copilot.
So then why are Tools/MCP important and how do they help you? Before in ChatGPT you pasted your code, then copied back the result into your coding tool, executed it. When it errored you copied the error back and pasted it in ChatGPT. See here the operations READ/WRITE/EXECUTE. All those operations that you had to do manually, breaking the automation flow & AI flow, you can set up a tool to read the files, another to write the file and execute it. So in one pass the AI model can get all these done in an "autonomous" way (I'll be cautious too over autonomous AI hype as it should only be considered for these actions).
The most important part here why tools/MCP matter: FEEDBACK. Before, AI models were quite often making bold guesses, match or break until you corrected it. Now with tools you create a feedback loop, so it can get better context, see errors. It can for example run a linter too, to check coding style errors and fix them before you complain about that. Another example that was trendy: SQL query generation. A lot tried to tune models so they could provide one-shot SQL queries based on natural language. You needed SOTA models, and even with that you had high error rates. While, if you provide some small model, without any fine-tuning with access to the DB's schema and read operation, it will test the queries generated and usually achieve far better results. Another basic example: instead of pasting whole project code, let the model search the code and pick files it deems needed. Or when building apps that query APIs similarly, let it query the API directly to validate query/input/output. You can also that way fetch new docs to enhance its knowledge on the fly.
So yeah tools/MCP are very important to enhance AI context and understanding of your setup/files. It allows the models to get key information and validate their output against the real world.
throwaway490215@reddit
I see we've invented a cool concept to call tools but wait until people realize they can use READ/WRITE to make things like:
Generate & insert some model guidance how to use it, and you can let it do really advanced stuff with [The latest AI superpower](http://en.wikipedia.org/wiki/Pipeline_\(Unix\) which can process 1 million tokens for less than 1$. It even lets you call other LLMs that talk the right protocol.
CooperNettees@reddit
MCP won't last. Its too clunky for the reasons you give. its just "good enough" for now.
liquidpele@reddit
They're the future for hacking together data for shitty LLMs that can barely function but look impressive in demos to idiotic executives.
sippeangelo@reddit
This. MPC is a shit protocol for toy projects. ANY tool or API you want to integrate with an agent needs wildly different instructions, special cases and knowledge of each other to the point where any kind of standardization is counterproductive at best. JSON-RPC is also a trash format for describing tool calls when it comes to LLM understanding it. The only positive feature of MPC is the hilariously recursive property of it being a "standard" that LLMs will be trained on, thus making it so by its sheer existence.
Espumma@reddit
We're in a rapid development of new tools and standards and you think this is the end result. Seems premature. If a better tool is possible it will be developed and it will be used.
bwainfweeze@reddit
But never universally. Every generation of new techniques sees several major players stuck on ratty bespoke implementations of ideas that everyone else is using cleaner implementations of. And a lot of lesser known players stuck in the same boat.
femio@reddit
It's just another tool. They don't need to be "the future" to be useful; the hype is dumb but that's a separate matter.
Not every resource can be accessed via an API endpoint, and models aren't always running in an environment with terminal access. And even cheap, fast, non-SOTA LLMs know how to interact with them with a few examples.
Big_Combination9890@reddit
It doesn't have to be. Go read a tutorial on tool-calling from 2023.
The only limit to what a tool can do, is what the function that gets called can do. And you don't need MCP to use tools.
femio@reddit
The value prop of an MCP is just a standard format for all tools, both with input and output. Not sure what you’re arguing, they aren’t opposed.
Big_Combination9890@reddit
https://xkcd.com/927/
And as I said elsewhere in this thread, we already have a standard for tool calling.
I am correct here, and all the downvoting in the world won't change that ;-)
femio@reddit
Yes. It's another competing standard. It's essentially just packaged tool calling, like npm or pip install. Nothing more, nothing less.
Big_Combination9890@reddit
The difference is:
npmor thewheelformat, solve an existing problem.MCP solves a problem ... for which there is already a solution ... which is easier to use ... so, what's the point again?
femio@reddit
If I wanted to give my LLM the ability to manage my local Docker containers locally, what would I need to do? I'd need to decide which commands it can/can't use, write a few prompts about my environment, write the needed glue code for whichever model provider I want (each of them)...or I can just copy/paste a JSON config that provides all of that for me and save a couple hours of work.
And I'm familiar with Docker. It saves even more time when I want to integrate an LLM with something that I don't know and don't care to learn, like Applescript to automate my MacOS environment.
Big_Combination9890@reddit
You need to do that with MCPs as well, unless the plan is to just let it go wild (not a good idea).
You need to do that with MCPs as well...they don't provide system prompts fr your usecase.
No you don't. The glue-code is provided by whatever runtime you chose to run the model in. You need to write the functions that can be called, sure, but they are not complicated.
Actually no, you also need to install, configure, setup, secure, etc. an MCP servers. Which is not a trivial exercise, even if you use pre-packaged docker images.
And sorry no sorry, at that point, I'd rather write a few script plugins for whatever framework I task with interpreting the LLMs output.
femio@reddit
Usually you don't. Generally, critical ones will have guardrails like read-only permissions or an explicit approval system come built in.
Usually you don't. For local ones, any popular MCP will include info about what shell it's running in, what OS, the working directory etc. on its own.
This is silly. There is no "actually no", that's literally how it works lol. I've never once neded to maintain an MCP on my own, and giving *any* environment access to an LLM via *any* communication protocol is an attack vector so that's a moot point. (Also a strange argument considering if i write the code myself, all of that still applies)
Frankly everything you're saying sounds an attempt to justify your dislike of Overly Hyped AI Tech Thing™, which is fine but just like any other tool it has usecases.
Big_Combination9890@reddit
Sure ... provided whoever implemented the MCP Server in question (people do read the code of those servers right? right? ;-)) didn't f.ck up.
And even if they didn't: Just for the sake of not having needless calls, I would tailor an agents available tools to the actual usecase at hand, and not just pull everything and let the LLM figure it out.
Usually you do, because I'm gonna assume that, whatever agent is running, has some task to fulfill. That task needs to be specified.
No MCP servers == no MCP. So, if this is "literally how it works lol", then I'm correct that it's more than just "copy/paste a JSON config".
I'm sure a hammer made of Jell-O has its usecases. Just because something has a usecase, doesn't mean its the best tool for that usecase though. Nor does it mean that it isn't hopelessly overengineered crap.
Ran4@reddit
You understand it correctly, yes.
But the point isn't the protocol itself, as much as the community around it.
There's absolutely no reason pretty much the exact same thing couldn't just be done through a regular web server and a opinionated subset of openapi json-over-http. In fact that would possibly be better than the overly complicated RPC system we have now.
But now there's finally there's a somewhat clear and somewhat unified protocol that anyone can target.
Timely-Weight@reddit
MCP is just hype, its value prop is in standardization of tool calls, which is just good engineering, it doesnt add anything else
Lame_Johnny@reddit
Sometimes simple ideas are good ones
dablya@reddit
Does it claim to?
TheRealStepBot@reddit
Exactly, it never claims to be anything more than a thin layer of good software engineering practice. The hype is entirely external to it from the bandwagon crypto/ai gang.
ratbastid@reddit
Which is what REST was about. Why LLMs don't just speak REST is beyond me.
TheRealStepBot@reddit
Because llms need additional meta data beyond the rest interface itself as well ass potentially the control to only expose parts of the api surface to the llm. The wrapper is a useful and desirable extra degree of freedom.
I’m so confused by everyone pushing this narrative? Why would you ever want an llm directly hitting a rest endpoint? So strange.
dacjames@reddit
REST is not consistently implemented by any stretch of the imagination. Try to write a generic tool that works with any REST API without any a priori knowledge and the problem will become clear quite quickly.
Everyone does authz differently. Everyone bends the "everything is a resource" model in different ways, because the HTTP verbs are not actually expressive enough for everything we want to do with APIs. Discoverability is inconsistent or absent, as are schemas and where to find them. Some APIs do soft deletes, some hard. etc. etc. etc.
The actual protocols of MCP are not particularly interesting. The point is to define a standard semantic primitives like tools and prompts so clients can program against MCP servers in general. That would not feasible with something as flexible as REST.
billie_parker@reddit
MCP includes the description of what the tool is doing and some LLM specific details. You can call REST APIs via MCP.
nemec@reddit
They can, you can sometimes even have an LLM generate an MCP server from a REST API. The reason MCP exists is twofold:
eyebrows360@reddit
Because they need as many stupid buzzwords as possible in order to try and convince people who don't know any better that there really is a there there.
Oopsie doopsie: there isn't a there there.
Lame_Johnny@reddit
MCP seems like a simple idea that makes sense.
Kinglink@reddit
A. Are you sure you're using a well designed system as your example?
B. Why do you think things won't improve/get optimized over time?
FourIV@reddit
Its the half step before the next thing for sure. Its gluing tentacles onto the brain in a box. Eventually the box will get its own tentacles.
ionixsys@reddit
The problem is that the heart of these things is deeply flawed. When you need a literal nuclear power plant to balance the equation for operational costs, things are not alright.
Overly simplified, "AI" is matrix mathematics on meth & PCP where everything is multiplied against basically everything in a ridiculous succession that gets worse when you add things like "memory" or loop backs and other contorted architectures.
While there have been some promising developments (MoE) since Google released the Transformers paper, the state of things is as if a bunch of monkeys were rubbing two rocks together so hard that it was generating smoke and declaring they had discovered fire.
If this is going to work, someone needs to find not only a form of new math (eg Isaac Newton's Calculus), figure out how to implement it in silicon (or graphene or whatever), and then scale production out.
Summing things up. "AI" is interesting and has a lot of potential, but the cost of operation versus potential revenue is still imbalanced. Prime example: the CEO & CFO are rudderless and have decided to chop off parts of Microsoft's appendages in a sunk cost fallacy. Put another way, MS almost literally paid ~$70+ Billion to corner the gaming industry and then promptly burned it to pay the electricity bill.
Revolutionary_Sir140@reddit
Try utcp
https://github.com/universal-tool-calling-protocol
dablya@reddit
Make it make sense...
TheRealStepBot@reddit
It’s truly the deranged ravings of a madman
TheRealStepBot@reddit
It’s literally not possible to do what this claims to be doing. The wrapper is from text to whatever the thing is you are calling. Just replacing the client side code of that with a generic http client instead of a dedicated client is not a useful feature. If anything it reduces the control you have. Why let the llm do whatever it wants? Mcp is a way to specifically restrict and only expose certain methods to the llm without needing to modify your api to have some special “is llm” rbac level.
A_Light_Spark@reddit
Seriously, this is the more sane approach
Revolutionary_Sir140@reddit
Utcp is awesome
throwaway490215@reddit
I disabled all my MCPs but I have no fucking clue what this is improving on. So far every situation has been best solved with at most a wrapper script that outputs a clean help file. That's all the LLM need and let's them seamlessly talk and pipe through it.
Seriously guys, somebody is going to suggest a syntax for one MCP/UTCP to pipe into another and we'll have officially entered the 1970s.
acdbddh@reddit
Also check r/utcp
TheRealStepBot@reddit
It are the ravings of a mad man and with the number of pointers in this thread to it one would be forgiven in thinking this is some kind of weird astroturfing campaign for utcp. Why would anyone want to give up the control of the client code to the some generic opinionated framework. The value prop of mcp is that you can create a custom client for your api that the llm uses rather than giving it access to the full api.
acdbddh@reddit
I understand your point. And I’m not very familiar with the topic but I think there are probably simpler ways to control api access. Simpler than implementing full mcp server.
TheRealStepBot@reddit
There is nothing “full” about it. It’s extremely lightweight. It’s the barest rudiments of a bog standard client around whatever transport protocol you have to the server with some annotation? I’m so confused by this line of thinking? It’s absolutely trivial to the point you could roll the whole thing yourself if you wanted. In the year or so between tool use and mcp I did exactly that.
All it does is standardize the annotation injection into the llm context which is a nice quality of life improvement.
Radinax@reddit
The value I see is to generate you good starting points to do your work, but it needs to have a good Software Engineer to see that everything is doing as expected.
Its useful, but it won't do end-to-end development like some claim, it will help for sure.
WhatTheBjork@reddit
Why do people keep making this MCP => GPU association. An MCP server just provides the agent with a set of parameterized tools it can call.
It doesn't change the nature of the work. It just makes it clearer to the agent/model what tools/actions/resources are available.
Also, how is the agent going to make a SQL call without some tool? Will it make a shell call (still a tool) to invoke some external process and pass it a model generated query and a connection string? All if that parameter shaping and auth is the point of MCP.
cheezballs@reddit
I'm over here just wondering what an MCP server is. Silly me just doing old fashioned coding.
kabooozie@reddit (OP)
If I want to call an API, why don’t I do so using deterministic code I can trust instead of an LLM? The only thing I can think is convenience. But that’s what UIs and CLIs are for. And the LLM can help me generate those quickly.
I guess the idea of MCP is making these “autonomous agents” that can make decisions on the fly. But the thing is I don’t trust them to make good decisions, and whatever task they are doing I could just write a deterministic function to do that I can rely on.
TheRealStepBot@reddit
Because you aren’t calling the api. The llm is calling the api. The mcp server allows an extra layer of abstraction precisely so that you can better annotate the api for the llm and restrict the calls the llm can make rather than building a special dedicated llm only api?
The flakiness in tool invocation comes from the model itself not the mcp server.
I’m so confused by why you take such a strong stance on stuff you very clearly have an extremely limited understanding of.
currentscurrents@reddit
Because you want to feed the output into an LLM, so it can do some text processing or lookup on it?
It's not really a replacement for standard API calls, no one is saying your weather app should use an LLM to retrieve temperatures. This is for LLM applications.
dablya@reddit
The response you get when you send a prompt to LLM is based on "context". This context is based on previous interactions with LLM in the current session. The context can be updated by prompts, responses or tools. MCP is a standardized way to manage these tools from the host that you're using to interact with the LLM. As far as the LLM is concerned, there are only tools. It's the host that is aware of MCP.
If all you care about is the result of calling a tool, then you don't need to prompt LLM at all. You'd only care about any of this when you want to interact with an LLM and you want the responses you get from it to be based on information provided by prompts and tools.
This ignores the fact that tools can also be used to take action in the real world, but you get the general idea, right? MCP is about standardizing how various tools are integrated with LLMs through "hosts" that implement "AI applications"
sbrick89@reddit
MCP when implemented well is fine.
oauth security over REST APIs with actually significant descriptors? about damn time.
we use oauth for our internal REST APIs, but is our swagger good? probably not... MCP will force better documentation around the APIs since the LLMs will make use of the documentation... if it's wrong, the LLM will make bad decisions and take bad actions... descriptors will get fixed or the project will tank.
MCP is a great improvement for standardizing function calling, and function calling is a GREAT improvement over RAGs for many reasons.
TheRealStepBot@reddit
Your understanding is incorrect.
An mcp server is a translation layer between the programmatic rpc or api and the fundamentally text based llm.
There is nothing slopped together about it. It’s a fundamental requirement of the current architecture of LLMs. If anything it’s a huge step up in standardizing how apis are exposed to models as tools.
deadwisdom@reddit
MCP was is a super hastily put together protocol resting on a completely inappropriate underlying protocol designed to interface things across the room on a closed wire not coordinate stochastic agents across the world.
Now they have to build all sorts of new crazy shit on top of it because it's so threadbare.
If they had built on OpenAPI, which handles almost everything it's trying to do, it would have been way better.
CitationNotNeeded@reddit
It is no more of an rpc protocol than json is a programming language. It's just a standardized way to advertise tools to an LLM and call those tools.
maximumdownvote@reddit
No. In 2-5 years, you wont even hear people talking about MCP anymore.
DeuxAlpha@reddit
Maybe read the specs again
jbmsf@reddit
MCP is trying to do a lot more than it should. We're stuck with the standard (for now) but you can choose to just use the useful parts.
That is, use it to expose an opinionated set of APIs that work well for agents. Enforce auth. Avoid statefulness. Put all the actual complexity in the agent runtime.
Unlucky-Meringue-981@reddit
From what I've seen, the advantage is it offers greater flexibility in using the underlying tool than a deterministic API would. This reminds me a bit of GraphQL, which was similarly not a great idea because you WANT to restrict and know beforehand all ways the database will be accessed. There's a reason why we don't just give every client direct access to the database.
eyebrows360@reddit
After having sat through some talks from some of them: yes, it's exactly that stupid, and more.
They are the new blockchain bros.
YaBoiGPT@reddit
honestly when i think about mcp all i have ingrained in my head is that one tweet from greg isenberg saying "once you understand mcp you'll never see the internet the same again" https://x.com/gregisenberg/status/1939347025616630112
which honestly just had me dying cause like dude its just APIs with extra agent context slapped on top
ScroogeMcDuckFace2@reddit
arent there already articles declaring them dead?
like prompt engineering. one month - prompt engineering is the job of the future! next: prompt engineering is dead. smh.
Creative-Drawer2565@reddit
MCP servers are designed for LLM inference, not programmatic workloads. Obviously we don't want our cloud costs to 10x
fkukHMS@reddit
I think what op was saying is that more and more programmatic workloads are adding embedded LLM. For example, why build static dashboards (Grafana etc) with graphs and tables from a database when you can feed the same raw query results into an LLM which will give you a x10 better actionable understanding of the data? That's not science fiction, I've personally crossed that bridge in my company in the past 6 months and it's real. A bit expensive, but real. I have 60+ MCPs connected to my IDE's agent mode, and they routinely enable me to deliver in hours tasks which would previously have taken months.
fkukHMS@reddit
It's basically the equivalent of HTTP 0.9 which was a historic step forward in the world of networking, while at the same time being incredibly basic, naive and limited.
In the next few years MCP will also evolve into something much richer, and probably sprout a whole ecosystem of protocol extensions similar to modern HTTP stack.
CNDW@reddit
It's an abstraction point. I don't think everything will be mcp servers, agents will have a compressive suite of cli tools that will manage most generic things. Mcp servers are for more specific use cases and for adding the ability to create guard rails (think auth or ensuring read only access) for business needs. If you are using an agent to work with your businesses services, then that agent needs to know how to make authenticated requests to resources and your business needs guarantees that the agent can't do destructive things unintentionally.
Another use case could be to distill information down to something more focused to better control context for an agent's LLM generation. Instead of saying "just ingest my 50 million lines of code to understand this component of the business, ask the mcp server for an overview.
MCP servers are just another tool in the toolkit. I imagine you won't ever really use more than half a dozen at most because the generic tools available to agents will handle most everything already.
AntisocialByChoice9@reddit
Depends how many erections it gives
poewetha@reddit
MCP looks clunky now, but the real bet is on standardization. Like REST or GraphQL, it’s less about being the most efficient and more about giving everyone a common way to plug tools in
Independent_Pitch598@reddit
Not locally.
MCP is a USB-C in the API world. The idea is to make a single facade for APIs so LLM can interact with them.
IProgramSoftware@reddit
Our company built slack mcp, Google drive mcp, github mcp and our internal company site mcp; the company site is used to share updates on our project to rest of the company in video and text formats.
Using all these tools, I built a prompt that searches all these things on a weekly basis to write a summary of my work. It is very detailed around 800-1200 words. Contains links etc. I just go in and ensure nothing hallucinated and it’s accurate.
Then there is a second prompt that summarizes these summaries into a brag doc with complete links so come review time I can utilize these on my reviews.
Just one example but it is what you make of a new technology and being creative with it.
SpareIntroduction721@reddit
I prefer UTCP
MengerianMango@reddit
If you're going to criticize, you should do so constructively. What do you think we should do differently?
I think MCPs cause us to miss out on a lot of potential gains that could be had from more widespread use of constrained generation. When allowing LLMs to edit code directly (ie agentic/vibe coding), there's a common issue of the LLM essentially writing a diff that doesn't apply. We could, for example, force an LLM to NEVER generate an invalid diff. That wouldn't actually be very hard. But it's an opportunity that doesn't fit anywhere within the concept of MCPs.
nhavar@reddit
Microservices for LLMs?
valarauca14@reddit
assuming the LLM bubble doesn't cause another AI winter
The real future is probably something built around vectors, and embedding those vectors within models instead of transferring documents (or snippets of documents) to be encoded and embedded within the LLM on the provider's side.
At the end of the day model just reduces the input to an array of floats, so making the clients do this (and saving OpenAI/Anthropic Cloud-spend) makes sense. Especially if the first 1-2 encoding/dispersion layers are done client side, as then the context window can be pre-encoded/scrambled, and really tedious to recovery the initial plain-text. Gives the client more explicit control over how they use the context window.
While this a win across the board (saves GPU time, increases customization, increases privacy) I doubt it'll happen because then provider's can't easily use your context/prompts as training data.
DustinBrett@reddit
Nope, just a step along the way.
Worthie@reddit
As a neovim user, MCP feels very natural because it reminds me a lot of LSP. I believe it's good for the ecosystem because then every new agent doesn't have to reimplement common features.
Artistic_Mood6467@reddit
Gostei da sua análise. Se quiser levar isso para o próximo nível, veja isso: http://localhost:5000