Skills
Kill MCP 'omnibus tools' with closed-enum dispatch and narrowest-type schemas
The single most common MCP vulnerability is the omnibus tool (`execute`, `query`, `run`) that accepts free-form input and dispatches on a runtime action string, becoming a privilege-escalation primitive. The fix is structural: match handlers only against a fixed enum of operations, and make dangerous requests unexpressible via enums over strings, bounded integers, and branded IDs in the schema. Add per-tool authorization at dispatch (never let handlers self-check) and read tenant IDs from verified token claims, not the request body.
↳ Follow the thread