The connector had permissions.
That may become the more useful way to think about MCP risk. Not because MCP is bad, and not because every agent workflow is a disaster waiting to happen. The sharper issue is that agents become powerful when they can reach tools, files, repos, SaaS apps, and internal workflows.
That reach has to move through something.
When that “something” is a connector with delegated authority, tool metadata, OAuth grants, and registry trust behind it, the security question changes. The model may get blamed, but the connector may be where access quietly became real.
Prompt injection is the loud part. Trust brokerage is the part worth watching.
Read the full AlphaHunt analysis.