What is a Local MCP Server?

A local MCP server is an MCP server that runs on the user's own machine, launched by the client as a subprocess and communicating over the stdio transport. It runs with the user's operating-system privileges, so it inherits their filesystem access and any credentials present in the local environment.

WHY IT MATTERS

In the stdio transport, the client launches the server process and exchanges newline-delimited JSON-RPC messages over the server's standard input and output. Most local servers are never permanently installed: the host's configuration (typically an MCP JSON configuration file) specifies a command such as npx -y some-mcp-server or uvx some-mcp-server, which fetches and executes the package at launch, or points at a pre-built binary.

The defining security property is inheritance. A local server is an ordinary process under the user's account: it can read the same files, use the same SSH keys and cloud credentials, and reach the same internal network as the user. Nothing in the protocol constrains it — the tool schema it advertises describes what it offers the model, not what the process is technically able to do.

That makes the supply chain the dominant concern:

  • npx -y and uvx execute the latest published package version on every cold start, so a compromised release runs immediately — the classic MCP supply-chain attack path.
  • Typosquatted or look-alike packages can impersonate popular servers.
  • A server that starts benign can change behaviour in a later version (rug pull).

Mitigations include pinning exact versions, vetting servers before adoption, running servers in containers or sandboxes, and applying least privilege to the credentials available in their environment.
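As an added example (not code from PolicyLayer or the original page), the following checker walks an MCP JSON configuration and reports which servers are launched through npx or uvx without an exact version pin. The configuration, the package names and the "mcpServers" layout are constructed for the example; the pin regexes are a deliberately strict approximation of the npm and PyPI spec formats.

```python
import json
import re

# Constructed sample configuration; package names are placeholders, not real servers.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "npx", "args": ["-y", "@example/files-mcp"]},
        "files-latest": {"command": "npx", "args": ["-y", "@example/files-mcp@latest"]},
        "db": {"command": "npx", "args": ["-y", "@example/db-mcp@1.4.2"]},
        "search": {"command": "uvx", "args": ["example-search-mcp"]},
        "search-pinned": {"command": "uvx", "args": ["example-search-mcp==0.3.1"]},
        "local-bin": {"command": "/usr/local/bin/example-mcp", "args": []},
    }
})

# Exact pins only: "name@1.2.3" (optionally scoped) for npm, "name==1.2.3" for PyPI.
# Tags such as @latest and ranges such as ^1.2 float, so they count as unpinned.
NPM_PIN = re.compile(r"^(@[^/@]+/)?[^@/]+@\d+\.\d+\.\d+$")
PYPI_PIN = re.compile(r"^[A-Za-z0-9_.\-]+==\d+(\.\d+)*$")
LAUNCHERS = {"npx": NPM_PIN, "uvx": PYPI_PIN}


def package_spec(command, args):
    """Return the package spec a fetch-and-run launcher would resolve, or None
    when the command is a plain binary rather than npx/uvx."""
    if command not in LAUNCHERS:
        return None
    # Skip flags such as -y / --yes; the first non-flag token is the package.
    for token in args:
        if not token.startswith("-"):
            return token
    return None


def assess(config_text):
    """Classify each server as 'binary', 'pinned' or 'unpinned'.

    A pin stops silent upgrades on the next cold start; it does not vet the
    pinned code itself, so vetting and sandboxing still apply."""
    servers = json.loads(config_text).get("mcpServers", {})
    verdicts = {}
    for name, entry in servers.items():
        command, args = entry.get("command", ""), entry.get("args", [])
        spec = package_spec(command, args)
        if spec is None:
            verdicts[name] = "binary"
        elif LAUNCHERS[command].match(spec):
            verdicts[name] = "pinned"
        else:
            verdicts[name] = "unpinned"
    return verdicts
```

Any server reported as "unpinned" re-resolves the package on every cold start, which is exactly the window a compromised release exploits.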

See a local MCP server working in your own stack — route your MCP servers through PolicyLayer and every tool call is checked against policy before it runs.

GOVERN YOUR MCP SERVERS →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

PolicyLayer's catalogue at /tools classifies the tools of thousands of published MCP servers by risk before you install them, and the CLI scanner (npx policylayer) inspects the servers in a local MCP configuration. Routing clients through the PolicyLayer gateway adds deterministic per-call policy on top, so a misbehaving tool call is denied before it executes.

FREQUENTLY ASKED QUESTIONS

How does a local MCP server communicate with the client?
Over the stdio transport: the client launches the server as a subprocess and exchanges newline-delimited JSON-RPC messages via the server's stdin and stdout, with stderr available for logging.

What can a local MCP server access on my machine?
Everything your user account can: files, environment variables, locally stored credentials and the local network. The protocol itself imposes no sandbox — restrictions must come from the OS, containers or policy tooling.

Why is npx -y a supply-chain risk for MCP servers?
It downloads and executes the latest published version of the package at launch, so a malicious or compromised release runs on your machine with your privileges as soon as the server next starts.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.
