Claude Code Finding 1: Silent Command Execution via .mcp.json Trust Model

Introduction

This post documents the first finding from my security research into Claude Code’s MCP (Model Context Protocol) trust model. The research demonstrates that after a user grants initial trust to an MCP server, subsequent modifications to .mcp.json execute silently on the next Claude Code launch with no re-validation, no re-prompting, and no user visibility. This was reported to Anthropic via HackerOne and closed as Informative (by-design behavior per their workspace trust model). ...

March 12, 2026 · 3 min

Claude Code Finding 2: MCP Blanket Trust Escalation via enableAllProjectMcpServers

Introduction

This is the second finding from my Claude Code security research. It examines the enableAllProjectMcpServers flag, set when a user selects “Use this and all future MCP servers in this project” in the MCP trust dialog. This option grants permanent, irrevocable trust to any MCP server definition added to the project’s .mcp.json in the future, with no mechanism to review, audit, or revoke trust for individual servers after the fact. ...

March 12, 2026 · 3 min