AI Agents and MCP
MCP (Model Context Protocol) is an open standard that enables AI agents to integrate with external tools and services in a standardized way. By allowing agents to call any tool through the same interface, it dramatically reduces the complexity of tool integration.
Target audience: Those who understand the basics of AI agents and want to learn about tool integration mechanisms and security.
Estimated learning time: 20 minutes to read
Prerequisites: What Is an AI Agent?, What Is MCP?
The Challenge of AI Agents and Tool Integration
Section titled “The Challenge of AI Agents and Tool Integration”Tools are essential for AI agents to “act.” However, traditional tool integration had the following challenges:
| Challenge | Details |
|---|---|
| Inconsistent API specs | Different request formats, authentication methods, and response structures per tool |
| Increasing integration cost | Custom implementation required for every new tool added (M×N problem) |
| Complex error handling | Different error codes and exception handling per tool |
| Dispersed security management | Separate credential and permission management per tool |
Concretely, when an agent combines web search, GitHub operations, database queries, and file operations, it had to import different SDKs and call each in a different format.
What MCP Solves
Section titled “What MCP Solves”MCP solves the above challenges by placing a common protocol layer between agents and tools.
Agents only need to call tools in MCP — a “common language” — while the MCP server abstracts away the implementation details of each tool.
The USB-C analogy is helpful here. Before USB-C, each device needed a different cable. USB-C as a common standard now lets one cable connect many different devices. MCP is the USB-C for AI agents.
How MCP Relates to Agents
Section titled “How MCP Relates to Agents”Here’s the overall picture of how an agent calls tools via MCP:
graph LR
subgraph AgentSystem["Agent System"]
Agent["Agent\n(LLM Core)"]
MCPClient["MCP Client\n(Protocol translation)"]
Agent <-->|"Tool call request\n· Execution result"| MCPClient
end
subgraph MCPServers["MCP Servers"]
FS["File System MCP\nFile read/write"]
GitHub["GitHub MCP\nRepository operations"]
Browser["Puppeteer MCP\nBrowser automation"]
DB["Database MCP\nDB query · update"]
Search["Search MCP\nWeb search"]
end
MCPClient <-->|"Standardized MCP protocol"| FS
MCPClient <-->|"Standardized MCP protocol"| GitHub
MCPClient <-->|"Standardized MCP protocol"| Browser
MCPClient <-->|"Standardized MCP protocol"| DB
MCPClient <-->|"Standardized MCP protocol"| SearchThe MCP client is the component that handles protocol translation between the agent and MCP servers. The agent can use tools through a unified interface without being aware of which MCP server it’s talking to.
MCP Usage Examples in Claude Code
Section titled “MCP Usage Examples in Claude Code”Claude Code natively supports MCP. Configure it in .claude/mcp.json (or ~/.claude/mcp.json) to integrate with various tools.
File System MCP (File System Operations)
Section titled “File System MCP (File System Operations)”// .claude/mcp.json configuration example
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/yourname/projects"
]
}
}
}With the File System MCP configured, the agent can autonomously:
- Retrieve a list of project files
- Read and analyze file contents
- Write code modifications to files
- Understand the directory structure for design decisions
GitHub MCP (GitHub Operations)
Section titled “GitHub MCP (GitHub Operations)”{
"mcpServers": {
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
}
}
}
}With the GitHub MCP, the agent can:
- Reference issue contents and fix code accordingly
- Create and update Pull Requests
- Search and analyze repository code
- Review commit history to investigate bugs
Puppeteer/Playwright MCP (Browser Automation)
Section titled “Puppeteer/Playwright MCP (Browser Automation)”Automates web UI testing, scraping, and dynamic content retrieval.
{
"mcpServers": {
"puppeteer": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-puppeteer"]
}
}
}Database MCP
Section titled “Database MCP”Execute queries and updates to databases like PostgreSQL and SQLite through a standardized interface.
{
"mcpServers": {
"postgres": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-postgres",
"postgresql://localhost/mydb"
]
}
}
}The MCP Server Call Flow
Section titled “The MCP Server Call Flow”Here’s the detailed flow when an agent calls an MCP tool:
sequenceDiagram
participant U as User
participant A as Agent (LLM)
participant MC as MCP Client
participant MS as MCP Server
participant T as External Tool/API
U->>A: Task request: "Look at the issue and fix the code"
A->>MC: Request list of available tools
MC->>MS: tools/list
MS->>MC: Tool list (read_file, write_file, list_issues, etc.)
MC->>A: Return tool list
A->>A: Reason: Read the issue via GitHub MCP
A->>MC: tools/call: list_issues(repo="myrepo")
MC->>MS: tools/call request
MS->>T: GitHub API call
T->>MS: Issue data
MS->>MC: Tool execution result
MC->>A: Return issue content
A->>A: Reason: Identify the file that needs to be fixed
A->>MC: tools/call: read_file(path="src/auth.ts")
MC->>MS: tools/call request
MS->>T: File system read
T->>MS: File content
MS->>MC: File content
MC->>A: Return file content
A->>A: Reason: Generate the fix
Note over A,U: Irreversible operation (file write) requires confirmation
A->>U: "Would you like to apply the following changes?" (approval request)
U->>A: Approved
A->>MC: tools/call: write_file(path="src/auth.ts", content="...")
MC->>MS: tools/call request
MS->>T: File write
T->>MS: Success
MS->>MC: Complete
MC->>A: Write successful
A->>U: Report fix completeTool Approval and Security
Section titled “Tool Approval and Security”Appropriate security design is essential for agents using tools via MCP.
Allow List / Deny List
Section titled “Allow List / Deny List”Explicitly restrict the tools and operations an agent can use.
// Security configuration example (conceptual)
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/yourname/projects/safe-dir" // Limit accessible directory
]
}
},
"permissions": {
"allow": [
"filesystem/read_file",
"filesystem/list_directory",
"github/list_issues",
"github/read_pull_request"
],
"deny": [
"filesystem/delete_file", // File deletion prohibited
"github/delete_repository" // Repository deletion prohibited
]
}
}Confirmation for Irreversible Operations (Human-in-the-loop)
Section titled “Confirmation for Irreversible Operations (Human-in-the-loop)”Design so that human confirmation is always required before operations that cannot be undone.
| Operation Category | Examples | Recommended Response |
|---|---|---|
| High risk (always confirm) | File deletion, database deletion, email sending, payment | Display changes and require explicit approval |
| Medium risk (confirm recommended) | File overwrite, POST to external API, config changes | Show a preview of the changes |
| Low risk (auto-execute) | File reading, web search, list retrieval | Execute without confirmation |
Claude Code requires confirmation for important operations by default — unless the --dangerously-skip-permissions flag is used. Maintaining this default behavior is the recommended security setting.
The Importance of Sandboxing
Section titled “The Importance of Sandboxing”When an agent executes code, run it inside a sandbox (isolated execution environment) so it doesn’t directly affect the production environment.
graph LR
Agent["Agent"] --> Sandbox["Sandbox Environment\n(Docker container, etc.)"]
Sandbox --> |"Limited access only"| Prod["Production Environment\n(Protected)"]
Sandbox --> LocalFS["Local File System\n(Working directory)"]
Sandbox --> Internet["Internet\n(As needed)"]Sandbox execution examples
- Limit code execution to inside a Docker container
- Prohibit writes to the production database; use a test DB only
- Restrict network access to only the necessary endpoints
MCP Registry (Ecosystem)
Section titled “MCP Registry (Ecosystem)”MCP is an open standard, and the community has published numerous MCP servers.
Examples of official and major MCP servers
| Category | MCP Server | Provided Functionality |
|---|---|---|
| File system | @modelcontextprotocol/server-filesystem | File read/write, directory operations |
| Version control | @modelcontextprotocol/server-github | GitHub operations (issues, PRs, repositories) |
| Browser | @modelcontextprotocol/server-puppeteer | Browser automation, scraping |
| Database | @modelcontextprotocol/server-postgres | PostgreSQL query and update |
| Search | @modelcontextprotocol/server-brave-search | Brave Search API |
| Notifications | @modelcontextprotocol/server-slack | Slack message sending |
The MCP official site lists available MCP servers. It’s also possible to implement your own custom MCP server using the SDKs published by Anthropic (Python and TypeScript).
Summary
Section titled “Summary”- MCP is an open standard that standardizes communication between AI agents and tools
- Agents connect to multiple MCP servers via an MCP client and call tools through a unified interface
- In Claude Code, simply writing settings to
.claude/mcp.jsonenables integration with MCP servers for file systems, GitHub, browsers, and more - The core of security design is three things: “allow/deny list,” “confirmation for irreversible operations,” and “sandboxing”
- The MCP ecosystem has many official and community servers, and custom server implementation is also possible
Frequently Asked Questions
Section titled “Frequently Asked Questions”Q: Can I build an agent without MCP?
A: Yes. You can call tools without MCP by using LLM provider features like Function Calling (OpenAI) or Tool Use (Anthropic) directly. MCP is a standard for standardizing tool integration, not a requirement. However, for cases with multiple tools, adopting MCP makes long-term maintenance easier.
Q: Where does an MCP server run? Locally?
A: Both local servers (stdio transport) and remote servers (HTTPS transport) are supported. Local servers have a security advantage, but remote MCP servers are needed when integrating with cloud services. See Local vs. Remote MCP for details.
Q: How should I manage credentials (API keys, etc.) for MCP servers?
A: Injecting them as environment variables is the standard approach (in the format "env": {"API_KEY": "${MY_API_KEY"}). Avoid hardcoding API keys in MCP configuration files, and add configuration files to .gitignore so they’re not committed to the repository.
Q: Can I build my own MCP server?
A: Yes. You can implement a custom MCP server using the Python SDK (mcp package) or TypeScript SDK (@modelcontextprotocol/sdk) provided by Anthropic. This is effective when you want to make your own internal APIs or proprietary data sources accessible to agents.
Q: What’s the difference between MCP and an API?
A: An API is the connection interface to a specific service. MCP is a meta-protocol that standardizes communication between agents and tools. MCP servers often call APIs internally. MCP doesn’t replace APIs — it’s a mechanism that makes it easier for agents to use APIs.
References
Section titled “References”- MCP Official Documentation
- Anthropic MCP GitHub
- Claude Code MCP Configuration Guide
- What Is MCP?
- What Is an AI Agent?
- Orchestration Patterns
Next step: What Is MCP?