Use this before an AI agent gets real tools

MCP servers make AI agents useful because they can connect to files, shells, browsers, databases, email, repositories, and cloud services. That also makes permissions, credentials, logs, and untrusted input more important than they are in a simple chat workflow.

What this checklist is good for

  • Reviewing a new MCP server before connecting it to Claude, Cursor, VS Code, or a custom agent.
  • Separating read-only experiments from write-capable production workflows.
  • Preparing a short security note before giving an agent access to code, customer data, or cloud resources.
  • Finding gaps in logging, secrets handling, prompt-injection testing, and rollback plans.

What this checklist does not replace

It is not legal advice, a compliance audit, or a penetration test. Treat the exported report as a planning note for engineering and security review.

Frequently asked questions

What is an MCP security checklist?

An MCP security checklist is a practical review for AI agents and Model Context Protocol servers. It checks tool permissions, credentials, logs, prompt-injection exposure, tool-poisoning risk, and destructive actions before an agent is used on real work.
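One way to turn those checks (and the read-only versus write-capable split mentioned above) into a repeatable pre-connection review, as an added example that is not DayBridge's code and not part of the checklist itself: the script below reads the `mcpServers` JSON shape used by Claude Desktop and Cursor (command, args, env), classifies each tool by the MCP `readOnlyHint` / `destructiveHint` annotations a server reports for its tools, flags credential-looking `env` entries that hold a literal value instead of a reference to the host environment, and recommends whether the server belongs in a read-only experiment or a write-capable workflow. The server names, tool names, and token value are constructed sample data; treating missing annotations as write-capable is this reviewer's conservative choice, not something the protocol mandates.

```python
"""Defensive pre-connection review of MCP server configs (added example)."""
import json
import re

# Constructed sample config in the mcpServers shape: one server with a literal
# token in env, one that references the host environment instead.
SAMPLE_CONFIG = {
    "mcpServers": {
        "repo-tools": {
            "command": "npx",
            "args": ["-y", "example-repo-mcp"],  # placeholder package name
            "env": {"GITHUB_TOKEN": "ghp_constructedsamplevalue", "LOG_LEVEL": "info"},
        },
        "docs-search": {
            "command": "npx",
            "args": ["-y", "example-docs-mcp"],  # placeholder package name
            "env": {"SEARCH_API_KEY": "${SEARCH_API_KEY}"},
        },
    }
}

# Constructed tool lists, shaped like what a server returns from tools/list.
SAMPLE_TOOLS = {
    "repo-tools": [
        {"name": "read_file", "annotations": {"readOnlyHint": True}},
        {"name": "delete_branch", "annotations": {"readOnlyHint": False, "destructiveHint": True}},
        {"name": "run_shell", "annotations": {}},  # no hints at all
    ],
    "docs-search": [
        {"name": "search_docs", "annotations": {"readOnlyHint": True}},
    ],
}

SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|CREDENTIAL", re.I)
ENV_REFERENCE_RE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")  # e.g. ${GITHUB_TOKEN}


def classify_tools(tools):
    """Bucket tools by declared annotations. A tool with no readOnlyHint is
    put in 'unannotated' and counted as write-capable, because the reviewer
    has no declared reason to assume it is safe."""
    buckets = {"read_only": [], "write": [], "destructive": [], "unannotated": []}
    for tool in tools:
        ann = tool.get("annotations") or {}
        name = tool["name"]
        if "readOnlyHint" not in ann:
            buckets["unannotated"].append(name)
            buckets["write"].append(name)
        elif ann["readOnlyHint"]:
            buckets["read_only"].append(name)
        else:
            buckets["write"].append(name)
            # Conservative reading: a write tool is destructive unless it says otherwise.
            if ann.get("destructiveHint", True):
                buckets["destructive"].append(name)
    return buckets


def find_plaintext_secrets(server_cfg):
    """Return env keys that look like credentials and carry a literal value
    rather than a reference such as ${NAME} to the host environment."""
    hits = []
    for key, value in (server_cfg.get("env") or {}).items():
        if SECRET_NAME_RE.search(key) and not ENV_REFERENCE_RE.match(str(value)):
            hits.append(key)
    return hits


def review_server(name, server_cfg, tools):
    """Produce checklist findings plus a recommended rollout mode for one server."""
    findings = []
    buckets = classify_tools(tools)
    for key in find_plaintext_secrets(server_cfg):
        findings.append(f"{name}: env {key} holds a literal secret; load it from the host env or a secret store")
    for tool in buckets["unannotated"]:
        findings.append(f"{name}: tool {tool} has no readOnlyHint; classify it manually before enabling")
    for tool in buckets["destructive"]:
        findings.append(f"{name}: tool {tool} is destructive; require human approval, logging and a rollback plan")
    if buckets["write"]:
        mode = "write-capable: gate behind approval, logging and rollback"
    else:
        mode = "read-only experiment"
    return {"mode": mode, "findings": findings, "tools": buckets}


def review_config(config, tools_by_server):
    """Review every server in an mcpServers config; unknown servers get no tools."""
    return {
        name: review_server(name, cfg, tools_by_server.get(name, []))
        for name, cfg in config["mcpServers"].items()
    }


if __name__ == "__main__":
    print(json.dumps(review_config(SAMPLE_CONFIG, SAMPLE_TOOLS), indent=2))
```

Run against a real config, feed it the tool list the server actually returns from `tools/list`, and paste the findings into the planning note; the point is to make the read-only / write-capable decision explicit before the agent is connected, not to replace a manual review of what each tool does.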

Is this a penetration test or compliance audit?

No. This page is a lightweight planning checklist. Use it to find obvious gaps before production use, then involve security, legal, and compliance owners for formal review.

Why avoid prompt-injection payload generation here?

Payload generators can become dual-use. DayBridge keeps this page focused on defensive review, permission boundaries, and safer testing questions instead of publishing attack payloads.