Claude's capabilities keep improving, but the security surface of MCP integrations is largely unaudited. 30 MCP CVEs dropped in 60 days earlier this year. Tool descriptions can contain invisible Unicode that redirects agent behavior. Most MCP servers ship with zero authentication. The security tooling hasn't caught up with the adoption curve.