MCP is a great idea implemented poorly.
I shouldn’t have to decide between giving a model access to everything I can access, or nothing.
Models should be treated like interns; they are eager and operate in good faith, but they can be fooled, and they can be wrong. MCP says every model is a sysadmin, or at least has the same privileges as the person who hires them. That’s a really bad idea.
But you don't have to give it everything or nothing. You can just scope the token you give the MCP to the things you want it to access.
Even in this instance if they just gave the MCP a token that only had access to this repo (an entirely possible thing to do) it wouldn't have been able to do what it did.