CONCEPT Cited by 3 sources
Local MCP server risk¶
Definition¶
Local MCP server risk is the security posture a developer takes on when they wire a cloud-hosted LLM (Claude, Cursor, GitHub Copilot, Goose, Claude Desktop) to a Model Context Protocol server that runs as a subprocess on their workstation — typically via the stdio transport, typically wrapping a native CLI (patterns/wrap-cli-as-mcp-server), typically inheriting the operator's full credentials (~/.config/*, cloud SDK tokens, git SSH keys, kubeconfig).
The risk is that a cloud LLM — with attack surface the operator does not control (prompt injection via retrieved content, jailbroken system prompts, adversarial tool descriptions in other MCP servers loaded in the same session) — can now run arbitrary native binaries on the operator's laptop with the operator's full identity.
Canonical wiki statement¶
Thomas Ptacek, Fly.io, 2025-04-10:
"Local MCP servers are scary. I don't like that I'm giving a Claude instance in the cloud the ability to run a native program on my machine."
(Source: sources/2025-04-10-flyio-30-minutes-with-mcp-and-flyctl.)
Four weeks later, Sam Ruby's 2025-05-07 follow-up post (sources/2025-05-07-flyio-provisioning-machines-using-mcps) extends the same flyctl MCP server with mutation operations — full `fly volumes` CRUD, with plans to expand. Ruby's tempered caveat: "Just be aware this is not a demo, if you ask it to destroy a volume, that operation is not reversible. Perhaps try this first on a throwaway application." The read-only → mutation transition moves the local-MCP-server blast radius from "wrong conclusion about the state of my app" to "destroyed production resource."
Blast-radius axis¶
- Read-only tool surface (2025-04-10 flymcp shape: `fly logs` + `fly status`). Prompt injection can produce a wrong diagnosis; blast radius is bounded to the operator's mental model. Still leaks whatever the CLI can read (logs often contain secrets, customer PII, internal hostnames).
- Mutating tool surface (2025-05-07 shape: full `fly volumes` CRUD including `destroy`). Prompt injection can destroy production state. The flyctl-level "can't destroy a mounted volume" check (patterns/cli-safety-as-agent-guardrail) narrows but does not eliminate the attack surface — unattached volumes, apps, machines, secrets, networks remain destructible by any injected instruction.
- Credential exfiltration surface. Because the MCP server inherits all workstation credentials, a single well-placed tool call (`cat ~/.aws/credentials`, `cat ~/.ssh/id_rsa`) in a less-guardrailed local server gives a cloud LLM transcript-logged copies of the operator's keys.
Three mitigation strategies¶
- Disposable VM for agentic loop (patterns/disposable-vm-for-agentic-loop) — run the wrapped CLI inside a throwaway Fly Machine / Cloud Hypervisor micro-VM / Firecracker sandbox, not on the operator's laptop. Prompt injection destroys the sandbox, not the operator's workstation. The Fly.io 2025-02-07 VSCode-SSH post sketches this shape; the 2025-05-07 MCP provisioning post gestures at Fly-network-hosted MCP servers as the natural evolution.
- Read-only tool-surface first (patterns/allowlisted-read-only-agent-actions + patterns/tool-surface-minimization) — gate mutations behind a second-tier approval or leave them out until a plan-and-apply UX is in place (patterns/plan-then-apply-agent-provisioning).
- CLI-level safety invariants (patterns/cli-safety-as-agent-guardrail) — let the CLI's human-operator refusals ("can't destroy a mounted volume", "can't delete a non-empty bucket") protect the agent user at zero engineering cost.
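The following is an added example, not code from the Fly.io posts or from the flyctl MCP server. It shows what the read-only-first and credential-containment points of the blast-radius axis and mitigation list above look like as a policy layer inside a stdio MCP server that wraps a CLI: read-only tools resolve directly to an argv list, mutating tools refuse unless a second tier (assumed to be a human confirmation step in the client, something the LLM cannot set) has approved the call, every interpolated parameter is validated against a strict pattern, the subprocess never goes through a shell, and the subprocess environment is rebuilt from an allowlist so workstation secrets carried in environment variables do not leak into the CLI process. The tool names, the exact flyctl argument shapes, the app-name and volume-id patterns, and the approval mechanism are all assumptions for illustration.

```python
"""Added example: policy layer for a local stdio MCP server wrapping a CLI.

Tool names, flyctl argument shapes, ID patterns and the approval mechanism are
assumptions for illustration, not the flyctl MCP server's own code.
"""
import os
import re
import subprocess


class ApprovalRequired(Exception):
    """Raised when a mutating tool is invoked without second-tier approval."""


# Every value interpolated into argv must match a strict pattern, so an injected
# instruction cannot smuggle extra flags, paths or shell text through a parameter.
PARAM_PATTERNS = {
    "app": re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$"),   # assumed app-name shape
    "volume_id": re.compile(r"^vol_[a-z0-9]{4,32}$"),    # assumed volume-id shape
}

# Read-only tools: callable by the LLM without approval. Worst case is a wrong
# diagnosis (and whatever the CLI output itself reveals), not a destroyed resource.
READ_ONLY_TOOLS = {
    "fly_status": ["fly", "status", "-a", "{app}"],
    "fly_logs": ["fly", "logs", "-a", "{app}", "--no-tail"],
    "fly_volumes_list": ["fly", "volumes", "list", "-a", "{app}"],
}

# Mutating tools: exposed only behind a second tier. `approved` is set by a human
# confirmation step in the client UI (assumption), never by the model.
MUTATING_TOOLS = {
    "fly_volumes_destroy": ["fly", "volumes", "destroy", "{volume_id}", "-a", "{app}"],
}

# Only these variables reach the wrapped CLI's process. AWS_*, KUBECONFIG,
# SSH_AUTH_SOCK and everything else the workstation shell carries are dropped.
PASSTHROUGH_ENV = ("PATH", "HOME", "FLY_API_TOKEN")


def scrubbed_env(source):
    """Build the subprocess environment from an allowlist of variable names.

    This only contains env-carried secrets. The subprocess still runs as the
    operator's user, so filesystem-resident credentials (~/.ssh, ~/.aws) remain
    reachable; that is what the disposable-VM mitigation addresses.
    """
    return {k: v for k, v in source.items() if k in PASSTHROUGH_ENV}


def _render(template, params):
    """Substitute validated parameters into an argv template."""
    argv = []
    for token in template:
        if token.startswith("{") and token.endswith("}"):
            name = token[1:-1]
            value = params.get(name)
            if value is None or not PARAM_PATTERNS[name].match(value):
                raise ValueError(f"parameter {name!r} missing or malformed: {value!r}")
            argv.append(value)
        else:
            argv.append(token)
    return argv


def plan_call(tool, params, approved=False):
    """Resolve a tool invocation to the exact argv that would run, or refuse it."""
    if tool in READ_ONLY_TOOLS:
        return _render(READ_ONLY_TOOLS[tool], params)
    if tool in MUTATING_TOOLS:
        if not approved:
            raise ApprovalRequired(f"{tool} mutates state; second-tier approval required")
        return _render(MUTATING_TOOLS[tool], params)
    raise ValueError(f"unknown tool {tool!r}")


def run_call(tool, params, approved=False, env_source=None, timeout=60):
    """Plan and execute a tool call with shell=False and a scrubbed environment."""
    argv = plan_call(tool, params, approved=approved)
    env = scrubbed_env(os.environ if env_source is None else env_source)
    completed = subprocess.run(argv, env=env, capture_output=True, text=True, timeout=timeout)
    return completed.returncode, completed.stdout, completed.stderr


if __name__ == "__main__":
    # Dry-run view of what the LLM can and cannot trigger (nothing executed here).
    print(plan_call("fly_status", {"app": "my-app"}))
    try:
        plan_call("fly_volumes_destroy", {"app": "my-app", "volume_id": "vol_abc123"})
    except ApprovalRequired as exc:
        print("refused:", exc)
```

`plan_call` is deliberately separated from `run_call` so the argv a tool request resolves to can be logged and reviewed before anything executes; that is the hook a plan-then-apply UX would use. Note that validation and `shell=False` keep the wrapped CLI's own safety refusals (the "can't destroy a mounted volume" check) as a second line of defence rather than the only one.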
Why "local" is the load-bearing word¶
Remote MCP (HTTP/SSE) flips the security posture. The MCP server runs in the service provider's infrastructure, the operator's laptop is a client, and the authz boundary is the server's own OAuth / credentialed-proxy layer (e.g. Agent Lee). The blast radius of a prompt-injected action is bounded by the server's permissioning, not the operator's workstation credentials. That's a different security story — sometimes better, sometimes worse, but not "a cloud LLM is running native binaries on my laptop with my full identity."
See concepts/mcp-long-lived-sse for the routing-side framing of remote MCP servers; local vs remote is orthogonal to read-only vs mutating.
Seen in¶
- sources/2025-04-10-flyio-30-minutes-with-mcp-and-flyctl — canonical wiki statement + read-only blast-radius shape.
- sources/2025-05-07-flyio-provisioning-machines-using-mcps — mutation transition; blast radius extends into production resource destruction with flyctl-level invariants as the only guardrail.
- sources/2025-05-19-flyio-launching-mcp-servers-on-flyio — the remote-MCP-server alternative shipped: `fly mcp launch` takes any stdio MCP server and deploys it as a remote HTTP MCP server running in a Fly Machine, with bearer-token auth replacing operator-workstation-credential inheritance as the authz boundary. Relocates execution off the operator's laptop — the "why local is the load-bearing word" point above, operationalized as a one-command flyctl subcommand. See systems/fly-mcp-launch + patterns/remote-mcp-server-via-platform-launcher.
Related¶
- systems/model-context-protocol — the protocol.
- systems/fly-flyctl — the canonical wrapped CLI.
- systems/fly-mcp-launch — the 2025-05-19 flyctl subcommand that deploys stdio MCP servers as remote HTTP MCP servers on Fly Machines, bypassing the local-MCP-risk posture by relocating execution to a platform VM.
- patterns/wrap-cli-as-mcp-server — the pattern whose blast radius this concept quantifies.
- patterns/remote-mcp-server-via-platform-launcher — the counter-pattern: deploy the stdio MCP server remotely rather than run it locally, flipping the authz boundary from workstation credentials to bearer-token / OAuth.
- concepts/mcp-client-config-fragmentation — the other main ergonomics / security complaint Fly.io raises about early-era MCP.
- patterns/disposable-vm-for-agentic-loop — the sandbox-based mitigation.
- patterns/allowlisted-read-only-agent-actions — the policy-based mitigation.
- patterns/cli-safety-as-agent-guardrail — the inherited-refusal mitigation.
- concepts/prompt-injection — the attack class this posture exposes.
- concepts/blast-radius — the framing vocabulary.
- companies/flyio.