Commentary: Anthropic donates MCP – with questionable backdoors
The Linux Foundation receives MCP from Anthropic as a generous gift. However, the donation is not entirely selfless, as it contains a catch.
Fear the Danaans, even when they bring gifts! So it is said in Virgil and in Asterix, referring to the Achaeans before Troy and their wooden horse stuffed with heroes. Now Anthropic is giving away the Model Context Protocol (MCP), specifically to the Linux Foundation, or more precisely to the subsidiary it has newly founded for this purpose, the Agentic AI Foundation (AAIF).
The gift is certainly not a Trojan horse, but it is not as selfless as Anthropic's announcement and the jubilant reception from the Foundation would like to convey. Rather, Anthropic is thus absolving itself of responsibility for the neglected security of servers and clients in the protocol.
A search for clues
In addition to Anthropic, Block and OpenAI also showed generosity, handing over the goose framework and the AGENTS.md specification, respectively, to the AAIF. The suspicion quickly arose online that the companies want to establish their respective products as standards in order to get ahead of the competition. "Even if it looks generous, look twice. It's more about staking a claim before others do," writes Nerd.xyz. This may be true in Block's case, but certainly not for Anthropic with MCP: MCP is already a de facto standard, with no competition in sight.
MCP has always been open source, and the community has contributed. Anthropic's announcement also emphasizes this: "The project maintainers will continue to prioritize community input and transparent decision-making." There is no mention anywhere of replacing the previous company-affiliated project managers.
The Foundation offers protection from legal prosecution
Why do companies give software to a foundation like the Linux Foundation? The laudatory blog post from GitHub celebrating the MCP donation provides an answer:
1. Long-term stability: Companies and developers can rely on the software to exist permanently under the foundation's umbrella.
2. Equal participation: Open access to the project is guaranteed for everyone.
3. Compatibility guarantee: The platform can be used for all systems and users.
4. The security of an open standard: neutral governance in regulatory times as a secure basis for projects in companies.
If we consider points 1 to 3 in relation to the MCP donation, they quickly become irrelevant as reasons. A widely used standard, adopted by the Googles and Microsofts of the world, will find a maintainer for as long as it is relevant. As an open-source project, participation is not a problem, and compatibility also plays a minor role for an open protocol.
Neutral governance remains the only argument: With the donation, Anthropic is shirking the responsibility that would otherwise fall on it as the operator of MCP, especially under European regulation. This is not unfounded: other companies have acted similarly, and it is known among experts that MCP is an entry point for the entire contents of the digital Pandora's box.
In an interview with heise developer, Mirko Ross, founder and CEO of the security company asvin, says: "MCP was conceived in a heated market under high time pressure. The concept of MVP – Minimum Viable Product – plays a role here. That is, the rapid introduction of basic functions that are accepted by users. From a cybersecurity perspective, however, MVP means 'Most vulnerability possibilities'."
The triumphant advance of MCP on the one hand and its neglected security on the other justify this assumption. And now that the standard has been set by Anthropic, the company can grandly withdraw.
Operating software projects under the umbrella of a foundation is not a bad thing in itself. On the contrary, the AI world can now hope that the community will quickly and responsibly increase MCP's security. Otherwise, autonomous agents that independently search for and tap into MCP servers will bring hidden aggressors behind the firewall, opening all security gates to the enemy.
(who)