What are Insecure Tool Defaults?


MCP tools that ship with permissive default settings — such as unrestricted file access, no authentication, or broad argument ranges — creating vulnerabilities when agents use them without explicit hardening.

WHY IT MATTERS

Software defaults matter enormously. Most users never change them. In traditional software, insecure defaults have caused decades of breaches — open database ports, default admin credentials, permissive CORS headers. MCP tools inherit this problem and amplify it.

When an MCP server exposes a file system tool with no path restrictions by default, any connected agent can read /etc/passwd or write to arbitrary locations. When a database tool defaults to full query access, agents can DROP TABLE as easily as SELECT. The tool authors assume operators will configure restrictions — but in practice, many deployments run with defaults.

The problem is compounded by AI agents. A human developer might notice that a tool has dangerous defaults and configure restrictions. An agent does not exercise this judgement — it uses whatever capabilities are available. If the file system tool allows writes, the agent will write when it deems appropriate. The agent optimises for task completion, not security.

This creates a systemic risk: as the MCP ecosystem grows and developers install tools from registries, the aggregate attack surface of unconfigured defaults expands. Each insecure default is a potential entry point for prompt injection, data exfiltration, or privilege escalation.

HOW POLICYLAYER USES THIS

Intercept provides a security layer that is independent of individual tool defaults. Even if an MCP server ships with unrestricted file access, Intercept's YAML policies can constrain which paths are accessible, which operations are permitted, and what argument values are allowed. This means organisations do not rely on every tool author making secure choices — Intercept enforces the organisation's own security posture regardless of upstream defaults. The fail-closed design ensures that tools without explicit policy rules are denied by default.

FREQUENTLY ASKED QUESTIONS

Why do MCP tools ship with permissive defaults?
Tool authors optimise for ease of setup and flexibility. Restrictive defaults create friction for new users and limit the tool's apparent capability. This is the same dynamic that led to decades of insecure software defaults in web servers, databases, and cloud services.
How do I audit my MCP tools for insecure defaults?
Review each tool's documentation and test which operations are permitted with no configuration applied. With Intercept, you can run in log-only mode to observe which tools and arguments agents actually use, then write policies that restrict access to just those patterns.
Is fail-closed the right default for tool access?
For security-sensitive environments, yes. Fail-closed means any tool not explicitly allowed by policy is denied. This inverts the insecure-defaults problem — instead of everything being permitted unless restricted, nothing is permitted unless allowed.
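To make the fail-closed model concrete, both for the policy constraints described under "How PolicyLayer uses this" and for the FAQ answer above, here is a small policy evaluator added for this page. It is not Intercept's code, and the policy dictionary is a constructed stand-in for the kinds of constraint a YAML policy expresses (allowed paths, permitted operations, argument patterns), not Intercept's actual schema.

```python
import re
from pathlib import PurePosixPath

# Constructed policy for illustration; this is not Intercept's YAML schema.
# Anything not listed here (tool, operation, path, argument value) is denied.
POLICY = {
    "filesystem": {
        "operations": {"read"},              # writes denied even if the tool allows them
        "allowed_paths": ["/srv/app/data"],  # roots the agent may touch
    },
    "database": {
        "operations": {"query"},
        # one SELECT statement only: rejects DROP/DELETE and stacked statements
        "argument_rules": {"sql": r"^\s*SELECT\b[^;]*$"},
    },
}


def _path_allowed(path, roots):
    """Lexically resolve '.' and '..' first so traversal cannot escape an allowed root."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return False
    parts = []
    for part in p.parts[1:]:
        if part == "..":
            if not parts:
                return False  # tried to climb above '/'
            parts.pop()
        elif part not in ("", "."):
            parts.append(part)
    norm = PurePosixPath("/", *parts)
    return any(norm == PurePosixPath(r) or PurePosixPath(r) in norm.parents for r in roots)


def evaluate(tool, operation, args, policy=POLICY):
    """Return (allowed, reason) for one tool call, failing closed at every step."""
    rules = policy.get(tool)
    if rules is None:
        return False, f"no policy rule for tool {tool!r}"
    if operation not in rules.get("operations", set()):
        return False, f"operation {operation!r} not permitted on {tool!r}"
    if "allowed_paths" in rules and not _path_allowed(args.get("path", ""), rules["allowed_paths"]):
        return False, f"path {args.get('path')!r} is outside the allowed roots"
    for arg, pattern in rules.get("argument_rules", {}).items():
        if not re.match(pattern, str(args.get(arg, "")), re.IGNORECASE):
            return False, f"argument {arg!r} does not match policy"
    return True, "explicitly allowed by policy"
```

A call such as `evaluate("filesystem", "read", {"path": "/srv/app/data/../../../etc/passwd"})` is denied because the path normalises to `/etc/passwd`, and a tool with no policy entry at all is denied outright.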

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept