MCP connectors widen access, raise risk
- Verisk said on May 5 its insurance analytics now plug directly into Anthropic’s Claude through MCP connectors, turning specialized underwriting data into chat-accessible tools.
- The appeal is obvious: Supabase and others already use MCP to let assistants act on databases after authorization, while Snyk flagged critical issues in 13.4% of agent skills.
- MCP is becoming the standard pipe between models and enterprise systems, which makes governance better but also expands the attack surface.

Model Context Protocol connectors are starting to look like the USB-C of AI tools. They give assistants one standard way to reach outside the chat window and touch real systems — databases, analytics products, internal apps, even industry-specific data. That is the promise. The news is that Verisk, a major insurance data vendor, said on May 5 that its analytics now plug directly into Anthropic’s Claude through MCP connectors, bringing regulated insurance workflows into that standard pipe. (verisk.com)

### What is MCP, in plain English?

MCP is a common format for exposing tools and data to an AI assistant. Instead of every vendor building a custom integration for every model, the model can talk to an MCP server and discover what actions are available. Supabase’s docs spell out the basic idea pretty clearly: connect an assistant to an MCP server, authorize it, and the assistant can query or manage parts of your Supabase project on your behalf. (supabase.com)

### What changed in this case?

The concrete move here is Verisk bringing two insurance-focused connectors into Claude environments. The company said users can access products including Verisk Underwriting Intelligence and Verisk XactRestore conversationally inside Claude, with governance controls layered around that access. That matters because insurance data is not generic web search material — it is proprietary, regulated, and tied to real underwriting and claims decisions. (verisk.com)

### Why do companies want this so badly?

Because natural-language access is easier than making people learn ten dashboards and query languages. If an underwriter can ask Claude for loss-cost context or a restoration team can pull workflow guidance from XactRestore in chat, the software stops being a destination and becomes infrastructure. Basically, MCP turns “go open that system” into “ask for the answer here,” which is a huge usability jump. (verisk.com)

### Why is Supabase part of the story?

Because it shows this is not a one-off insurance stunt. Supabase is using the same protocol to let assistants connect to databases, auth, storage, and project tooling after setup and authorization. So the pattern is broader: MCP is becoming a standard integration layer across enterprise software, not just a feature inside one model vendor’s ecosystem. (supabase.com)

### Where does the risk come from?

The risk comes from the layer of instructions and permissions that sits between the model and the tool. If that layer is sloppy, over-privileged, or malicious, the assistant can become a very polite backdoor. A poisoned connector or skill does not need to exploit a classic software bug if the model is simply told to do the wrong thing and trusts the instructions. That is a different failure mode from normal app security — and a lot of teams are still catching up to it. (venturebeat.com)

### What did researchers actually find?

Snyk’s ToxicSkills work scanned 3,984 agent skills and found that 13.4% contained at least one critical security issue, with 76 confirmed malicious payloads across ClawHub and skills.sh. The OpenClaw-related warning is the sharper version of the same point: a repo can be turned into an agent backdoor through instruction files that existing scanners do not really classify or catch. (snyk.io)

### So is MCP the problem?

Not exactly. The protocol is just the pipe. But standard pipes make adoption easier, and easier adoption means more connectors, more permissions, and more places where weak governance can hide. The catch is that the same standardization that makes enterprise AI useful also makes the integration layer worth attacking. (supabase.com)

### What should en(snyk.io) chat add-ons.

Least-privilege access, explicit approval steps, audit logs, connector reviews, and isolation between read and write actions all matter here. If companies treat these tools like harmless convenience features, they will widen access faster than they widen control.
(verisk.com)

### Bottom line

MCP is making AI assistants genuinely useful inside real businesses. But the moment the assistant can reach trusted systems, the connector layer becomes part of the security perimeter. Verisk’s launch shows why companies want that future — and the OpenClaw research shows why they should be nervous getting there. (verisk.com)
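
The controls the article lists (least-privilege access, explicit approval steps, audit logs, isolation between read and write actions) can be enforced by a gate placed in front of MCP `tools/call` requests. This is an added example, not code from the article or from any vendor it mentions; the connector name, tool names, and the `gate_tool_call` and `call` helpers are hypothetical.

```python
import json
import time

# Hypothetical policy: connector and tool names are constructed for
# illustration and do not come from any real MCP server.
POLICY = {
    "analytics-connector": {
        "read": {"get_report", "search_records"},
        "write": {"update_record"},  # write tools always need human approval
    },
}
AUDIT_LOG = []  # assumption: in production this is an append-only external store


def gate_tool_call(connector, request, approver=None):
    """Decide whether an MCP tools/call JSON-RPC request may be forwarded."""
    params = request.get("params")
    if not isinstance(params, dict):
        params = {}
    name = params.get("name")
    tool = name if isinstance(name, str) else None  # reject malformed names
    policy = POLICY.get(connector)
    if request.get("method") != "tools/call":
        decision = (False, "not a tools/call request")
    elif policy is None:
        decision = (False, "connector not reviewed")
    elif tool in policy["read"]:
        decision = (True, "read tool on allowlist")
    elif tool in policy["write"]:
        # Read/write isolation: a write never passes on the model's say-so alone.
        approved = approver is not None and approver(connector, tool, params.get("arguments"))
        decision = (True, "write approved by human") if approved else (False, "write needs approval")
    else:
        decision = (False, "tool not on allowlist")  # default deny
    AUDIT_LOG.append({"ts": time.time(), "connector": connector, "tool": tool,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


def call(tool, **arguments):
    """Build a constructed sample tools/call request."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}


if __name__ == "__main__":
    for req in (call("get_report", id=7), call("update_record", id=7), call("drop_table")):
        print(req["params"]["name"], gate_tool_call("analytics-connector", req))
    print(json.dumps(AUDIT_LOG[-1], indent=2))
```

The allowlist lives on the client side of the connector, so a tool description or instruction file supplied by the server cannot widen it.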