Claude Code MCP Server Data (2026)
When you connect Claude Code to external services through MCP servers, you’re opening doors that go both ways. A well-configured MCP server can read files, query databases, call APIs, and interact with your development environment. But without proper security measures, these same capabilities become vectors for data exfiltration. This guide covers practical patterns for securing your MCP servers and preventing unintended data leakage.
Understanding the Data Exfiltration Risk
MCP servers operate as bridges between Claude Code and external systems. When you install a skill like pdf or frontend-design, these skills may depend on MCP servers to function. The problem: once an MCP server has access to your files, environment variables, or API credentials, that access can theoretically be misused either through misconfiguration, compromised prompts, or adversarial prompts injected through conversation context.
Data exfiltration in this context means unauthorized transmission of sensitive information from your environment to external destinations. This could include:
- Source code being sent to third-party APIs
- Environment variables containing API keys being logged or transmitted
- File contents being copied to external services
- Database queries returning sensitive records that get forwarded elsewhere
The risk increases when MCP servers have broad filesystem access or network capabilities, which many default configurations do.
Principle of Least Privilege for MCP Servers
The foundational security principle applies directly: each MCP server should have only the minimum access necessary to perform its function. If you’re using the tdd skill for test-driven development, it needs file read/write access to your test directories, but it doesn’t need network access or environment variable visibility.
Create separate MCP server configurations for different skill categories:
{
"mcpServers": {
"filesystem-limited": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem"],
"allowedDirectories": ["/projects/src", "/projects/tests"]
},
"memory-readonly": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"readOnly": true
}
}
}
By restricting allowedDirectories, you prevent MCP servers from accessing sensitive paths like ~/.ssh, ~/.aws, or project directories containing credentials.
Input Validation and Sanitization Patterns
When building custom MCP servers or skills that process external data, validate everything that could become a data exfiltration vector. The supermemory skill, for example, processes notes and memories that might contain sensitive information. Implement validation at the MCP server level:
Example input sanitization for custom MCP server
import re
import os
class SecureInputValidator:
SENSITIVE_PATTERNS = [
r'AKIA[0-9A-Z]{16}', # AWS keys
r'ghp_[a-zA-Z0-9]{36}', # GitHub tokens
r'sk-[a-zA-Z0-9]{48}', # OpenAI keys
]
@staticmethod
def scan_for_secrets(text: str) -> bool:
for pattern in SecureInputValidator.SENSITIVE_PATTERNS:
if re.search(pattern, text):
return True
return False
@staticmethod
def sanitize_path(path: str, allowed_base: str) -> str:
resolved = os.path.realpath(path)
allowed = os.path.realpath(allowed_base)
if not resolved.startswith(allowed):
raise ValueError(f"Path {path} outside allowed directory")
return resolved
This pattern prevents accidental transmission of credentials that is pasted into conversation context. Skills like slack-gif-creator and canvas-design that accept user input should implement similar checks.
Network Segmentation and Firewall Rules
For MCP servers that require network access, restrict outbound connections to known endpoints. If your mcp-builder skill needs to interact with specific APIs, configure firewall rules or use container networking to limit what destinations it can reach:
macOS: restrict outbound connections via pfctl
block out quick on en0 proto {tcp, udp} from any to any port {80, 443} \
except to {api.example.com, registry.npmjs.org}
Alternatively, run MCP servers in isolated containers with explicit network policies. Docker Compose configurations can enforce this:
services:
mcp-server:
image: your-custom-mcp-server
networks:
- mcp-internal
dns:
- 8.8.8.8
environment:
- ALLOWED_HOSTS=api.example.com,github.com
networks:
mcp-internal:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
Audit Logging and Monitoring
Implement comprehensive logging for all MCP server interactions. Track which skills access which resources and flag unusual patterns. The internal-comms skill demonstrates a useful pattern: logging every external API call with timestamps and data summaries:
// Audit logging for MCP server
function logMCPAccess(skillName, action, resource, timestamp = new Date()) {
const logEntry = {
timestamp: timestamp.toISOString(),
skill: skillName,
action: action,
resource: resource,
// Hash sensitive content for debugging without exposure
resourceHash: crypto.createHash('sha256').update(resource).digest('hex')
};
fs.appendFileSync('/var/log/mcp-audit.jsonl', JSON.stringify(logEntry) + '\n');
}
Review these logs regularly. A spike in filesystem access from a skill that typically doesn’t read files, or network calls to unfamiliar domains, can indicate a problem.
Skill-Specific Recommendations
Different skills present different risk profiles. Here’s a quick reference:
- pdf, pptx, docx, xlsx: These document skills often process files containing sensitive data. Restrict their filesystem access to specific directories and implement file type validation.
- frontend-design, canvas-design: These visual skills may call external APIs for assets or fonts. Verify that any external calls go to trusted CDNs.
- tdd: Test-driven development skills need write access to test files but should have read-only access to production source files in sensitive projects.
- algorithmic-art: Generally low risk since it primarily generates output, but verify that any image processing doesn’t transmit data externally.
Building Secure Custom Skills
When creating your own skills that integrate with MCP servers, embed security requirements in the skill definition itself. Use the capabilities field to explicitly declare what the skill can and cannot do:
---
name: secure-document-processor
description: Process documents with security constraints
allowed_tools:
restricted_paths:
network_allowed: false
log_access: true
---
This declarative approach makes security requirements visible and enforceable.
Regular Security Audits
Schedule periodic reviews of your MCP server configurations and installed skills. Check for:
- Skills with overly broad filesystem permissions
- MCP servers that can access environment variables containing secrets
- Unused MCP servers still running
- Skills from untrusted sources
Remove unused skills and servers. Each active integration is a potential attack surface.
Summary
Preventing data exfiltration through Claude Code MCP servers requires a defense-in-depth approach. Apply least privilege principles to MCP server permissions, validate and sanitize all inputs, segment network access, maintain audit logs, and regularly audit your configurations. By implementing these patterns, you can safely use powerful skills like pdf, tdd, frontend-design, and mcp-builder without exposing your sensitive data to unnecessary risk.
The convenience of MCP-powered skills shouldn’t come at the cost of security. Take time to configure access controls properly, and your development workflow will remain both productive and secure.
Find the right skill → Browse 155+ skills in our Skill Finder.
Related
Configure MCP → Build your server config with our MCP Config Generator.
Try it: Estimate your monthly spend with our Cost Calculator.
-
claude mcp list command guide — How to use the claude mcp list command to manage MCP servers
Related Reading
- Claude Code MCP Server Setup: Complete Guide 2026
- MCP Servers vs Claude Skills: What’s the Difference?
- Claude Code Permissions Model Security Guide 2026
- Claude SuperMemory Skill: Persistent Context Explained
- Advanced Claude Skills Hub
Built by theluckystrike. More at zovo.one