MCP prompts become attack surface

- Supabase published an example where a support ticket's text could trick an AI client into running dangerous database queries.
- The docs stress that most Model Context Protocol (MCP) clients need manual approval per tool call to avoid unsafe actions.
- That means authorization, per-tool approval semantics, and auditable trails must sit inside prompt and tool design rather than outside it.

Model Context Protocol, or MCP, is the plumbing that lets an AI app call outside tools — and Supabase’s own docs now show how a plain-text support ticket can turn that plumbing into an attack path. (supabase.com) Supabase’s example says a support worker or developer with broad permissions could ask an MCP client such as Cursor to read a ticket through Supabase MCP, and the ticket’s injected instructions could then push the client to run “bad queries” that expose sensitive data. (supabase.com)

Supabase’s MCP server is built to let AI tools “launch databases, manage tables, fetch config, and query data” on a user’s behalf, which means the model is not just reading text; it can reach live systems through tool calls. (supabase.com) The Model Context Protocol specification defines those tools as callable actions exposed by a server, with names and schemas that let language models query databases, call application programming interfaces, or run computations. (modelcontextprotocol.io) That shifts the security problem from “can the model answer safely?” to “who approves each action, with what scope, and under whose identity?”

Supabase’s docs say most MCP clients require manual approval for every tool call by default, precisely because a prompt can steer the model toward unsafe actions. (supabase.com, modelcontextprotocol.io) The same Supabase guide says users log in through a browser and grant organization access to the MCP client, and it adds that finer-grained permission controls are planned for the future. (supabase.com) The protocol’s own client docs say hosts can allow auto-approval for trusted operations or require approval for everything, which leaves a major security decision in the hands of each client product rather than in the protocol alone. (modelcontextprotocol.io)

Supabase’s self-hosting guide is even blunter: its self-hosted MCP server does not currently offer OAuth 2.1 authentication and “is not intended to be exposed to the Internet,” with access meant to stay behind internal network controls. (supabase.com) That puts pressure on prompt design and tool design to carry controls that older software stacks often handled elsewhere: narrow tool scopes, explicit approvals, and logs that show which prompt led to which action. Supabase’s example reads less like a corner case than a warning label for any AI client wired into production systems. (supabase.com)
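The controls the article names (narrow tool scopes, explicit per-call approval, and a log tying each action back to the prompt that triggered it) can be enforced in a small policy layer sitting between the MCP client and the tools. This is an added example, not Supabase's or the MCP project's code; the tool names, the approval modes and the tickets/faq read scope are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Per-tool approval modes. These tool names and modes are constructed for
# this example; they are not Supabase's real MCP tool names or policy.
#   auto   = safe to run without a human in the loop
#   manual = a human must approve each call (the MCP clients' default)
#   never  = not exposed to chat-driven sessions at all
TOOL_POLICY = {
    "list_tables": "auto",
    "execute_sql": "manual",        # can read or write anything
    "get_project_config": "never",  # may return keys and secrets
}
# One SELECT statement and nothing after a semicolon; all else is a write.
READ_ONLY = re.compile(r"^\s*select\b[^;]*;?\s*$", re.IGNORECASE)
READ_SCOPE = {"tickets", "faq"}  # tables a support session may read unattended (assumed)


@dataclass
class AuditEntry:
    prompt_id: str   # which prompt/ticket led to this call
    actor: str       # whose identity the client is acting under
    tool: str
    args: dict
    decision: str


@dataclass
class Gateway:
    audit: list = field(default_factory=list)

    def decide(self, tool, args, approved_by):
        mode = TOOL_POLICY.get(tool, "never")   # unknown tools are denied
        if mode == "never":
            return "deny:tool_not_exposed"
        if mode == "auto":
            return "allow:auto"
        # "manual" tools: a narrow read inside the allowed scope may run
        # unattended; every other call needs a named human approver.
        query = args.get("query", "")
        tables = {t.lower() for t in re.findall(r"\bfrom\s+(\w+)", query, re.IGNORECASE)}
        if READ_ONLY.match(query) and tables and tables <= READ_SCOPE:
            return "allow:scoped_read"
        if approved_by:
            return f"allow:approved_by={approved_by}"
        return "deny:needs_approval"

    def call(self, prompt_id, actor, tool, args, approved_by=None):
        # Record the decision before anything runs, then report allow/deny.
        decision = self.decide(tool, args, approved_by)
        self.audit.append(AuditEntry(prompt_id, actor, tool, dict(args), decision))
        return decision.startswith("allow")
```

The audit list gives the "which prompt led to which action" trail the article asks for: each entry names the ticket, the acting identity, the tool, its arguments and the decision, including who approved a write.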
