Model Context Protocol (MCP) servers are typically fairly simple services. They accept calls over STDIO or HTTP, and then execute code based on the incoming call. In the case of the CloudBees MCP server, the server connects to backend services (the CloudBees platform) and executes those API calls on your behalf. It has no access to local files or networks. While most of the risk lies in the user’s agent, there are still a few best practices that you can implement to secure your data.
Risks associated with using agents
The agent (for example, Goose, Visual Studio Code, and Cline) is the source of most risk in the agentic client world.
Agents are able to:
- Access MCP server configurations (required to launch the servers)
- Launch MCP servers
- Send data to the LLM (for example, OpenAI)
- Retrieve execution commands from the LLM (for example, OpenAI)
Therefore, you should use care when selecting your agent, and follow the installation instructions so that you understand the specific risks that come with each mode of configuration.
Enable, disable, and configure tools
You can use CloudBees MCP toolsets to enable, disable, and configure the tools offered by the CloudBees MCP server. For example, issue the following command to enable all tools in read-only mode:
$ cloudbees-mcp stdio --toolsets all=r
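Because the agent reads the MCP server configuration to launch the server, that configuration file is a good place to check whether the read-only toolset setting is actually in effect. The following audit script is an added example, not CloudBees code: it assumes the common `mcpServers` JSON layout used by several agents (a map of server name to `command`, `args`, and `env`), which is not described on this page, and it treats `--toolsets all=r` (the invocation shown above) as the expected read-only setting. The server names, env variable name, and config contents below are constructed sample data.

```python
"""Audit an MCP client configuration for CloudBees MCP server entries.

Added example (not part of the CloudBees documentation). Assumptions:
  * the agent config uses the widely used ``mcpServers`` JSON layout
    (server name -> {"command", "args", "env"});
  * ``cloudbees-mcp stdio --toolsets all=r`` is the read-only invocation,
    as shown on the page; any other --toolsets value is flagged for review.
"""
import json

# From the page: enable all tools in read-only mode.
READ_ONLY_SPEC = "all=r"

# Heuristic substrings suggesting a credential stored in the agent config.
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY")


def toolsets_arg(args):
    """Return the value passed to --toolsets, or None if it is absent.

    Accepts both ``--toolsets all=r`` and ``--toolsets=all=r`` (the second
    form is an assumption, not documented on the page).
    """
    for i, arg in enumerate(args):
        if arg == "--toolsets" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--toolsets="):
            return arg.split("=", 1)[1]
    return None


def audit_server(name, entry):
    """Return a list of (server name, finding) tuples for one config entry."""
    findings = []
    command = entry.get("command", "")
    args = list(entry.get("args", []))

    # Only CloudBees MCP launches are audited; the substring check also
    # catches Docker-wrapped launches where the binary name sits in args.
    if not any("cloudbees-mcp" in token for token in [command] + args):
        return findings

    spec = toolsets_arg(args)
    if spec is None:
        findings.append((name, "no --toolsets restriction given; review which tools are enabled"))
    elif spec != READ_ONLY_SPEC:
        findings.append((name, f"toolsets '{spec}' is not the read-only setting '{READ_ONLY_SPEC}'; review"))

    # Credentials written into the agent config are readable by the agent
    # and anything else with access to that file; flag plaintext values.
    for key, value in entry.get("env", {}).items():
        looks_secret = any(hint in key.upper() for hint in SECRET_HINTS)
        # ``${...}`` is treated as a reference the agent resolves at launch.
        if looks_secret and value and not value.startswith("${"):
            findings.append((name, f"secret-looking env var {key} stored in plaintext in agent config"))
    return findings


def audit_config(text):
    """Parse an agent config document and audit every server entry."""
    config = json.loads(text)
    results = []
    for name, entry in config.get("mcpServers", {}).items():
        results.extend(audit_server(name, entry))
    return results


# Constructed sample config: one read-only entry, one that needs review,
# and one unrelated server that is skipped.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "cloudbees-readonly": {
      "command": "cloudbees-mcp",
      "args": ["stdio", "--toolsets", "all=r"]
    },
    "cloudbees-full": {
      "command": "cloudbees-mcp",
      "args": ["stdio"],
      "env": {"EXAMPLE_TOKEN": "plaintext-token-value"}
    },
    "other-server": {"command": "some-other-mcp", "args": []}
  }
}
"""

if __name__ == "__main__":
    for server, finding in audit_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

Run it against your agent's actual configuration file instead of `SAMPLE_CONFIG` to confirm that every CloudBees entry carries the toolset restriction you intended; the env-var check is a heuristic and will not catch every way a credential can end up in the file.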
Use the Docker image to install and protect your agent
While the CloudBees MCP server only communicates with the CloudBees platform, you can use the Docker image installation to help isolate the server from your agent’s environment. Refer to Install CloudBees MCP for more information.