Model Context Protocol (MCP) servers are typically fairly simple services: they accept calls over STDIO or HTTP and execute code in response to each incoming call. The CloudBees MCP Server connects to backend services (CloudBees platform) and executes the corresponding API calls; it does not itself access local files or networks. While most of the risk lies in the user’s agent, there are still a few best practices you can follow to secure your data.
Risks associated with using agents
The agent (for example, Goose, Visual Studio Code, and Cline) is the source of most risk in the agentic client world.
Agents are able to:
- Access MCP server configurations (required to launch the servers)
- Launch MCP servers
- Read data sent to and received from MCP servers
- Send data to the LLM (for example, OpenAI)
- Retrieve execution commands from the LLM (for example, OpenAI)
Specifically, when you use the CloudBees MCP Server, your agent has the same level of access to CloudBees platform as the user who created the CloudBees platform API token used to launch the CloudBees MCP Server. Any data your agent exchanges with CloudBees platform may be sent to any LLM available to the agent.
Use care when you select your agent, and follow the installation instructions to ensure that your agent is trustworthy and that you understand the specific risks of each configuration mode.
Enable, disable, and configure tools
You can use CloudBees MCP Server toolsets to enable, disable, and configure the tools offered by the CloudBees MCP Server. For example, issue the following command to enable all tools in read-only mode:
$ cloudbees-mcp stdio --toolsets all=r
Any user who can access the CloudBees MCP Server (directly or through a preconfigured agent) can use the tools you enable, with the same permissions as the creator of the CloudBees platform API token used to launch the CloudBees MCP Server.
Use the Docker image to install and protect your agent
While the CloudBees MCP Server communicates only with the CloudBees platform, you can use the Docker image install to help isolate and protect your agent’s environment. Refer to Install CloudBees MCP Server for more information.
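As an added example (not part of the CloudBees documentation and not the CloudBees MCP Server's own code), the following Python script audits the server entries in an agent's MCP configuration file for the points made in the two sections above: whether a CloudBees server is launched with every toolset in read-only mode (`--toolsets all=r`), whether the API token is passed on the command line (where any local user can read it from the process list) instead of through the environment, and whether a Docker launch mounts host paths into a container that does not need local file access. The `mcpServers` JSON layout is the shape several agents use for their configuration; the environment variable name `CLOUDBEES_API_TOKEN`, the `--token` flag, the image name, the `all=rw` mode value and the comma-separated `name=mode` reading of the `--toolsets` argument are assumptions made for this example, as is the constructed sample configuration.

```python
import json
import re

# Constructed sample of an agent's MCP configuration; not a real file and
# not CloudBees' documented configuration. The env var name, the --token
# flag, the image name and the "rw" mode value are assumptions.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "cloudbees-readonly": {
            "command": "cloudbees-mcp",
            "args": ["stdio", "--toolsets", "all=r"],
            "env": {"CLOUDBEES_API_TOKEN": "${CLOUDBEES_API_TOKEN}"},
        },
        "cloudbees-rw": {
            "command": "cloudbees-mcp",
            "args": ["stdio", "--toolsets", "all=rw",
                     "--token", "cbp_EXAMPLE_NOT_A_REAL_TOKEN"],
        },
        "cloudbees-docker": {
            "command": "docker",
            # "-e NAME" with no value forwards the host's variable; "-v" mounts a host path.
            "args": ["run", "-i", "--rm", "-e", "CLOUDBEES_API_TOKEN",
                     "-v", "/home/me:/data",
                     "example.invalid/cloudbees-mcp:latest",
                     "stdio", "--toolsets", "all=r"],
        },
        "other-server": {"command": "npx", "args": ["-y", "some-other-mcp"]},
    }
})

# Flag names that usually carry a credential (assumed naming convention).
CREDENTIAL_FLAG_RE = re.compile(r"^-{1,2}[\w-]*(token|secret|api[-_]?key)", re.IGNORECASE)
MOUNT_FLAGS = ("-v", "--volume", "--mount")


def toolset_modes(args):
    """Parse '--toolsets name=mode[,name=mode...]' (or '--toolsets=...').

    'all=r' is the documented read-only form; the comma-separated
    name=mode grammar is an assumption. Returns None if the flag is absent.
    """
    for i, arg in enumerate(args):
        if arg == "--toolsets" and i + 1 < len(args):
            spec = args[i + 1]
        elif arg.startswith("--toolsets="):
            spec = arg.split("=", 1)[1]
        else:
            continue
        return dict(p.split("=", 1) for p in spec.split(",") if "=" in p)
    return None


def audit_server(name, entry):
    """Return a list of findings for one mcpServers entry."""
    findings = []
    command = entry.get("command", "")
    args = list(entry.get("args", []))
    blob = " ".join([command, *args]).lower()

    if "cloudbees" in blob:
        modes = toolset_modes(args)
        if modes is None:
            findings.append(f"{name}: no --toolsets flag; add '--toolsets all=r' "
                            "unless write access is required")
        else:
            for toolset, mode in modes.items():
                if mode != "r":
                    findings.append(f"{name}: toolset '{toolset}' is not "
                                    f"read-only (mode '{mode}')")

    # A credential in args is visible to every local user in the process list.
    for arg in args:
        if CREDENTIAL_FLAG_RE.match(arg):
            findings.append(f"{name}: credential passed on the command line via "
                            f"{arg.split('=', 1)[0]!r}; pass it through 'env' instead")

    # Host mounts give the container (and so the agent's tools) local file access.
    if command == "docker":
        for arg in args:
            if arg in MOUNT_FLAGS or arg.startswith(("-v=", "--volume=", "--mount=")):
                findings.append(f"{name}: container mounts host paths ({arg}); "
                                "the server does not need local files")
    return findings


def audit_config(text):
    """Audit every server in an MCP client config; returns {server: [findings]}."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_server(name, entry) for name, entry in servers.items()}


if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(server, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against your own agent's configuration by replacing `SAMPLE_CONFIG` with the file's contents. The read-only check is deliberately strict: a toolset is reported unless its mode is exactly `r`, so any entry that widens access past the documented `all=r` form shows up for review.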