A practical guide to running MCP servers without trusting them. Works with Claude Code and Claude Desktop, no fork required.

## The MCP Install Path Is an Arbitrary-Code-Execution Invitation

Every guide tells you the same thing. Open your Claude config, drop in this one-liner:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["@modelcontextprotocol/server-filesystem", "/Users/me"]
    }
  }
}
```

That's the whole security boundary. `npx` resolves a package name against npm — whatever version is up right this second — and runs it with your user, your shell, your tokens, and read/write on `/Users/me`. Every time the agent calls a tool.

The last twelve months made it clear how bad a default that is.

**postmark-mcp BCC backdoor (Sept 2025).** An attacker mirrored the legitimate Postmark MCP server on npm, built trust over several versions, then shipped a release that quietly BCC'd every email the agent sent to an attacker-controlled address. No zero-day.…
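The two hazards in that one-liner (a package spec resolved from the registry at call time, and a filesystem root covering a whole home directory) are easy to check for mechanically. The audit below is an added example, not code from the original post; it assumes the `mcpServers` JSON shape shown above, treats only an exact `name@x.y.z` spec as pinned, and the `1.2.3` version in the pinned sample is a constructed placeholder.

```python
"""Audit a Claude Desktop / Claude Code MCP config for run-time trust hazards:
npx entries whose package version is chosen by the registry at call time, and
filesystem servers rooted at an entire home directory."""
import json
import re

# Pinned means an exact release version: name@1.2.3 (scoped names begin with '@').
_EXACT_VERSION = re.compile(r"^(@[^/@]+/)?[^@]+@\d+\.\d+\.\d+$")
# Positional args that hand the server a whole home directory.
_HOME_ROOT = re.compile(r"(/Users/[^/]+|/home/[^/]+|~)/?")

# Constructed samples: the config from the post, and a hardened variant with a
# placeholder pinned version and a narrower root (not a real release number).
WEAK_CONFIG = json.loads('{"mcpServers": {"filesystem": {"command": "npx", '
                         '"args": ["@modelcontextprotocol/server-filesystem", "/Users/me"]}}}')
PINNED_CONFIG = json.loads('{"mcpServers": {"filesystem": {"command": "npx", '
                           '"args": ["-y", "@modelcontextprotocol/server-filesystem@1.2.3", '
                           '"/Users/me/projects/demo"]}}}')


def _package_spec(args):
    """First npx argument that is not a flag such as -y; that is the package spec."""
    return next((a for a in args if not a.startswith("-")), None)


def audit_mcp_config(config):
    """Return (server_name, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        args = server.get("args", [])
        if server.get("command") == "npx":
            spec = _package_spec(args)
            if spec is None or not _EXACT_VERSION.match(spec):
                findings.append((name, f"npx spec {spec!r} is unpinned; npm picks "
                                       "the version on every tool call"))
        for a in args:
            if _HOME_ROOT.fullmatch(a):
                findings.append((name, f"root {a!r} exposes the whole home directory"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("pinned", PINNED_CONFIG)):
        print(label, audit_mcp_config(cfg) or "no findings")
```

Pinning only fixes the resolve-at-call-time problem; a pinned version that is itself malicious (as in the postmark-mcp case) still needs the sandboxing the rest of the post is about.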