<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Readers on Prskavec.Net</title><link>https://www.prskavec.net/reader/</link><description>Personal site of Ladislav Prskavec — Software Engineer &amp; Site Reliability Engineer in Prague. Writing, conference talks, an OnCall design guide, and the You Build It You Run It podcast.</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>ladislav@prskavec.net (Prskavec.Net)</managingEditor><webMaster>ladislav@prskavec.net (Prskavec.Net)</webMaster><copyright>&amp;copy; {year} Ladislav Prskavec</copyright><lastBuildDate>Wed, 27 May 2026 11:00:00 +0000</lastBuildDate><atom:link href="https://www.prskavec.net/reader/index.xml" rel="self" type="application/rss+xml"/><item><title>Under the Hood of AI</title><link>https://www.prskavec.net/reader/2026-05-27-webexpo/</link><pubDate>Wed, 27 May 2026 11:00:00 +0000</pubDate><author>ladislav@prskavec.net (Prskavec.Net)</author><guid>https://www.prskavec.net/reader/2026-05-27-webexpo/</guid><description>A reader-friendly write-up of my WebExpo Prague 2026 talk on building your own Model Context Protocol (MCP) server in Go: what MCP is, why it matters, how to design it well, and the security boundaries you need before letting an AI touch your production systems.</description><content:encoded>&lt;p&gt;&lt;em&gt;A reader-friendly write-up of my &lt;a href="https://www.webexpo.net/"&gt;WebExpo Prague 2026&lt;/a&gt; talk. Slides on &lt;a href="https://speakerdeck.com/abtris/webexpo-2026"&gt;Speaker Deck&lt;/a&gt; · Demo code on &lt;a href="https://github.com/abtris/mcp-server-example"&gt;GitHub&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;Everyone uses AI daily: ChatGPT, Copilot, Claude. But how many of us have &lt;em&gt;extended&lt;/em&gt; an AI model? Given it a new capability it didn&amp;rsquo;t have before? That&amp;rsquo;s what this talk is about: building your own MCP server.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m Ladislav Prskavec, Staff Engineer at &lt;a href="https://everpure.com"&gt;Everpure&lt;/a&gt;. I mostly work with Go, Kubernetes, and cloud (AWS, OCI, Azure). I organize the Prague Go Meetup and co-host the &lt;em&gt;You Build It, You Run It&lt;/em&gt; podcast.&lt;/p&gt;
&lt;p&gt;This isn&amp;rsquo;t only for infrastructure people. The concepts apply whether you write JavaScript, Python, Ruby, or anything. I chose Go because I think AI writes clean Go (and I&amp;rsquo;ll show you why), but you can follow along in your own language.&lt;/p&gt;
&lt;h2 id="ai-is-powerful-but-blind"&gt;AI Is Powerful but Blind&lt;/h2&gt;
&lt;p&gt;GPT-4, Claude, and Gemini can reason about almost anything. But they&amp;rsquo;re completely blind to &lt;em&gt;your&lt;/em&gt; world.&lt;/p&gt;
&lt;p&gt;They don&amp;rsquo;t know what&amp;rsquo;s in your database. They can&amp;rsquo;t check if your deploy went through. They can&amp;rsquo;t look at your error logs. They&amp;rsquo;re incredibly smart, but incredibly isolated.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;They can&amp;rsquo;t query your &lt;strong&gt;database&lt;/strong&gt;. Imagine asking AI &amp;ldquo;how many users signed up this week?&amp;rdquo; and it just knows.&lt;/li&gt;
&lt;li&gt;They can&amp;rsquo;t access your &lt;strong&gt;CMS or user data&lt;/strong&gt;. What if AI could search your docs, update a blog post, check content status?&lt;/li&gt;
&lt;li&gt;They can&amp;rsquo;t search your &lt;strong&gt;project documentation&lt;/strong&gt;. Every project has that one wiki page nobody can find; AI could find it instantly.&lt;/li&gt;
&lt;li&gt;They can&amp;rsquo;t call your &lt;strong&gt;internal APIs&lt;/strong&gt;: microservices, webhooks, admin endpoints. AI can&amp;rsquo;t touch any of them.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That gap between AI&amp;rsquo;s intelligence and your data is what we&amp;rsquo;re going to bridge.&lt;/p&gt;
&lt;h2 id="real-impact-35-faster-incident-response"&gt;Real Impact: 3.5× Faster Incident Response&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/grafana-impact.svg"
alt="Grafana AI-assisted incident response: 28 minutes for humans, 8 minutes with AI assist"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;This isn&amp;rsquo;t theoretical. In November 2025, Grafana Labs published a &lt;a href="https://grafana.com/blog/2025/11/17/a-tale-of-two-incident-responses-how-our-ai-assist-helped-us-find-the-cause-3-5x-faster/"&gt;case study&lt;/a&gt; where they connected AI to their observability stack.&lt;/p&gt;
&lt;p&gt;During an incident, the AI assistant found the root cause &lt;strong&gt;3.5× faster&lt;/strong&gt; than the human-only team. Not because the humans were slow, but because the AI could search across all their data simultaneously. Human engineers took 28 minutes. The AI assistant took 8.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s the ironic twist: the bug was caused by AI-generated code. A SQL query that an AI wrote passed code review, worked fine in staging, but caused an unbounded join in production. And AI-powered tools found it.&lt;/p&gt;
&lt;p&gt;Now imagine that for &lt;em&gt;your&lt;/em&gt; domain. AI that knows your schema, your business logic, your deployment history.&lt;/p&gt;
&lt;h2 id="mcp-the-model-context-protocol"&gt;MCP: The Model Context Protocol&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;MCP&lt;/strong&gt; stands for Model Context Protocol. It&amp;rsquo;s a standard originally created by Anthropic and now governed by the Linux Foundation. It defines how an AI client talks to external tools, using JSON-RPC over stdio or Server-Sent Events.&lt;/p&gt;
&lt;p&gt;You don&amp;rsquo;t need to care about the wire protocol. What matters is the framing:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;RAG taught LLMs to &lt;strong&gt;remember&lt;/strong&gt;. MCP teaches them to &lt;strong&gt;do&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If you know retrieval-augmented generation, think of MCP as the action counterpart. RAG is read; MCP is write.&lt;/p&gt;
&lt;h2 id="mcp--usb-for-ai"&gt;MCP = USB for AI&lt;/h2&gt;
&lt;p&gt;The best analogy I&amp;rsquo;ve heard: MCP is USB for AI.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Before MCP&lt;/th&gt;
&lt;th&gt;After MCP&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Custom integrations&lt;/td&gt;
&lt;td&gt;Standard protocol&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Fragile connections&lt;/td&gt;
&lt;td&gt;Secure, typed APIs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;One-off scripts&lt;/td&gt;
&lt;td&gt;Reusable servers&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Before MCP, every AI integration was custom. You&amp;rsquo;d hack together a function-calling wrapper, deal with auth, handle errors yourself. After MCP, there&amp;rsquo;s a standard protocol: you build a server once and it works with Claude, with VS Code, with any MCP-compatible client.&lt;/p&gt;
&lt;p&gt;Build once, use with any AI client.&lt;/p&gt;
&lt;h2 id="what-can-you-connect"&gt;What Can You Connect?&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Databases&lt;/strong&gt;: query Postgres, SQLite, MongoDB in natural language&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CMS&lt;/strong&gt;: search and update content&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deployments&lt;/strong&gt;: check status, trigger builds&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tests&lt;/strong&gt;: run and analyze test results&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Analytics&lt;/strong&gt;: pull metrics and dashboards&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Logs&lt;/strong&gt;: search across your stack&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If it has an API, you can connect it. That&amp;rsquo;s the beauty of MCP.&lt;/p&gt;
&lt;h2 id="the-architecture"&gt;The Architecture&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/mcp-architecture.svg"
alt="MCP architecture: AI Host talks to an MCP Server over JSON-RPC; the server talks to your tools (database, REST API, files, Kubernetes)"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;The architecture is dead simple. On one side, your AI host: Claude Desktop, VS Code, whatever MCP client you use. On the other side, your MCP server, a small program you write.&lt;/p&gt;
&lt;p&gt;They talk over JSON-RPC. The transport is usually stdio: your server reads from stdin and writes to stdout. Or SSE for remote servers.&lt;/p&gt;
&lt;p&gt;Your MCP server then talks to whatever you want: a database, a REST API, a file system, a Kubernetes cluster. That&amp;rsquo;s it. No complex middleware, no message queues. Just a small server that translates between AI and your tools.&lt;/p&gt;
&lt;h2 id="any-language-not-just-go"&gt;Any Language, Not Just Go&lt;/h2&gt;
&lt;p&gt;Before I dive into Go: you can build this in &lt;em&gt;any&lt;/em&gt; language.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;TypeScript&lt;/strong&gt;: official SDK from Anthropic, &lt;code&gt;@modelcontextprotocol/sdk&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Python&lt;/strong&gt;: &lt;code&gt;mcp&lt;/code&gt; package&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Go&lt;/strong&gt;: &lt;code&gt;mcp-go&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rust&lt;/strong&gt;, &lt;strong&gt;Java&lt;/strong&gt;, &lt;strong&gt;C#&lt;/strong&gt;, and more&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I chose Go for reasons I&amp;rsquo;ll explain next, but if you&amp;rsquo;re a TypeScript dev, you can follow the same patterns with the TS SDK. The protocol is the same.&lt;/p&gt;
&lt;h2 id="why-go"&gt;Why Go?&lt;/h2&gt;
&lt;p&gt;Four reasons, and the last one might surprise you.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Single binary.&lt;/strong&gt; &lt;code&gt;go build&lt;/code&gt; and you get one file. No &lt;code&gt;node_modules&lt;/code&gt;, no virtual environments. Copy it anywhere, it runs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fast startup.&lt;/strong&gt; MCP servers launch per-session. Sub-millisecond startup means your AI doesn&amp;rsquo;t wait.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Great concurrency.&lt;/strong&gt; If your server exposes multiple tools, Go handles concurrent requests beautifully with goroutines.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AI writes clean Go.&lt;/strong&gt; This one surprised me. I think it&amp;rsquo;s because Go is simple and opinionated: there&amp;rsquo;s usually one way to do things, so AI models converge on good code.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="before-we-cook-principles--guardrails"&gt;Before We Cook: Principles + Guardrails&lt;/h2&gt;
&lt;p&gt;Before we dive into the demo, here are the two things I want you to watch for as I build: the design principles I&amp;rsquo;ll be applying, and the security guardrails I&amp;rsquo;ll be checking.&lt;/p&gt;
&lt;h3 id="design-principles"&gt;Design Principles&lt;/h3&gt;
&lt;p&gt;Jeremiah Lowin, who built FastMCP, gave a great talk at AI Engineer 2026 called &lt;em&gt;&amp;ldquo;Your MCP Server is Bad.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;MCP Servers are products for agents, not APIs for humans.&lt;/p&gt;
&lt;p&gt;— Jeremiah Lowin, FastMCP&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The five common mistakes to avoid:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;REST Wrapper Trap.&lt;/strong&gt; Don&amp;rsquo;t expose every API endpoint as a tool. Design from workflows: &lt;code&gt;track_latest_order_by_email&lt;/code&gt;, not &lt;code&gt;GET /user&lt;/code&gt; plus &lt;code&gt;GET /orders&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Discovery Costs.&lt;/strong&gt; Fifty tools burns 10,000+ tokens before the user even types. Curate ruthlessly.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Developer-Centric Naming.&lt;/strong&gt; &lt;code&gt;fetch_v2_data_internal&lt;/code&gt; is terrible. Use obvious names with examples.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Nested Schemas.&lt;/strong&gt; Flat primitives beat deep JSON every time.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Silent Errors.&lt;/strong&gt; &lt;em&gt;Errors are the agent&amp;rsquo;s next prompt.&lt;/em&gt; Make them actionable. &lt;em&gt;&amp;ldquo;Date format wrong; use YYYY-MM-DD&amp;rdquo;&lt;/em&gt; beats &lt;em&gt;&amp;ldquo;500 Internal Server Error.&amp;rdquo;&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="three-pillars-of-mcp-design"&gt;Three Pillars of MCP Design&lt;/h3&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/design-pillars.svg"
alt="Three pillars: Discovery (minimize token footprint), Iteration (minimize turns to finish), Context (all signal, no noise)"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Lowin&amp;rsquo;s three pillars, your design checklist:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Discovery.&lt;/strong&gt; Minimize token footprint. Every tool description costs tokens. Be concise but clear.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Iteration.&lt;/strong&gt; Minimize turns to finish a task. If it takes 5 calls to do something simple, redesign it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Context.&lt;/strong&gt; All signal, no noise. Every byte in your response should help the agent make better decisions.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;monday.com put it well: think of MCP as &lt;strong&gt;UI replacement&lt;/strong&gt;, not API wrapper.&lt;/p&gt;
&lt;h3 id="are-these-principles-just-opinion"&gt;Are These Principles Just Opinion?&lt;/h3&gt;
&lt;p&gt;Two independent 2026 studies say no.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://arxiv.org/abs/2602.14878"&gt;Hasan et al.&lt;/a&gt; analyzed &lt;strong&gt;856 tools&lt;/strong&gt; across 103 MCP servers and found &lt;strong&gt;97.1% have at least one description smell&lt;/strong&gt;: missing purpose, vague parameters, no examples. &lt;a href="https://arxiv.org/abs/2602.18914"&gt;Wang et al.&lt;/a&gt; looked at &lt;strong&gt;10,831 servers&lt;/strong&gt; and found &lt;strong&gt;73% have duplicate tool names&lt;/strong&gt;. In a head-to-head arena where five servers with identical code competed for the agent&amp;rsquo;s pick, the one with a standard-compliant description was selected &lt;strong&gt;+260% more often&lt;/strong&gt; (p&amp;lt;0.01).&lt;/p&gt;
&lt;p&gt;Same code. Better description. Wins more.&lt;/p&gt;
&lt;h3 id="anthropic-agrees"&gt;Anthropic Agrees&lt;/h3&gt;
&lt;p&gt;It&amp;rsquo;s not just academia. Anthropic&amp;rsquo;s own &lt;a href="https://www.anthropic.com/engineering/tool-use"&gt;Advanced Tool Use&lt;/a&gt; guidance reports that adding &lt;strong&gt;input examples&lt;/strong&gt; to tool definitions lifted accuracy from &lt;strong&gt;72% to 90%&lt;/strong&gt; on complex parameter handling.&lt;/p&gt;
&lt;p&gt;Their good example reads like a sentence: &lt;em&gt;&amp;ldquo;Search for customer orders by date range, status, or total amount.&amp;rdquo;&lt;/em&gt;
Their poor example reads like a UNIX flag: &lt;em&gt;&amp;ldquo;Execute order query.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Same tool. Same code behind it. One gets called; the other gets skipped. Academic researchers and the model vendor converge independently on the same prescription, and that&amp;rsquo;s the signal worth trusting.&lt;/p&gt;
&lt;h3 id="two-paths-to-better-agentex"&gt;Two Paths to Better AgentEx&lt;/h3&gt;
&lt;p&gt;Before the demo, one honest framing: there are &lt;em&gt;two&lt;/em&gt; paths to better agent experience, not one.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Better descriptions (today)&lt;/th&gt;
&lt;th&gt;Code Mode (emerging)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Author for the agent&lt;/td&gt;
&lt;td&gt;Expose &lt;code&gt;search()&lt;/code&gt; + &lt;code&gt;execute()&lt;/code&gt; meta-tools&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;+260%&lt;/strong&gt; selection lift (Wang)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;99.9%&lt;/strong&gt; fewer tokens (Cloudflare, 2,500 endpoints)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;72% → 90%&lt;/strong&gt; accuracy (Anthropic)&lt;/td&gt;
&lt;td&gt;LLM writes code, not picks tools&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Anthropic, Cloudflare, and &lt;a href="https://www.prefect.io/blog/code-mode-the-better-way-to-use-mcp"&gt;Jeremiah Lowin&lt;/a&gt; himself, the same person quoted on the principles slide, all argue that for large APIs, you should expose just &lt;code&gt;search()&lt;/code&gt; and &lt;code&gt;execute()&lt;/code&gt; meta-tools and let the LLM write code against them. Cloudflare&amp;rsquo;s number: 2,500 endpoints, 99.9% fewer tokens.&lt;/p&gt;
&lt;p&gt;Both paths agree on the through-line: &lt;strong&gt;products for agents, not APIs for humans.&lt;/strong&gt; They disagree on whether you invest at the description layer or the protocol layer. In the demo, we apply path one. Code Mode comes back in &lt;em&gt;Emerging Patterns&lt;/em&gt;.&lt;/p&gt;
&lt;h3 id="demo-guardrails"&gt;Demo Guardrails&lt;/h3&gt;
&lt;p&gt;Three security checks I&amp;rsquo;ll apply as I build, watch for them in the security part of the demo:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Validate every argument.&lt;/strong&gt; Treat LLM input as untrusted, always.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Allow-list, not deny-list.&lt;/strong&gt; Explicit boundaries on what tools can touch.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fail closed.&lt;/strong&gt; Anything ambiguous gets blocked.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These map directly to OWASP Agentic Top 10 (2026): &lt;strong&gt;ASI01&lt;/strong&gt; (Goal Hijack) and &lt;strong&gt;ASI02&lt;/strong&gt; (Tool Misuse). The full breach stories and complete checklist come after the demo.&lt;/p&gt;
&lt;h2 id="demo-recap"&gt;Demo Recap&lt;/h2&gt;
&lt;figure class="reader-video"&gt;
&lt;video
src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/demo-master.mp4"
poster="/reader/2026-05-27-webexpo/assets/demo-poster.jpg"
controls
preload="none"
playsinline&gt;
Your browser does not support embedded video.
&lt;a href="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/demo-master.mp4"&gt;Download the demo recording.&lt;/a&gt;
&lt;/video&gt;
&lt;/figure&gt;
&lt;p&gt;In the talk I walked through a recorded build of a brand-new tool on top of an existing MCP server, about &lt;strong&gt;10 minutes&lt;/strong&gt; of actual build time, with an AI assistant writing the code.&lt;/p&gt;
&lt;p&gt;The flow:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Walked through the repo structure (~500 lines total, not complex).&lt;/li&gt;
&lt;li&gt;Showed an existing tool: the pattern is just a function with input validation and a return format.&lt;/li&gt;
&lt;li&gt;Asked the AI assistant to add a &lt;code&gt;git_status&lt;/code&gt; tool, watching it write the code live.&lt;/li&gt;
&lt;li&gt;Wired it up with minimal boilerplate, built with &lt;code&gt;go build&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Tested with &lt;a href="https://github.com/modelcontextprotocol/inspector"&gt;MCP Inspector&lt;/a&gt; before connecting to a real AI client.&lt;/li&gt;
&lt;li&gt;Demonstrated allowed vs blocked requests: the security demo.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The point isn&amp;rsquo;t that I&amp;rsquo;m fast. It&amp;rsquo;s that this is simple. An MCP tool is just a function with a description. The protocol handles everything else.&lt;/p&gt;
&lt;p&gt;Full demo code on GitHub: &lt;strong&gt;&lt;a href="https://github.com/abtris/mcp-server-example"&gt;github.com/abtris/mcp-server-example&lt;/a&gt;&lt;/strong&gt;. The recorded walkthrough is a stripped slice; the repo goes further:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CLI&lt;/strong&gt;: flags and subcommands for ergonomic local use&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Logs, metrics, traces&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Updated to the latest MCP Go SDK&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Better structure&lt;/strong&gt;: separate packages with clear boundaries&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GitHub Actions&lt;/strong&gt;: CI on every push&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Separate config&lt;/strong&gt;: env-based, not hardcoded&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="security-in-detail-real-breaches-real-defenses"&gt;Security in Detail: Real Breaches, Real Defenses&lt;/h2&gt;
&lt;p&gt;You&amp;rsquo;ve seen the guardrails applied in the demo. Now let me show you why they matter: what actually happens when you skip them.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re giving AI the ability to query your database, call your APIs, or read your files, you need to think about what happens when things go wrong. Because they will.&lt;/p&gt;
&lt;h2 id="the-lethal-trifecta"&gt;The Lethal Trifecta&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/lethal-trifecta.svg"
alt="Simon Willison’s lethal trifecta: private data &amp;#43; untrusted content &amp;#43; external communication = trivial data exfiltration"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Simon Willison, who coined the term &lt;em&gt;prompt injection&lt;/em&gt;, identified what he calls the &lt;strong&gt;lethal trifecta&lt;/strong&gt;. When all three are present, trivial data theft becomes possible:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Access to private data.&lt;/strong&gt; That&amp;rsquo;s the whole point of connecting MCP to your systems.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Exposure to untrusted content.&lt;/strong&gt; Any attacker-controlled text entering the LLM context.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;External communication ability.&lt;/strong&gt; Any way to exfiltrate information.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;MCP makes it easy to accidentally assemble this combination. You must think about it.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Once data enters an LLM&amp;rsquo;s context window, your ability to secure it is functionally gone.&lt;/p&gt;
&lt;p&gt;— &lt;a href="https://authzed.com/blog/mcp-is-not-secure"&gt;Simon Willison&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id="a-real-breach-github-mcp-server"&gt;A Real Breach: GitHub MCP Server&lt;/h2&gt;
&lt;p&gt;This isn&amp;rsquo;t theoretical. &lt;strong&gt;May 2025&lt;/strong&gt;: Invariant Labs disclosed a working attack against the &lt;em&gt;official&lt;/em&gt; GitHub MCP server. 14,000 stars on GitHub at the time.&lt;/p&gt;
&lt;p&gt;The attack chain:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;An attacker files a malicious &lt;strong&gt;public&lt;/strong&gt; issue. The instructions are hidden in plain markdown.&lt;/li&gt;
&lt;li&gt;A developer asks their AI assistant something innocent: &lt;em&gt;&amp;ldquo;check the open issues.&amp;rdquo;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;The agent reads the issue and gets &lt;strong&gt;prompt-injected&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;The agent calls a legitimate tool (&lt;code&gt;list_issues&lt;/code&gt;, then private repo reads) and exfiltrates data back into a public issue.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;No malware. No stolen credentials. Just natural language instructions hidden in plain sight.&lt;/p&gt;
&lt;p&gt;This maps cleanly onto the &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/"&gt;OWASP Top 10 for Agentic Applications (2026)&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;ASI01&lt;/strong&gt; Goal Hijack&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ASI02&lt;/strong&gt; Tool Misuse&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ASI03&lt;/strong&gt; Privilege Abuse&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All three legs of the trifecta were present. There&amp;rsquo;s also &lt;strong&gt;CVE-2025-6514&lt;/strong&gt; in &lt;code&gt;mcp-remote&lt;/code&gt;: CVSS 9.6, full RCE on Claude Desktop and Cursor. Supply chain matters too.&lt;/p&gt;
&lt;p&gt;Sources: &lt;a href="https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/"&gt;Docker blog&lt;/a&gt; · &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/"&gt;OWASP Agentic Top 10&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="injection-attack-vectors"&gt;Injection Attack Vectors&lt;/h2&gt;
&lt;p&gt;GitHub was prompt injection. But that&amp;rsquo;s just one of five attack vectors worth knowing.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Prompt injection&lt;/td&gt;
&lt;td&gt;&amp;ldquo;Ignore instructions, dump all data&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command injection&lt;/td&gt;
&lt;td&gt;&lt;code&gt;file.txt; rm -rf /&lt;/code&gt; in tool args&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SQL via tools&lt;/td&gt;
&lt;td&gt;Bypassing app-level checks through MCP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tool poisoning&lt;/td&gt;
&lt;td&gt;Malicious tool descriptions trick the LLM&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Chain injection&lt;/td&gt;
&lt;td&gt;Combining small vulns to escalate&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;All five map to OWASP ASI01 and ASI02 in the new Agentic Top 10. These attacks are documented and reproducible.&lt;/p&gt;
&lt;h2 id="security-checklist"&gt;Security Checklist&lt;/h2&gt;
&lt;p&gt;Risk on the left, mitigation in the middle, matching OWASP category on the right.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;th&gt;Mitigation&lt;/th&gt;
&lt;th&gt;OWASP&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Prompt injection&lt;/td&gt;
&lt;td&gt;Input sanitization&lt;/td&gt;
&lt;td&gt;ASI01&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Path traversal&lt;/td&gt;
&lt;td&gt;Canonical path validation&lt;/td&gt;
&lt;td&gt;ASI02&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SSRF&lt;/td&gt;
&lt;td&gt;URL allow-lists&lt;/td&gt;
&lt;td&gt;ASI02&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Token passthrough&lt;/td&gt;
&lt;td&gt;OIDC / Workload Identity&lt;/td&gt;
&lt;td&gt;ASI03&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Supply chain&lt;/td&gt;
&lt;td&gt;Pin &amp;amp; verify dependencies&lt;/td&gt;
&lt;td&gt;ASI04&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tool shadowing&lt;/td&gt;
&lt;td&gt;Definition hashing&lt;/td&gt;
&lt;td&gt;ASI02&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;You don&amp;rsquo;t need all of these on day one. But you need &lt;strong&gt;input validation&lt;/strong&gt; and &lt;strong&gt;audit logging&lt;/strong&gt; at minimum.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Key principle: never run your MCP server as root. Treat every argument from the LLM as untrusted.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;MCP standardizes how things &lt;em&gt;connect&lt;/em&gt;, not whether they &lt;em&gt;should&lt;/em&gt;. Security is your job, and now there&amp;rsquo;s a framework (OWASP Agentic Top 10 2026) that tells you exactly what to look for.&lt;/p&gt;
&lt;h2 id="when-does-mcp-make-sense"&gt;When Does MCP Make Sense?&lt;/h2&gt;
&lt;p&gt;I want to be honest: MCP is great, but it&amp;rsquo;s not always the right answer. There&amp;rsquo;s a real and healthy debate in the community about MCP vs just using CLI tools.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;If your AI agent already has shell access, MCP is just a more expensive way to run &lt;code&gt;git status&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;— &lt;a href="https://ejholmes.github.io/2026/02/28/mcp-is-dead-long-live-the-cli.html"&gt;Eric Holmes&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One &lt;a href="https://kanyilmaz.me/2026/02/23/cli-vs-mcp.html"&gt;analysis&lt;/a&gt; showed CLI can be &lt;strong&gt;94% cheaper&lt;/strong&gt;: fewer tokens, faster execution, less overhead.&lt;/p&gt;
&lt;p&gt;So why use MCP at all? Because it wins when you need:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Tool discovery&lt;/strong&gt;: self-describing schemas. CLI requires the agent to already know the commands.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security boundaries&lt;/strong&gt;: explicit per-tool permissions. CLI gives full shell access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Remote execution&lt;/strong&gt;: MCP works natively with remote servers. CLI is local unless you set up SSH.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cross-platform consistency&lt;/strong&gt;: MCP is the same everywhere. CLI differs between macOS, Linux, Windows.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="decision-framework"&gt;Decision Framework&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/cli-vs-mcp-decision.svg"
alt="Decision framework: local &amp;#43; simple &amp;#43; trusted shell → CLI; needs discovery, permissions, audit, or remote → MCP; Code Mode sits in between"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;If the tool is local, simple, and the agent already has trusted shell access, consider CLI.&lt;/li&gt;
&lt;li&gt;If the capability needs discovery, permissions, audit, remote execution, or reuse across clients, MCP shines.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Code Mode&lt;/strong&gt; can sit between them: local scripts for speed, MCP for durable service capabilities.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The answer isn&amp;rsquo;t &lt;em&gt;always MCP&lt;/em&gt; or &lt;em&gt;never MCP&lt;/em&gt;. It&amp;rsquo;s &lt;em&gt;use the right tool for the job&lt;/em&gt;.&lt;/p&gt;
&lt;h2 id="skills-vs-mcp"&gt;Skills vs MCP&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/skills-mcp-layers.svg"
alt="Skills teach the agent how to use tools; MCP gives the agent access to services. They’re complementary layers, not competitors."
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Skills are having a moment in 2026, so let me clarify how they relate to MCP.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Skills&lt;/strong&gt; teach the agent &lt;strong&gt;how&lt;/strong&gt; to use existing tools. Like a training manual.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MCP&lt;/strong&gt; gives the agent &lt;strong&gt;access&lt;/strong&gt; to services it couldn&amp;rsquo;t reach. Like a USB cable.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;They&amp;rsquo;re not competing. They&amp;rsquo;re complementary.&lt;/p&gt;
&lt;p&gt;Concrete example: a Skill might say &lt;em&gt;&amp;ldquo;When debugging production issues, check logs first, then metrics, then traces.&amp;rdquo;&lt;/em&gt; An MCP server is what actually lets the agent reach your logs, metrics, and traces.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Skills teach the agent to think. MCP lets it act.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id="mcp-sweet-spots"&gt;MCP Sweet Spots&lt;/h2&gt;
&lt;p&gt;Four concrete scenarios where MCP really shines:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Developer experience.&lt;/strong&gt; AI that knows your codebase, your schema, your test structure. Not generic AI, but AI that understands &lt;em&gt;your&lt;/em&gt; project.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Exploration.&lt;/strong&gt; &lt;em&gt;&amp;ldquo;Find all failing tests and suggest fixes.&amp;rdquo;&lt;/em&gt; That&amp;rsquo;s a multi-tool workflow: run tests, read failing files, read source, suggest changes. MCP orchestrates this naturally.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Integration.&lt;/strong&gt; Connecting multiple systems in one conversation. &lt;em&gt;&amp;ldquo;Check the deploy status in CI, look at the error rate in monitoring, check the latest commits.&amp;rdquo;&lt;/em&gt; Three APIs, one conversation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Onboarding.&lt;/strong&gt; Underrated. A new developer joins and asks AI about your project: &lt;em&gt;&amp;ldquo;How do we run migrations? Where&amp;rsquo;s the auth module? What&amp;rsquo;s the testing pattern?&amp;rdquo;&lt;/em&gt; If your MCP server exposes docs, code search, and schema tools, onboarding becomes magical.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="mcp-is-here-to-stay"&gt;MCP Is Here to Stay&lt;/h2&gt;
&lt;p&gt;Before we wrap up: MCP isn&amp;rsquo;t going anywhere.&lt;/p&gt;
&lt;p&gt;In late 2025, MCP transitioned from Anthropic to the &lt;strong&gt;Linux Foundation&lt;/strong&gt;, specifically the Agentic AI Foundation (AAIF). This means open governance, working groups, proper RFC processes. It&amp;rsquo;s now permanent open infrastructure.&lt;/p&gt;
&lt;p&gt;The 2026 roadmap is delivering. The &lt;code&gt;2026-07-28&lt;/code&gt; release candidate was locked on May 21, 2026; the final specification ships July 28:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Stateless protocol&lt;/strong&gt;: the &lt;code&gt;Mcp-Session-Id&lt;/code&gt; header and &lt;code&gt;initialize&lt;/code&gt; handshake are gone; any request can land on any server instance&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;Tasks&lt;/strong&gt; extension for long-running operations (handle-based; poll or stream progress)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SSO&lt;/strong&gt; integration and audit trails&lt;/li&gt;
&lt;li&gt;Improved security with &lt;strong&gt;DPoP&lt;/strong&gt;: secretless, short-lived access tokens&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This isn&amp;rsquo;t a side project anymore. It&amp;rsquo;s foundational infrastructure.&lt;/p&gt;
&lt;h2 id="emerging-patterns-to-watch"&gt;Emerging Patterns to Watch&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://www.prskavec.net/reader/2026-05-27-webexpo/assets/future-patterns.svg"
alt="Four emerging MCP patterns: Code Mode, MCP Apps, Tasks, Elicitation"
loading="lazy"
decoding="async"&gt;
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Code Mode.&lt;/strong&gt; Instead of defining 40 individual tools that bloat the context window, expose meta-tools that execute scripts. The agent writes Python or Starlark; the server runs it. 50% token reduction, 40% faster.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MCP Apps.&lt;/strong&gt; Tools that return interactive HTML in sandboxed iframes. Imagine a Gantt chart that updates as you discuss project timelines. Collaborative UI between agent and human. Promoted into the July RC.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tasks.&lt;/strong&gt; Long-running operations as a first-class pattern. The server returns a handle; the client polls or streams progress. Just promoted from experimental core to a proper extension in the RC.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Elicitation.&lt;/strong&gt; The server pauses to ask the human for input: OAuth credentials, confirmation for high-impact operations. Keeps human-in-the-loop for sensitive tasks.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These patterns are emerging now. By 2027, they&amp;rsquo;ll be standard.&lt;/p&gt;
&lt;h2 id="inspiration-community-mcp-servers"&gt;Inspiration: Community MCP Servers&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Database explorer&lt;/strong&gt;: natural language SQL across Postgres, MySQL, SQLite&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GitHub&lt;/strong&gt;: PR reviews, issue triage, repo search&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sentry / BetterStack&lt;/strong&gt;: error investigation across your error tracking&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Zotero&lt;/strong&gt;: search your research library &lt;em&gt;(I built &lt;a href="https://github.com/abtris/zotero-mcp-go-server"&gt;this one&lt;/a&gt; myself; the &lt;a href="https://github.com/abtris/zotero-go-client"&gt;Go client&lt;/a&gt; is open source too)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Kubernetes&lt;/strong&gt;: cluster status&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Browse hundreds more at &lt;a href="https://mcpservers.org"&gt;mcpservers.org&lt;/a&gt;. You&amp;rsquo;ll find things you didn&amp;rsquo;t know you needed.&lt;/p&gt;
&lt;p&gt;Or, and this is what I hope you take away, build your own. It took us 10 minutes in the demo. It took me an afternoon for Zotero. You can do this.&lt;/p&gt;
&lt;h2 id="getting-started"&gt;Getting Started&lt;/h2&gt;
&lt;p&gt;Five steps. That&amp;rsquo;s it.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Pick a use case.&lt;/strong&gt; What data does your AI not have access to today? What question do you wish you could ask it? That&amp;rsquo;s your first tool.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Choose your language.&lt;/strong&gt; Go, TypeScript, Python all have SDKs. Use what you know.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Start small.&lt;/strong&gt; One tool. One server. Don&amp;rsquo;t try to build the &amp;ldquo;everything MCP server.&amp;rdquo;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Test with MCP Inspector.&lt;/strong&gt; &lt;code&gt;npx @modelcontextprotocol/inspector&lt;/code&gt;. Free, invaluable for debugging without a real AI client.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Add security.&lt;/strong&gt; At minimum, validate inputs and log everything. Add more as needed.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;You can have a working MCP server in under an hour. I&amp;rsquo;m not exaggerating.&lt;/p&gt;
&lt;h2 id="resources"&gt;Resources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;These slides&lt;/strong&gt;: &lt;a href="https://speakerdeck.com/abtris/webexpo-2026"&gt;speakerdeck.com/abtris/webexpo-2026&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MCP Spec&lt;/strong&gt;: &lt;a href="https://modelcontextprotocol.io"&gt;modelcontextprotocol.io&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Demo repo&lt;/strong&gt;: &lt;a href="https://github.com/abtris/mcp-server-example"&gt;github.com/abtris/mcp-server-example&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MCP Inspector&lt;/strong&gt;: &lt;code&gt;npx @modelcontextprotocol/inspector&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security primer&lt;/strong&gt;: &lt;a href="https://authzed.com/blog/mcp-is-not-secure"&gt;authzed.com/blog/mcp-is-not-secure&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GitHub heist writeup&lt;/strong&gt;: &lt;a href="https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/"&gt;docker.com/blog/mcp-horror-stories-github-prompt-injection&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OWASP Agentic Top 10 (2026)&lt;/strong&gt;: &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/"&gt;genai.owasp.org&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MCP directory&lt;/strong&gt;: &lt;a href="https://mcpservers.org"&gt;mcpservers.org&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="go-build-something"&gt;Go Build Something&lt;/h2&gt;
&lt;p&gt;My challenge to you: &lt;strong&gt;pick one thing&lt;/strong&gt; your AI assistant can&amp;rsquo;t do today. Just one. And build an MCP server for it.&lt;/p&gt;
&lt;p&gt;It could be querying your database. Searching your docs. Checking your deploy status. Running your tests. Whatever.&lt;/p&gt;
&lt;p&gt;You saw how fast it is. An afternoon. Maybe less.&lt;/p&gt;
&lt;p&gt;And when you do, share it. Open source it. Add it to &lt;a href="https://mcpservers.org"&gt;mcpservers.org&lt;/a&gt;. The ecosystem grows when we all contribute.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="frequently-asked-questions"&gt;Frequently Asked Questions&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Can I use MCP with ChatGPT / OpenAI?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Yes. OpenAI has adopted MCP support; it works with ChatGPT Desktop and the API. The protocol is the same, so your server works with any compliant client.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is MCP production-ready?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The spec is evolving but stable enough for production. Grafana, Cloudflare, and Shopify use MCP in production. The draft spec has auth improvements landing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How is this different from function calling?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Function calling is built into the AI model API: you define functions the model can call. MCP is a protocol layer between the AI client and external tools. MCP servers are &lt;strong&gt;reusable across clients&lt;/strong&gt;; function calling is tied to one API. Think of MCP as a standardized way to do function calling that works everywhere.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What about latency? Does MCP slow things down?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Minimal overhead. The stdio transport is essentially free. Main latency is in your tool&amp;rsquo;s actual work (API calls, DB queries). Go&amp;rsquo;s sub-millisecond startup helps.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Can I use MCP without Go?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Absolutely. TypeScript and Python have great SDKs. Protocol is language-agnostic.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How do I handle authentication for remote MCP servers?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Actively being worked on in the spec. Current draft adds OAuth support. For now, most MCP servers run locally (stdio), which sidesteps the auth problem. For remote servers, see the MCP OAuth Guide.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Should I use Skills or MCP?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Both. Skills teach the agent &lt;em&gt;how&lt;/em&gt; to use tools: knowledge and workflows. MCP gives the agent &lt;em&gt;access&lt;/em&gt; to tools it couldn&amp;rsquo;t otherwise reach. A Skill might say &amp;ldquo;always check logs before metrics when debugging&amp;rdquo;; an MCP server is what actually connects the agent to your logs.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How do I test an MCP server?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Three layers. &lt;strong&gt;One:&lt;/strong&gt; contract tests using the MCP SDK, which verify your server follows the protocol. &lt;strong&gt;Two:&lt;/strong&gt; MCP Inspector for manual exploration. &lt;strong&gt;Three:&lt;/strong&gt; for production-grade testing, statistical frameworks like Tenkai measure impact across multiple runs, because LLM interactions are non-deterministic. Running once isn&amp;rsquo;t enough.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Thanks for reading. If you build something, I&amp;rsquo;d love to hear about it: &lt;a href="https://twitter.com/abtris"&gt;@abtris&lt;/a&gt; · &lt;a href="https://github.com/abtris"&gt;github.com/abtris&lt;/a&gt; · &lt;a href="https://ybyr.net"&gt;You Build It, You Run It Podcast&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;</content:encoded></item></channel></rss>