Noma Security — MCP Servers and Skills: The Observability Gap in AI Agent Deployments

AI relevance: Enterprise AI agent deployments now span hundreds of high-risk MCP tools and Skills, but defenders can audit MCP tool calls while Skill instructions execute invisibly inside the model's reasoning context — creating an asymmetry that real-world attackers are already exploiting.

Noma Security's whitepaper "Lethal by Design" analyzed hundreds of widely-used MCP servers and Skills against eight risky capability categories. Key findings:

• One in four MCP servers exposes AI agents to code execution risk. Most widely deployed MCPs include high-risk capabilities, and the majority of popular Skills carry at least one risky characteristic.
• Observability gap: MCP tool calls are deterministic and loggable — defenders can inspect parameters and responses. Skills load textual instructions into the model's reasoning context, where downstream effects play out inside the model's reasoning and cannot be enumerated like source code.
• A typical enterprise environment runs well over 100 high-risk tools connected to its agents. The single most prevalent risk across both mechanisms is the ability to change state or data — meaning agents can cause irreversible damage through either attack or hallucination.
• ContextCrush attack chain: A developer asks Cursor for coding help, the agent pulls documentation from a poisoned Context7 library, hidden instructions tell it to read local files and dump contents into an attacker-controlled GitHub issue. Half of MCPs that can communicate externally also have untrusted input and sensitive data access in the same toolset.
• ForcedLeak attack chain: Malicious instructions arrive inside a Salesforce CRM record submitted through a Web-to-Lead form. When an employee asks Agentforce to process the lead, the agent treats the poisoned content as authoritative instruction and exfiltrates data.
• Rug-pull asymmetry: Skills are usually static files requiring manual updates, making them harder to rug-pull. MCP servers pinned to @latest fetch new package versions on every agent load — creating a supply-chain risk that's harder to detect.
• Noma proposes defenders stop trying to guarantee every MCP server is clean and instead govern what they can control: agent capability policies, execution boundaries, and observable tool surfaces.

Why it matters

• AI agents are being deployed with hundreds of high-risk tools without clear governance frameworks — the capability surface vastly outpaces security controls.
• The distinction between MCP servers (auditable code execution) and Skills (opaque reasoning-context injection) means defenders need different strategies for each mechanism.
• Real-world attack chains like ContextCrush and ForcedLeak show these aren't theoretical risks — they're being exploited now.

What to do

• Inventory and classify all MCP servers and Skills in your agent environment by risk capability.
• Apply agent capability governance: restrict which tool groups agents can access, rather than trying to audit every upstream package.
• Treat Skills as untrusted context — validate and sandbox instructions that enter the reasoning window from external sources.
• Pin MCP server versions instead of using @latest to reduce supply-chain exposure.

Links

• Help Net Security — Noma Security analysis
• Noma Security whitepaper
• OWASP Top 10 for LLMs (LLM06)