More

monkpit · 2026-03-24T21:06:53 1774386413

I think they’re saying you could start up the mcp and pass it creds/auth for some downstream service, and then the LLM uses the tool and has auth but doesn’t know the creds.

simonw · 2026-03-24T21:45:00 1774388700

Right. If you're running a CLI tool that is authenticated there's effectively no way to prevent the coding agent from accessing those credentials itself - they're visible to the process, which means they're visible to the agent.

With MCP you can at least set things up such that the agent can't access the raw credentials directly.

dcherman · 2026-03-25T14:21:06 1774448466

How so? Let's use a common CLI tool as an example - kubectl. Config is generally stored in ~/.kube in a variety of config files. Running `kubectl config view` already redacts the auth information from the config. LLMs could invoke `kubectl` commands without having knowledge of how it's authenticated.

simonw · 2026-03-25T14:40:39 1774449639

If the agent has permission to run kubectl config view what's to stop it from reading those config files directly?

dcherman · 2026-03-25T14:53:39 1774450419

The same permissions model that works for other tools. In Claude Code terms, allow Bash(kubectl:*). Deny Read(**/.kube/**). That allows kubectl access without allowing the tool to read ~/.kube directly.

Your argument is the same for an MCP server - auth is stored somewhere on disk, what's to stop it from reading that file? The answer is the same as above.

simonw · 2026-03-25T16:17:31 1774455451

Would that stop Claude from executing this code:

  python -c '
  print(open("~/.kube/config.txt").read())
  '

The point I'm making here is that with an MCP you can disable shell access entirely, at which point the agent cannot read credential files that it's not meant to be able to access.

dcherman · 2026-03-25T16:28:29 1774456109

You can make the identical argument for the CLI tool. Allow kubectl, deny everything else.

simonw · 2026-03-25T17:28:06 1774459686

I don't understand.

My argument here is that one of the reasons to use MCP is that it allows you to build smaller agents that do not have a full code execution environment, and those agents can then use MCPs to make calls to external services without revealing those credentials to the agent.

I think we both agree that if your agent has full Bash access it can access credentials.

dcherman · 2026-03-25T18:03:06 1774461786

I think the gist of what we're debating is principle of least privilege - give the LLM the fewest privileges needed to accomplish the task and no more, that way you avoid issues like leaking credentials.

The approach you're proposing is that with a well designed MCP server, you can limit the permissions for your agent to only interacting with that MCP server, essentially limiting what it can do.

My argument is that you can accomplish the identical thing with an agent by limiting access to only invoking a specific CLI tool, and nothing more.

Both of our approaches accomplish the same thing. I'm just arguing that an MCP server is not required to accomplish it.

simonw · 2026-03-25T21:55:40 1774475740

If you're "limiting access to only invoking a specific CLI tool" then yeah, that's functionally equivalent to an MCP server. Most of the work I do with tools avoids MCPs entirely because you don't need them to hook up tools using raw JSON calls to LLMs or the official provider libraries.

But... if you're going all-in on the Bash/Python/arbitrary-programming-language environments that are necessary to get Skills to work, you're going to find yourself in a position where the agent can probably read config files that you don't want it to see.

steve-atx-7600 · 2026-03-25T13:22:37 1774444957

Also, you can set permissions to allow and disallow specific mcp server tool calls. With a skill you’d have to do something in the shell environment to block unwanted behaviors with auth or other means in a way that isn’t declarative.

zbentley · 2026-03-24T21:46:39 1774388799

This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil.

(Moved from wrong sub)

JambalayaJimbo · 2026-03-24T21:55:05 1774389305

The MCP implementation is itself an agent right? Is that not just pushing the problem somewhere else?

Also, I run programs on my machine with a different privilege level than myself all the time. Why can’t an agent do that?

conception · 2026-03-24T22:20:21 1774390821

No, mcp just is a server that returns prompts to the llm. The server can be/do whatever. You can have an echo mcp that list echoes back whatever you send it.

simonw · 2026-03-24T22:10:10 1774390210

I define the agent as the harness that runs the LLM in a loop calling tools. The MCI implementation is one of those tools. I wouldn't call an MCP implementation an agent.

gavmor · 2026-03-25T15:06:15 1774451175

Typically, no; an MCP is a deterministic program with SSE protocols.

staticassertion · 2026-03-25T00:39:59 1774399199

Oh. Yeah, that's neat at least. I don't think it's a big deal but that's nice enough.

monkpit · 2026-03-20T05:14:17 1773983657

Isn’t the last point the case with every AI startup? Nobody has a moat and it’s tough to build one because the playing field is so level.

_heimdall · 2026-03-20T11:47:30 1774007250

I've been confused by this with many LLM products in general. Sometimes infrastructure is part of it so there's that, but often it seems like the product is a magic incantation of markdown files.

ashgam · 2026-03-20T18:57:10 1774033030

Solving for infrastructure is a huge part of the problem too. Curious to know what you think about it?

_heimdall · 2026-03-20T19:15:54 1774034154

Here I'm mostly considering the seemingly countless services that are little more than some markdown files and their own API passing data to/from the LLM procider's API.

By no means is that every AI product today, and I wasn't saying the OP QA service falls into that bucket though.

More of a general comment related to the GP, maybe too off topic here though?

monkpit · 2026-03-20T04:19:05 1773980345

The pelxiglas is cheaper than taking the system down…

monkpit · 2026-03-20T04:07:52 1773979672

(2017)

monkpit · 2026-03-18T22:49:20 1773874160

I want to be proven wrong, but every use case someone presents for OpenClaw is just a worse version of Claude Code, at least, so far.

monkpit · 2026-03-14T04:41:09 1773463269

The next line in the comment you’re responding to is

> Sometimes ideas are dumb, but checking and guiding step by step helps it ship working things in hours.

which matches my experience exactly. I consider it to be about as magical as the parent comment is claiming, but I wouldn’t call it totally automatic.

monkpit · 2026-03-04T05:29:37 1772602177

You’re absolutely right!

monkpit · 2026-03-03T04:05:52 1772510752

is this real life

anal_reactor · 2026-03-03T09:17:37 1772529457

is this just fanta sea

neilellis · 2026-03-03T18:02:58 1772560978

Caught in a landslide, no escape from reality

monkpit · 2026-03-03T03:02:12 1772506932

Be the change you want to see… it’s not like this being public changes much, anyone who wanted to exploit this could do it without this site

duskdozer · 2026-03-03T03:40:59 1772509259

Sure, someone could, if they thought to look and did look and compiled the same list. But this makes the work required to start a lot smaller.

JoBrad · 2026-03-03T04:49:03 1772513343

But putting all of them in a tidy list definitely changes the value.

monkpit · 2026-03-03T00:45:41 1772498741

For 99% of my use cases, Claude Code is the clear winner. So, when I tried to use OpenClaw to test it out, it just seemed like a worse, slower, less-capable version of Claude Code. And it is. I haven’t seen the use case where OpenClaw can really shine yet, but I’m sure it’s coming. Like others are saying, I’m willing to be convinced, but so far it hasn’t happened.

theshrike79 · 2026-03-03T10:14:04 1772532844

Ask it to do something in the future or something with a conditional, plain CC can't do that.

Like "message me when it is about to rain"