Reality Check

⚡ MCP Isn't USB-C for APIs (Yet)

MCP is great plumbing, not a magic wand. Treating it like "USB-C for APIs" confuses connectivity with capability.

Ofer Avnery By Ofer Avnery
@
Real Wave
· August 19, 2025
MCP Real Wave Agent Security
MCP USB-C metaphor visualization

The Myth I Keep Hearing

Somewhere between a keynote and a LinkedIn carousel, the message morphed into: "Expose everything through MCP and your agent just… works." Like USB-C: plug-and-play.

Even Anthropic's own docs use the USB-C metaphor. It's a useful mental model for the plug. It's a terrible one for the driver stack. USB-C only "works" because the OS still has drivers, permissions, and policies. MCP is the socket. You still owe the system.

For Agency & Marketing Teams
Think of MCP like a universal charging port. Sure, any device can plug in, but your phone still needs the right software to charge safely. Same with AI agents—the connection is standardized, but you still need the "software" (business rules, safety checks) to make it work reliably.

References: Anthropic MCP docs · MCP getting started · Anthropic MCP announcement

So… Is MCP "Fake"?

No. The hype is. MCP is a solid port that reduces wiring. But the "plug-and-play agent" narrative sets business users up to skip the engineering—then blame the protocol when reality bites.

A more honest message: MCP lowers integration cost; it does not eliminate system design. You still need semantics, safety, and strategy.

What MCP Actually Standardizes (and What It Doesn't)

MCP gives you a consistent way to discover tools, invoke them, and pass messages between clients/servers. That's valuable! But MCP does not decide:

What MCP handles
  • Tool discovery & invocation
  • Message passing protocol
  • Standard transport layer
  • Client-server communication
What you still need to build
  • Which overlapping tools the agent should pick
  • How to fill constrained parameters (enums, cross-field rules, long JSON payloads)
  • How to sequence multi-step calls or recover from partial failures
  • How to enforce least-privilege and blast-radius limits for dangerous actions

Even Microsoft's Windows rollout treats MCP as one layer in a security-first architecture (proxy mediation, tool-level authorization, isolation, and a curated server registry). If MCP were "plug-and-play," none of that would be necessary.

Business Translation
Microsoft spent months building security layers around MCP before releasing it. If the biggest tech company in the world needed that much infrastructure, your agency probably does too. Plan for integration work, not just "connecting APIs."

References: Microsoft MCP security · Windows AI development

The Uncomfortable Truth: Tool Use Is Still Brittle

If the "USB-C for APIs" story were enough, we'd see near-perfect function calls. We don't.

The evidence is clear
  • Endpoint selection & argument errors are the top failure mode. The Gorilla work shows models routinely hallucinate endpoints or mangle parameters unless you add retrieval/finetuning and strict evaluators.
  • Benchmarks confirm reality is messy. ToolScan, BFCL, and ComplexFuncBench all find high rates of value/format errors, mis-routing, and constraint failures—exactly the issues business users assume "the protocol" solved.
  • "Agents can use computers" ≠ production reliability. OpenAI's own page cites a 38.1% success rate on OSWorld for its computer-using agent (with test-time scaling). Analyses of WebArena show improvement over time, but "~60% on curated stacks" still isn't five-nines reliability.

References: Gorilla hallucination analysis · ToolScan paper · OpenAI computer agent · WebArena benchmark

For Developers
TL;DR: MCP is solid transport layer plumbing, not magic. You still need tool routing, parameter validation, security policies, and error handling. It's the socket—you build the driver stack.
For Business Teams
Bottom Line: MCP makes connecting tools easier, but doesn't auto-solve safety or reliability. Budget for proper system design, not just "plug everything in." Think infrastructure, not magic wand.

"Access" Without Design Is a Liability

When you give an agent a buffet of endpoints, three predictable failures show up:

1. Over-permissioning

OWASP's LLM Top-10 calls out insecure plugin design and prompt injection. MCP doesn't neutralize that—architecture does.

2. Ambiguity

Multiple tools claim the same capability with different shapes. The model picks poorly or "shotguns" calls. BFCL/ToolScan were built to measure exactly this class of errors.

3. Parameter hazards

Real APIs have enums, idempotency, and cross-field constraints. ComplexFuncBench shows the error rates spike when parameter values must be reasoned about, not just copied.

And that's before indirect prompt injection—malicious instructions hiding in web pages, emails, or files that your agent ingests, then forwards straight through your shiny MCP pipe to a sensitive tool. Recent papers show many defenses can be bypassed with adaptive attacks (>50% success in tests).

Risk Management Reality
Imagine a client's email containing hidden instructions that trick your AI into deleting their CRM data or posting to their social media. This isn't sci-fi—it's happening now. MCP makes connections easier, but also makes these attacks more dangerous if you don't plan for them.

References: OWASP LLM Top-10 · Indirect prompt injection overview

The USB-C Metaphor Breaks at the Driver Layer

USB-C works because the OS handles drivers, permissions, and policies. With agents, you still need:

A curated, least-privilege tool surface

Deny-by-default, per-capability scopes, auditable consent. Windows' MCP proxy/registry model is a good reference.

A tool-selection router

RAG over your tool docs and a router model beat "let the LLM guess." Gorilla's retrieval-augmented approach is the canonical starting point.

Hard schemas & contract tests

Typed parameters, constraints, golden examples, and failing fast on invalid payloads. Use ToolScan/BFCL-style diagnostics to see what's actually breaking.

Runtime guardrails

Dry-run/preview, reversible operations, and "damage confinement." GoEX formalizes undo + blast-radius limits. That's systems engineering, not protocol sugar.

Evals that reflect your reality

Reliability, time-to-result, safe-fail behavior—measured on your tasks. WABER focuses on reliability/efficiency for web agents; similar practice should exist for your domain.

How to Use MCP Without Setting Yourself Up to Fail

1. Start narrow

One domain, well-defined success metrics, and an eval harness (reliability, TTR, safe-fail).

2. Design real contracts

Types, enums, cross-field constraints, idempotency keys, and golden payloads. Auto-generate validators and reject fuzzy inputs fast.

3. Add a router

Few-shot policy + embeddings over your tool catalog. Disallow unrecognized capabilities.

4. Wrap high-risk actions

Dry-run, preview diffs, reversibility, and human-in-the-loop for money-moving or prod-mutating steps.

5. Assume prompt injection

Sanitize, isolate, and scope tokens. Map your surface to OWASP LLM risks and test it.

6. Communicate expectations

MCP reduces wiring work. It does not auto-solve tool ambiguity, parameter validity, or enterprise safety.

Further Reading (Good, Sober Sources)

MCP Documentation & Intro
Microsoft's MCP Security Model
Tool-use Brittleness & Benchmarks
Security Realities

Bottom Line

MCP is the port. Your job is the drivers, the policies, and the tests. Ship that—then the metaphor will finally fit.

Get Help Building It Right Read the MCP Docs