
AI Agents and MCP

About 10 minutes

MCP (Model Context Protocol) is an open standard for connecting AI applications to external systems.[1] It reduces tool integration complexity by giving agents a shared protocol for working with external tools and services.

The Challenge of AI Agents and Tool Integration

Tools are essential for AI agents to “act.” However, traditional tool integration had the following challenges:

| Challenge | Details |
| --- | --- |
| Inconsistent API specs | Different request formats, authentication methods, and response structures per tool |
| Increasing integration cost | Custom implementation required for every new tool added (M×N problem) |
| Complex error handling | Different error codes and exception handling per tool |
| Dispersed security management | Separate credential and permission management per tool |

Concretely, when an agent combines web search, GitHub operations, database queries, and file operations, it has to import a different SDK for each and call each one in a different format.

MCP solves the above challenges by placing a common protocol layer between agents and tools.

Agents only need to call tools in MCP — a “common language” — while the MCP server abstracts away the implementation details of each tool.

The USB-C analogy is helpful here. The official MCP documentation also describes MCP as a USB-C-like standard connection for AI applications.[1]

Here’s the overall picture of how an agent calls tools via MCP:

```mermaid
graph LR
    subgraph AgentSystem["Agent System"]
        Agent["Agent\n(LLM Core)"]
        MCPClient["MCP Client\n(Protocol translation)"]
        Agent <-->|"Tool call request\n· Execution result"| MCPClient
    end

    subgraph MCPServers["MCP Servers"]
        FS["File System MCP\nFile read/write"]
        GitHub["GitHub MCP\nRepository operations"]
        Browser["Puppeteer MCP\nBrowser automation"]
        DB["Database MCP\nDB query · update"]
        Search["Search MCP\nWeb search"]
    end

    MCPClient <-->|"Standardized MCP protocol"| FS
    MCPClient <-->|"Standardized MCP protocol"| GitHub
    MCPClient <-->|"Standardized MCP protocol"| Browser
    MCPClient <-->|"Standardized MCP protocol"| DB
    MCPClient <-->|"Standardized MCP protocol"| Search
```

The MCP client is the Host-side component that maintains a connection to an MCP Server and obtains context for the Host to use.[2] The agent can use tools through a unified protocol.

Claude Code supports MCP. The official documentation describes claude mcp add and scope-specific configuration: project-scoped servers are stored in root .mcp.json, while user/local settings are stored in ~/.claude.json.[3]

Conceptual .mcp.json example; use the official setup command for the server you choose.

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "filesystem-mcp-server",
      "args": [
        "/Users/yourname/projects"
      ]
    }
  }
}
```

With the File System MCP configured, the agent can autonomously:

  • Retrieve a list of project files
  • Read and analyze file contents
  • Write code modifications to files
  • Understand the directory structure for design decisions

GitHub MCP

```json
{
  "mcpServers": {
    "github": {
      "command": "github-mcp-server",
      "args": [],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
      }
    }
  }
}
```

With the GitHub MCP, the agent can:

  • Reference issue contents and fix code accordingly
  • Create and update Pull Requests
  • Search and analyze repository code
  • Review commit history to investigate bugs

Puppeteer/Playwright MCP (Browser Automation)

Automates web UI testing, scraping, and dynamic content retrieval.

```json
{
  "mcpServers": {
    "puppeteer": {
      "command": "browser-mcp-server",
      "args": []
    }
  }
}
```

Database MCP

Execute queries and updates against databases such as PostgreSQL and SQLite through a standardized interface.

```json
{
  "mcpServers": {
    "postgres": {
      "command": "postgres-mcp-server",
      "args": [
        "postgresql://localhost/mydb"
      ]
    }
  }
}
```

Here’s the detailed flow when an agent calls an MCP tool:

```mermaid
sequenceDiagram
    participant U as User
    participant A as Agent (LLM)
    participant MC as MCP Client
    participant MS as MCP Server
    participant T as External Tool/API

    U->>A: Task request: "Look at the issue and fix the code"

    A->>MC: Request list of available tools
    MC->>MS: tools/list
    MS->>MC: Tool list (read_file, write_file, list_issues, etc.)
    MC->>A: Return tool list

    A->>A: Reason: Read the issue via GitHub MCP

    A->>MC: tools/call: list_issues(repo="myrepo")
    MC->>MS: tools/call request
    MS->>T: GitHub API call
    T->>MS: Issue data
    MS->>MC: Tool execution result
    MC->>A: Return issue content

    A->>A: Reason: Identify the file that needs to be fixed

    A->>MC: tools/call: read_file(path="src/auth.ts")
    MC->>MS: tools/call request
    MS->>T: File system read
    T->>MS: File content
    MS->>MC: File content
    MC->>A: Return file content

    A->>A: Reason: Generate the fix

    Note over A,U: Irreversible operation (file write) requires confirmation
    A->>U: "Would you like to apply the following changes?" (approval request)
    U->>A: Approved

    A->>MC: tools/call: write_file(path="src/auth.ts", content="...")
    MC->>MS: tools/call request
    MS->>T: File write
    T->>MS: Success
    MS->>MC: Complete
    MC->>A: Write successful

    A->>U: Report fix complete
```
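The diagram shows the message flow in the abstract. The following Python block is an added example, not code from the original page or from any official MCP SDK: it simulates both sides of the `tools/list` and `tools/call` exchange in one process, using the JSON-RPC 2.0 framing MCP builds on. The two tools (`read_file`, `list_issues`), their sample data, and the direct function call that stands in for a stdio or HTTP transport are all constructed for the example. It also shows the distinction a client has to handle: a bad request (unknown tool, missing argument) comes back as a JSON-RPC error, while a failure during execution comes back in-band as a result with `isError` set.

```python
import json

# Constructed sample data standing in for the file system and the GitHub API.
FAKE_FILES = {"src/auth.ts": "export function login(user: string) { /* ... */ }\n"}
FAKE_ISSUES = {"myrepo": [{"number": 42, "title": "Login accepts empty password"}]}

# Tool descriptors in the shape a tools/list response carries (name, description, inputSchema).
TOOLS = [
    {"name": "read_file", "description": "Read a project file",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "list_issues", "description": "List open issues of a repository",
     "inputSchema": {"type": "object", "properties": {"repo": {"type": "string"}},
                     "required": ["repo"]}},
]


def _validate_args(schema, args):
    """Minimal inputSchema check: required keys present, declared string types respected."""
    for key in schema.get("required", []):
        if key not in args:
            raise ValueError(f"missing required argument: {key}")
    for key, spec in schema.get("properties", {}).items():
        if key in args and spec.get("type") == "string" and not isinstance(args[key], str):
            raise ValueError(f"argument {key} must be a string")


def _run_tool(name, args):
    """The server's actual work; a dictionary lookup replaces the file read or API call."""
    if name == "read_file":
        return FAKE_FILES[args["path"]]
    return json.dumps(FAKE_ISSUES.get(args["repo"], []))


def _ok(rid, result):
    return json.dumps({"jsonrpc": "2.0", "id": rid, "result": result})


def _err(rid, code, message):
    return json.dumps({"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}})


def server_handle(raw):
    """Server side: dispatch one JSON-RPC request and return the response as text."""
    req = json.loads(raw)
    rid, method = req.get("id"), req.get("method")
    if method == "tools/list":
        return _ok(rid, {"tools": TOOLS})
    if method != "tools/call":
        return _err(rid, -32601, "Method not found")
    params = req.get("params", {})
    name, args = params.get("name"), params.get("arguments", {})
    tool = next((t for t in TOOLS if t["name"] == name), None)
    if tool is None:
        return _err(rid, -32602, f"Unknown tool: {name}")
    try:
        _validate_args(tool["inputSchema"], args)
    except ValueError as exc:
        return _err(rid, -32602, str(exc))  # protocol-level error: the request itself is bad
    try:
        text = _run_tool(name, args)
    except KeyError as exc:
        # Execution failure is reported in-band (isError) so the model can see it and react.
        return _ok(rid, {"content": [{"type": "text", "text": f"not found: {exc}"}], "isError": True})
    return _ok(rid, {"content": [{"type": "text", "text": text}], "isError": False})


class McpClient:
    """Client side: numbers requests, sends them over a transport, checks the reply."""

    def __init__(self, transport):
        self._send = transport  # a stdio or HTTP transport is replaced by a plain callable here
        self._next_id = 0

    def _call(self, method, params=None):
        self._next_id += 1
        msg = {"jsonrpc": "2.0", "id": self._next_id, "method": method}
        if params is not None:
            msg["params"] = params
        resp = json.loads(self._send(json.dumps(msg)))
        if resp.get("id") != self._next_id:
            raise RuntimeError("response id does not match request")
        if "error" in resp:
            raise RuntimeError(f"{resp['error']['code']}: {resp['error']['message']}")
        return resp["result"]

    def list_tools(self):
        return [t["name"] for t in self._call("tools/list")["tools"]]

    def call_tool(self, name, **arguments):
        result = self._call("tools/call", {"name": name, "arguments": arguments})
        text = "".join(c["text"] for c in result["content"] if c["type"] == "text")
        return result.get("isError", False), text


def demo():
    """Walk the first half of the diagram: discover tools, read the issue, read the file."""
    client = McpClient(server_handle)
    tools = client.list_tools()
    is_error, issues = client.call_tool("list_issues", repo="myrepo")
    _, source = client.call_tool("read_file", path="src/auth.ts")
    return tools, is_error, json.loads(issues), source


if __name__ == "__main__":
    print(demo())
```

The request id check in `_call` is the part most often skipped in toy clients; over a real transport it is what keeps a delayed or duplicated reply from being attributed to the wrong call.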

Appropriate security design is essential for agents using tools via MCP.

Explicitly restrict the tools and operations an agent can use.

Security configuration example (conceptual). The filesystem server is started with a single directory, which limits what the agent can reach; the allow list names the read-only operations the agent may use, and the deny list prohibits file deletion and repository deletion.

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects/safe-dir"
      ]
    }
  },
  "permissions": {
    "allow": [
      "filesystem/read_file",
      "filesystem/list_directory",
      "github/list_issues",
      "github/read_pull_request"
    ],
    "deny": [
      "filesystem/delete_file",
      "github/delete_repository"
    ]
  }
}
```

Confirmation for Irreversible Operations (Human-in-the-loop)

Design so that human confirmation is always required before operations that cannot be undone.

| Operation Category | Examples | Recommended Response |
| --- | --- | --- |
| High risk (always confirm) | File deletion, database deletion, email sending, payment | Display changes and require explicit approval |
| Medium risk (confirm recommended) | File overwrite, POST to external API, config changes | Show a preview of the changes |
| Low risk (auto-execute) | File reading, web search, list retrieval | Execute without confirmation |

Claude Code provides dangerous modes such as --dangerously-skip-permissions that bypass permission prompts. For normal operation, do not bypass confirmation for important actions.[4]
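The allow/deny list and the risk tiers above are both decisions a client-side gate can make before a `tools/call` ever reaches a server. The following Python block is an added example that is not part of the original page or of Claude Code: it implements such a gate for tool names in the `server/tool` form the conceptual configuration uses. The policy, the risk-tier patterns, the per-server directory boundary (`roots`) and the stand-in approval function are constructed for the example; `filesystem/write_file` is added to the allow list so the medium-risk path can be exercised. Deny wins over allow, anything not explicitly allowed is refused, `path` arguments are resolved against the configured root so `..` and symlinks cannot leave it, and every decision is recorded for audit.

```python
import fnmatch
import os

# Constructed policy following the conceptual config; write_file is allowed here so
# that the medium-risk path can be exercised.
POLICY = {
    "allow": ["filesystem/read_file", "filesystem/list_directory", "filesystem/write_file",
              "github/list_issues", "github/read_pull_request"],
    "deny": ["filesystem/delete_file", "github/delete_repository"],
    # Directory boundary per server, mirroring the single path given to the filesystem server.
    "roots": {"filesystem": "/Users/yourname/projects/safe-dir"},
}

# Risk tiers from the table: high and medium need a human decision, low runs automatically.
RISK_PATTERNS = {
    "high": ["*/delete_*", "*/drop_*", "*/send_email", "*/pay*"],
    "medium": ["*/write_*", "*/create_*", "*/update_*", "*/post_*"],
}


def risk_tier(tool):
    for tier, patterns in RISK_PATTERNS.items():
        if any(fnmatch.fnmatchcase(tool, p) for p in patterns):
            return tier
    return "low"


def inside_root(root, path):
    """True if `path` (relative or absolute) stays under `root` once `..` and symlinks are resolved."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, path))
    return os.path.commonpath([root_real, target]) == root_real


class ToolGate:
    """Sits between the agent and the MCP client; every tools/call passes through check()."""

    def __init__(self, policy, approve):
        self.policy = policy
        self.approve = approve  # callable(tool, arguments, tier) -> bool, normally a UI prompt
        self.audit = []         # (tool, allowed, reason) for every decision taken

    def check(self, tool, arguments):
        if any(fnmatch.fnmatchcase(tool, p) for p in self.policy["deny"]):
            return self._decide(tool, False, "denied by deny list")
        if not any(fnmatch.fnmatchcase(tool, p) for p in self.policy["allow"]):
            return self._decide(tool, False, "not on allow list")
        server = tool.split("/", 1)[0]
        root = self.policy["roots"].get(server)
        if root and "path" in arguments and not inside_root(root, arguments["path"]):
            return self._decide(tool, False, "path escapes configured root")
        tier = risk_tier(tool)
        if tier != "low" and not self.approve(tool, arguments, tier):
            return self._decide(tool, False, f"{tier}-risk call not approved")
        return self._decide(tool, True, f"{tier} risk")

    def _decide(self, tool, allowed, reason):
        self.audit.append((tool, allowed, reason))
        return allowed, reason


def demo():
    def approver(tool, arguments, tier):
        # Constructed stand-in for the interactive prompt: approves the write, nothing else.
        return tool == "filesystem/write_file"

    gate = ToolGate(POLICY, approver)
    return {
        "read": gate.check("filesystem/read_file", {"path": "src/auth.ts"}),
        "traverse": gate.check("filesystem/read_file", {"path": "../../outside.txt"}),
        "write": gate.check("filesystem/write_file", {"path": "src/auth.ts", "content": "..."}),
        "delete": gate.check("filesystem/delete_file", {"path": "src/auth.ts"}),
        "unknown": gate.check("shell/run_command", {"command": "ls"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```

The gate classifies by tool name, so the server's own tool naming decides how well the tiers fit; a server that exposes one generic `execute` tool for everything cannot be tiered this way and should be treated as high risk throughout.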

When an agent executes code, run it inside a sandbox (isolated execution environment) so it doesn’t directly affect the production environment.

```mermaid
graph LR
    Agent["Agent"] --> Sandbox["Sandbox Environment\n(Docker container, etc.)"]
    Sandbox --> |"Limited access only"| Prod["Production Environment\n(Protected)"]
    Sandbox --> LocalFS["Local File System\n(Working directory)"]
    Sandbox --> Internet["Internet\n(As needed)"]
```

Sandbox execution examples

  • Limit code execution to inside a Docker container
  • Prohibit writes to the production database; use a test DB only
  • Restrict network access to only the necessary endpoints
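The three bullets map onto concrete Docker options. The following Python block is an added example, not from the original page or from Claude Code: it assembles a `docker run` argument list for executing agent-generated code with the working directory as the only writable host path, no network unless explicitly requested, a read-only root filesystem, all capabilities dropped, a non-root user and resource ceilings. The image, command, limits and the test database URL are constructed defaults. Restricting network access to specific endpoints, as the last bullet asks, cannot be done with `docker run` flags alone; it needs an egress proxy or host firewall rules, which this builder does not set up.

```python
import os
import shlex


def sandbox_command(workdir, image="python:3.12-slim", cmd=("python", "main.py"),
                    env=None, network=False, memory="512m", cpus="1.0", uid=1000):
    """Return the argv for a `docker run` that exposes only `workdir` to the container."""
    if not os.path.isabs(workdir) or os.path.normpath(workdir) == os.sep:
        raise ValueError("workdir must be an absolute host path below the root")
    argv = [
        "docker", "run", "--rm",
        "--network", "bridge" if network else "none",  # no network unless explicitly needed
        "--read-only",                                 # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",   # scratch space that cannot hold executables
        "--cap-drop", "ALL",                           # no Linux capabilities at all
        "--security-opt", "no-new-privileges",         # setuid binaries cannot raise privileges
        "--user", f"{uid}:{uid}",                      # never root inside the container
        "--memory", memory, "--cpus", cpus, "--pids-limit", "256",  # resource ceilings
        "--workdir", "/workspace",
        "-v", f"{os.path.normpath(workdir)}:/workspace:rw",  # the only host path mounted
    ]
    for key, value in (env or {}).items():
        argv += ["--env", f"{key}={value}"]           # e.g. a test database URL, never production
    argv += [image, *cmd]
    return argv


def render(argv):
    """Shell-quoted form of the command, for logging or for pasting into a terminal."""
    return " ".join(shlex.quote(a) for a in argv)


def demo():
    # Constructed values: a working directory and a test database, nothing production-facing.
    return sandbox_command("/srv/agent/work",
                           env={"DATABASE_URL": "postgresql://test-db.internal/testdb"})


if __name__ == "__main__":
    print(render(demo()))
```

The builder only returns the argument list; running it is a separate step, which keeps the policy (what the sandbox looks like) reviewable and testable on its own.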

MCP is an open standard, and the community has published numerous MCP servers.

Conceptual MCP server categories

| Category | Provided Functionality |
| --- | --- |
| File system | File read/write, directory operations |
| Version control | Issue, PR, and repository operations |
| Browser | Browser automation, scraping |
| Database | SQL database query and update |
| Search | Search API calls |
| Notifications | Message sending |

The MCP official site links to the registry and SDKs, so you can find existing servers or build your own.[1]

  • MCP is an open standard that standardizes communication between AI agents and tools
  • Agents connect to multiple MCP servers via an MCP client and call tools through a unified interface
  • In Claude Code, add MCP servers through the official workflow and manage project-shared settings in .mcp.json or personal settings in ~/.claude.json[3]
  • The core of security design is three things: “allow/deny list,” “confirmation for irreversible operations,” and “sandboxing”
  • The MCP ecosystem has many official and community servers, and custom server implementation is also possible

Q: Can I build an agent without MCP?

A: Yes. You can call tools without MCP by using LLM provider features like Function Calling (OpenAI) or Tool Use (Anthropic) directly. MCP is a standard for standardizing tool integration, not a requirement. However, for cases with multiple tools, adopting MCP makes long-term maintenance easier.

Q: Where does an MCP server run? Locally?

A: Both local servers (stdio transport) and remote servers (Streamable HTTP transport) exist.[2] See Local vs. Remote MCP for details.

Q: How should I manage credentials (API keys, etc.) for MCP servers?

A: Injecting them as environment variables is the common approach (for example, "env": {"API_KEY": "${MY_API_KEY}"}). Avoid hardcoding API keys in MCP configuration files, and keep personal or local credentials out of project-shared configuration.[3]
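One way to make that answer mechanical, as an added Python example that is not code from the original page or from Claude Code: a loader reads the MCP configuration, resolves every `${VAR}` reference in an `env` block from the process environment, and reports two kinds of problem instead of silently continuing: a literal value pasted into the config (which would end up in version control) and a referenced variable that is not set. The sample configuration and the environment dictionary are constructed; the resolved values are returned for passing to the server process and are never written back to the file.

```python
import json
import re

# A value is acceptable only if it is exactly a ${VARIABLE_NAME} reference.
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def resolve_env(env_block, environ):
    """Replace ${VAR} references from `environ`; refuse literal values and unset variables."""
    resolved, problems = {}, []
    for key, value in env_block.items():
        match = PLACEHOLDER.match(str(value))
        if not match:
            problems.append(f"{key}: literal value in config (move it to the environment)")
            continue
        var = match.group(1)
        if var not in environ:
            problems.append(f"{key}: environment variable {var} is not set")
            continue
        resolved[key] = environ[var]
    return resolved, problems


def load_mcp_config(text, environ):
    """Parse an mcpServers config and return (servers with resolved env, list of problems)."""
    cfg = json.loads(text)
    servers, problems = {}, []
    for name, spec in cfg.get("mcpServers", {}).items():
        env, env_problems = resolve_env(spec.get("env", {}), environ)
        problems += [f"{name}.env.{p}" for p in env_problems]
        servers[name] = {**spec, "env": env}
    return servers, problems


# Constructed project-shared .mcp.json: two correct references and one pasted literal.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "github-mcp-server", "args": [],
                   "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"}},
        "search": {"command": "search-mcp-server", "args": [],
                   "env": {"API_KEY": "${SEARCH_API_KEY}"}},
        "notify": {"command": "notify-mcp-server", "args": [],
                   "env": {"WEBHOOK_TOKEN": "literal-token-pasted-into-config"}},
    }
})


def demo(environ=None):
    """Load the sample with a constructed environment in which only GITHUB_TOKEN is set."""
    if environ is None:
        environ = {"GITHUB_TOKEN": "constructed-github-token"}
    return load_mcp_config(SAMPLE_CONFIG, environ)


if __name__ == "__main__":
    servers, problems = demo()
    for line in problems:
        print("problem:", line)
    print({name: sorted(spec["env"]) for name, spec in servers.items()})
```

Running the same check in CI against the project-shared file, with an empty environment, turns the "no hardcoded keys" rule into a failing build rather than a code-review reminder.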

Q: Can I build my own MCP server?

A: Yes. The official MCP architecture guide treats language-specific SDKs as part of the MCP project set.[2] This is useful when you want to make internal APIs or proprietary data sources accessible to agents.

Q: What’s the difference between MCP and an API?

A: An API is the connection interface to a specific service. MCP is a meta-protocol that standardizes communication between agents and tools. MCP servers often call APIs internally. MCP doesn’t replace APIs — it’s a mechanism that makes it easier for agents to use APIs.

  1. Model Context Protocol, What is the Model Context Protocol?
  2. Model Context Protocol, Architecture overview
  3. Anthropic, Connect Claude Code to tools via MCP
  4. Anthropic, Claude Code security