Sure, but like, that's how everyone is using MCP. If your point is that MCP is either fundamentally a bad idea (or was at least fundamentally designed incorrectly) then I agree with you 100%--or if the argument is that a model either isn't smart enough (yet) or aligned enough (maybe ever) to be given access to anything you care about, I also would agree--but, the entire point of this tech is to give models access to private data and then the model is going to, fundamentally to accomplish any goal, see arbitrary text... this is just someone noting "look it isn't even hard to do this" as a reaction to all the people out there (and on here) who want to YOLO this stuff.
MCP is a great idea implemented poorly.
I shouldn’t have to decide between giving a model access to everything I can access, or nothing.
Models should be treated like interns; they are eager and operate in good faith, but they can be fooled, and they can be wrong. MCP says every model is a sysadmin, or at least has the same privileges as the person who hires them. That’s a really bad idea.
But you don't have to give it everything or nothing. You can just scope the token you give the MCP to the things you want it to access.
Even in this instance if they just gave the MCP a token that only had access to this repo (an entirely possible thing to do) it wouldn't have been able to do what it did.