AI Agent MCP Servers Expose Enterprise Environments to Arbitrary Code Execution Risk
What Happened — A new Noma Security whitepaper reveals that roughly 25 % of Model‑Control‑Protocol (MCP) servers deployed in enterprises allow AI agents to execute arbitrary code, and many associated “Skills” contain high‑risk instructions that can manipulate data or system state.
Why It Matters for TPRM —
- Un‑observable AI‑driven actions can bypass traditional security controls, creating blind spots in third‑party risk assessments.
- Compromise of a single MCP server or Skill can cascade to data exfiltration, credential theft, or destructive actions across the supply chain.
- Vendors offering AI‑agent platforms may be under‑securing the execution layer, increasing exposure for all downstream customers.
Who Is Affected — Technology SaaS providers, cloud‑hosted AI platform vendors, API providers, and any organization that integrates AI agents (e.g., development tools, customer‑support bots, internal automation).
Recommended Actions —
- Audit all third‑party AI‑agent integrations for MCP server usage and Skill deployment.
- Enforce strict version‑pinning on MCP packages; avoid “@latest” auto‑updates.
- Deploy runtime monitoring that can trace state‑changing actions back to originating Skills or MCP calls.
- Require vendors to provide attestations of code‑execution safeguards and observable logging.
Technical Notes — The risk stems from two extension mechanisms: (1) MCP servers expose deterministic functions that can be invoked with arbitrary parameters, and (2) “Skills” load textual instruction sets into the model’s reasoning context, where execution cannot be enumerated. High‑risk capabilities include untrusted input handling, external communication, and privileged data access, often combined in “ContextCrush”‑type attack patterns that leak source code or credentials. Source: https://www.helpnetsecurity.com/2026/05/05/ai-agent-security-skills-blind-spots/