Comment by zingar
7 hours ago
Can you not just install/ restrict the available CLIs in the same way you do with MCPs?
Or what else am I missing about why MCP is more secure than a CLI?
7 hours ago
Can you not just install/ restrict the available CLIs in the same way you do with MCPs?
Or what else am I missing about why MCP is more secure than a CLI?
MCP allows you to easily separate API requests from their access tokens, so that the LLM only has access to the requests part. Giving an LLM CLI access removes all boundaries, anything goes.
EDIT: to add an example: I have a personal claw agent that I only use CLI, I don't care. But I'm also building an agent inside a company product, and there we use MCP all the way.
You can easily do this with simple Unix `chmod x-rw` on a wrapper that makes HTTP requests, adding the access token as it does.
Another examole which is trivial with MCP but hard with cli binaries: blocking certain commands, such as write operations from the agent. With MCP your client can easily have a blocklist for commands, but with cli you would need to code custom logic for each cli separately.
Just use scopes in the API key the agent uses? If you’re exposing something publicly that should be a requirement anyways.
That’s how I use gh, aws, etc. No need to modify any of the code in the cli, they’re just wrappers.
I want the harness to use read freely but require confirmation for write.
Access control is the operating system's job, and modern OSes already provide plenty of great tools for doing that.
Just use the existing sandboxing infrastructure like bubblewrap, seccomp, etc. I have way more faith in that than in something than some regex-based blocklist.
With MCP your client can easily have a blocklist for commands, but with cli you would need to code custom logic for each cli separately.
Nah. Just don't let your model do anything potentially destructive until three or four other models have vetted the proposed action.
Filtering individual commands can never provide more than the shallowest semblance of security. If a smart model is hellbent on deleting your production database, it will write its own Python program to do it if the usual commands are blocked.
How do you ensure the cli can use the auth without knowing how to read it ? It’s potentially a bearer Token
[dead]