This session introduces the Model Context Protocol (MCP), an open protocol designed to standardize how AI applications connect to external data sources and tools, complementing Retrieval Augmented Generation (RAG) by addressing interface fragmentation and enabling more sophisticated agentic AI systems.
Mind Map
Click to expand
Click to explore the full interactive mind map • Zoom, pan, and navigate
Hola SAP developers, welcome to this
session part of the the 12S 2025
integration trend. Before we start,
please feel free to drop us your
questions on the chat window as we'll be
monitoring it and we will answer some of
your questions there, some of your
questions live. If not, then we will
have a a session section at the end for
Q&A. Uh today we have Vadim who you
might know already uh from previous Leto
Fest. He's been a speaker at uh Lto Fest
before for the two times that uh there's
been an integration track before and
he's here with us today uh delivering
the last session part of the integration
track this year. Uh we're we're
definitely leaving the best for last. Uh
and well that's it. Without any further
delay or vadim over to you.
>> Thank you Antonio and hello to
everybody. Um
uh my name is Vim Kimov and uh I was a
speaker at pasttoberfest uh sessions and
also I was uh I was attendant listener
of all the sessions uh all years for the
fest. So literally I was with the fest
from from its introduction. Uh thank you
for having me here. Um I uh specialize
in SAP technologies in SAP integration
technologies in particular. So currently
I work on PTP uh platform for customer.
Uh but my heart is uh with integration
technologies and uh this is where I
would like to introduce the session uh
for your attention and talk about uh AI
integrations. So we are going to talk
about how AI applications can be
connected in a unified way uh with the
different uh external data sources and
tools. So this is all about uh MCP in
the session
and before we dive into the topic I
would like to introduce the agenda. So
we will start from the problem
definition. So why at all we need
something new uh in here. Then we will
talk about what MCP
um stands for, how it works, um some
some basic and common things that will
be required for us to progress and we
will go into some demo. We will see how
it works. And last but not least, we
will look into challenges
uh so that we have a more complete
picture about what MCP can introduce and
where we can benefit from it and where
And we start from introduction, we start
from the problem. So as it's very common
for le language models, um they are
nowadays very powerful but the knowledge
is still limited. So even though the
training data sets get extended and
advanced still there is certain cut off
for the knowledge that LM knows and
that's the date beyond which LLM itself
will not know what what happened. uh there.
there.
So LLMs are useful but there is this
restriction of the knowledge cutff and
to address that as a result as a result
we have some outdated answers that uh AI
applications can generate and also uh
those applications are commonly not able
uh to extract information uh which is
very domain specific or which resides in
corporate internal systems or relates to
some private uh data because commonly
that's not part of uh LN um models um
data sets.
So we need to solve it somehow and some
time ago the retrieval augmented
generation or rock for short was
introduced which allows retrieval and
pre-processing of data from the variety
of data sources and then this uh data
can be augmented into the LLM prompt and
then even though LLM itself wasn't
trained on that data it becomes aware of
that data which is of great help and now
we have quite a lot of rug based
solutions out uh
but then we come to the problem of
interface fragmentation. So now we have
the mechanism how we can reach uh uh
current data uh realtime data and
internal data private data but we have
to reach it in variety of formats and uh
communication protocols. So uh this adds
the complexity when we want to scale it
up and uh when we have the heterogeneous
landscape of the variety of data sources
and the interface fragmentation this is
where the integration u colleagues may
get excited because now we need to solve
the problem of how we can unify that.
So firstly we need to figure out how we
can stand standardize the interface that
AI applications uh can use to connect to
external data sources and also as a next
step we need to have something uh that
can be used as the foundation for
agentic systems because agentic AI
systems although they don't mandate that
but they really can advance and progress
and scale when we have this kind of
mechanisms. Um this is not to confront
retrieval augmented generation. It's
more to complement it. So it's not the
competitor to it's the
technology that is yet to help. And uh
moreover uh one of them can exist
without another. So we can easily have
something uh to connect to real time uh
to external data sources and that will
not be rug based or also rug based
systems uh not necessarily requiring
some unified mechanisms to connect to
external data sources. So now we have
this question and as you might have
guessed um we now have the answer or we
have the mechanism how we can address uh
that question and that is called model
context protocol or MCT for short.
We will look now uh at MCP at a glance.
So MCP is the open protocol. So it was
introduced by entropic in November last
year. So very soon it will be one year
old. It's quite recent technology
and the intention of it is to
standardize the the way how LLM
applications can connect to external
data sources and tools and it was
inspired by language server protocol by
the protocol uh which is used by modern
ids when they want when they need to
have language specific uh features
access to language specific features
it's client server protocol it's
agnostic from languages and from frameworks
frameworks
and it's entirely based on JSON RPC. So
the message format uh is not something
new. It's based on quite battle tested
format that that we may know from along
case and we have out of the box two
transport um communication mechanisms.
So the first one is for local it's based
on standard input output and the other
one is for remote invocations. That one
is based on streamable HTTP.
In the past we had the option to use
serverside events and we still can use
it technically but uh that was uh
superseded by streamable HTTP and now it
was duplicated from the standard plus if
we are not satisfied with these two
options we can develop custom u
transport mechanisms
maybe it's not that common but still
it's technically possible
speaking about adoption as I said it was
introduced quite recently in November
last year but since Then we saw quite
intense adoption of of this protocol by
the ecosystem by PKA companies, big tech
companies. Uh we could evidence that a
lot of SDKs were released for different
languages and I just mentioned few of
them here. Uh those which are official,
some of them were developed by entropic,
some of them were developed by other big
companies which you can see here. And
the ecosystem keeps growing.
when I tell uh when I talk about ecosystem
ecosystem
um there is no one single u number for
MCP clients and MCP servers that are out
there available but there are some
researchers which suggest that in
February this year so literally a couple
of months after the release of MCP
specification there were more than
thousand u MCP servers released and in
August this year there were already more
than 10,000 of MCP service released and
uh the number keeps growing. So a lot of
big companies, smaller companies,
clients uh they create MCP servers on
top of uh assets which they have already.
So we will have a quick look into the
architecture. So when we talk about MCP,
we commonly will have a local host where
we have some AI application. this AI
application it can be AI assistant think
of like cloud desktop or uh development
development copilots or digital assistants
assistants
uh which talks to LLM.
Now we have some data sources and those
can be either local running on the same
host or maybe it's a file on the file
system or um some other process that
runs on the local host or those can be
remote services. So maybe this is an API
exposed by the external service or maybe
it's database which resides elsewhere
or file storage that resides outside um
of the local host. Now we need to find
the mechanism how we can plug them in
the AI application and for that as a
part of MCP specification. Uh it
suggests that we can uh develop or we
can use if it has been already developed
and released uh the MCP server which
acts as a middleware and acts as a proxy
in front of the data source being a
local data source or remote data source.
This MCP server the way how it
communicates with the data source it's
uh specific to the data source. So it
can be a file system call operating
system call it can be HTTP call uh to
some API it can be database call or any
way that the MCP server can use to
programmatically access data and
resources which the data source exposes.
So this is hidden and obstructed from
the AI application. It's the
implementation details of the MCP serve
can be some open industry standard
technologies. It can be something very proprietary.
proprietary.
What MCP serve exposes? This is what uh
is agnostic technology wise agnostic
from the data source. And this is where
the unification comes in.
And in the EI application we have MCP
client. MCP client establishes the
connection with the MCP server using um
the model contact protocol the unified
protocol in this way AI application
doesn't need to know how to reach data
source so it only needs to know how to
reach the MCP server in the unified way
and then all the rest is implemented by
now we come to the life cycle so as I
mentioned it's a client server uh
technology so we have MCT client which
is a part uh which is a part of the
application and we have the MCT server
that can be run locally or remotely and
exported as a service. Uh the initiation
of the connection always happens by the client
client
um and after the connection handshake um
has been uh completed and was successful
uh the MCP server and MCP client
negotiate of which capabilities are
available. So what capabilities they can
um use we will come to this in a moment
and after that we come to the operation.
So operations part is the major part of
the that is used uh by the AI
application. This is where MCP client
can access uh tools resources. It can
access prompts on the MCP server and
also uh it can get notified about uh
changes which happen. For example, MCP
serve can notify MCP client about the
data object that was retrieved by MCP
client but it which was updated after that
that
and after uh the work is done uh if we
would like to terminate or to shut down
the connection the shutdown can happen
from can get initiated by either sites.
So it can be the server who shuts down
the connection it can also be the client
who shuts down the connection. For
example, we uh quit clog desktop or or
another client. Uh and this is transport
specific. So it can be termination of
the process if it's local or it can be
uh HTTP uh transport shutdown if it's uh remote.
We just briefly talked about a few
primitives and these are components
which uh primitives that lie at the head
of MCP server client server
communication. uh those are resources,
tools and prompts. Very commonly we will
hear about tools because tools this is
the most the largely used primitive
amongst uh these three uh uh the tool is
the function. We can think of it as the
function that is exposed by the MCP
server and that can be called by the MCP
client. The function can be to read
something to fetch some data or the
function can be to create or update or
maybe the function exposes some logic
which is exposes the access to some
logic execution maybe some calculation
or so. Uh so for the function it's model
controlled. So uh LLM model that is used
by the AI application makes the decision
based on tools which were advertised by
the MCP server and which has been
discovered by uh the LM through the MCP client.
client.
Uh LM makes decision of which tool to
call and with which arguments parameters
depending on user or workflow input for
example based on the prompt that the
The other primitive is resource.
Resource we can think of it as text or
binary data. It's not function. It's not
logic that is implemented there. It's
data which is exposed and usually it's
read only access. So we cannot create or
update it. For example, a good example
for that can be uh we have some entity
for example employee record or material
record, product record or sales order
record and we would like to retrieve uh
it just to fetch data about it. So
that's example of uh resource to some
extent we can map it to a rest architecture
architecture
where we have resources and those
resources are always uniquely
addressable by the URI. uh this makes
them quite uh nicely resonating to rest
uh architecture and those are
application controlled. So the AI
application determines uh which resource
it wants to retrieve data about not LLM
anymore. And the last one is prompts.
prompts or prompt templates. They are
predefined messages or struct structured
messages which allow the client
uh to better understand how it can
interact with MCP server. So that's
something that is user controlled and
that's something that we can commonly
see in uh for example coding assistance
where we have uh uh slash comments.
uh so that's something that helps to
drive communication and uh to make the
the use of most most commonly tools more
uh precise. So for example it can help
us drive which arguments must be filled
uh for the specific invocation of the
tool based on those which are exposed by
or acceptable by the tool.
So these are primitives but this is not
the only functionality that MCP exposes.
There are some others. I will not go
into details for this but just for your
awareness uh we have some features which
can be implemented by the MCP client and
we have some others which can be
implemented by the MCP server and there
are some others which are common. Those
features are intended to help uh MCP
client and MCP server communicate more
accurately. So for example uh
subscription to notifications
or uh the client may decide to expose
parts of its file system so that MCP
server can have access uh can have
access to it or the MCP server may
request sampling so that it better knows
how how to uh to run the tool.
pagenation from performance perspective.
Uh completion so that we can help uh
complete argument values. Uh logging
which is quite common thing so that we
can log what happens on the MCP server
and return it back to the client. And
there are some common features like for
example we can have progress tracking if
there is some long-lasting operation. We
can cancel the request which can be
triggered by the client or by the server
and ping test so that we can check the
general health of the counterpart. So
MCP client can check if MCP server is
still alive and vice versa. So these
additional features in my personal
experience they are implemented to a
lesser extent in MCP servers that I
worked with but it's nevertheless worth
knowing about them so that uh we can see
if we need to tweak something or if we
need to add extra functionality then we
we know that what kind of other features
are available. Um these features and
primitives they are well described in
the MCP specification for which we had a
link a couple of slides ago. Um and uh I
really encourage you if you would like
to read about them uh in more details to
refer to the specification because specification
specification
um it offers not only more detailed view
on that but also they provides exact
examples in uh for JSON in JSON PC
format about how this communication may
look like between MCP server and MCP
client. And good news uh SDKs for MCP
they commonly would already uh implement
that and will offer uh APIs um as an
abstraction layer to make the developer
life easier if they would like to
implement it. Um
Um
we are done with features discussions
and now I would like to show you in
action how it how it works. So what I
will do is
I will have the CPI integration with
tenant with CPI enabled. There we can
see that there are some packages some of
them are uh standard content from SAP
and some others were custom developed
and let's take the example where we
would like to have the digital assistant
I will use clot desktop in here and we
would like to to interact with it uh and
fetch data from that CPI tenant. So at
the moment uh CPI offers public APIs
which can be used and which are used by
quite a number of tools to extract data
and to upload data into the CPI tenant.
But if we ask if we are in the space of
working with the EI tool and we ask the
EI tool about something related to the
CPI tenant I will put it in here. it
will not know anything because the LLM
doesn't know what is inside the CPI
tenants that I have and I use trial
account for that. So what it does is it
provides some very generic statements
about how we can access it but no
further details.
Uh before we progress I just want to say
that in these demos I will use cloth
uh other digital systems as well. So
those which uh support uh MCP which
means that those which have MCP client
implemented in it and quite a number of
um digital assistance and coding
assistance they already do support MCP
quite broadly. So it's the disclaimer is
that features which I will describe here
they are not cloud specific quite a lot
of them uh we can uh uh see and we can
use in other tools. So the the reason I
use clot is mostly because I use it as
my primary tool in uh development
activities uh when I need to have some
AI uh capabilities but I could have used
something different in here. So we see
that the answer is quite generic. It
doesn't really expose anything from the
CPA tenant. Uh what we will do now is uh
we have the digital assistant uh cloud
desktop. It has MCP uh client
functionality in there but it doesn't
yet know how to talk to the MCP server
and firstly we also need to uh to get
MCP server for that. So MCP server I
implemented for uh for this um in go so
I have the project which has been
published to GitHub. So it's open source
and it's publicly accessible. If you
want you can have a look into it and you
can use it and I will be really happy if
you provide your comments about it. So
uh we have the project uh which
implements the MCP server for some
artifact types u uh in CPI and entirely
uses public APIs which also means that
we cannot fetch some data for example
about the internals of the artifact like
for example message processing steps um
but we can uh fetch information about
integration packages integration flows
script collections value mappings um and
so on and so on. So this MCP server it's
implemented it's compiled in the binary
but I also wrap it in the docker image
and I will run it as a docker container
and we will come a reason why I do so
when we talk about challenges uh
technically we can run it as a binary as
well and uh there are a lot of MCP
servers written out there in different
languages in Typescript JavaScript in
Python in Go you can develop it in Rust
if you want or in few other languages.
So what we need to do is in the first
part of the demo I will start the MTP
server locally. So I have cloud desktop
running on my machine. I will also start
uh the server on on this machine. For
this one I firstly need to instruct
cloud desktop how to start the MCP
server or which parameters have to be
passed and how to interact with that. So
for that one I will go to the cloud config.
config.
Let me just pull the file in here.
It's something that you can access
from cloud settings as well from here
in developer. If you use some different
uh digital assistant
just please check the documentation uh
either which file it has to be added or
in which menu uh path you can access it.
And there are also some registries from
where you can pull uh those MCP servers
and they they can offer uh quick install
uh functionality depending on which
agent you use or which uh desktop agent
use or which uh ID use. For example, if
you use VS code or uh something different.
different.
So what I will do now is I go to the
config file. Now MCP service is empty.
I added configuration for the MCP server
for CPI. So it runs in the docker. It
could have been any other comment that
the local machine can start. So it can
be invocation of the binary file or
NodeJS runtime. We can pass some
arguments in here. I say uh docker for
which im container for which image has
to be started and configuration
parameters for this uh MCP server uh
which are the way how uh which instruct
to which CPI tenant uh the MCP server
shall be connected uh they are provided
um in the environment file. So this no
secret I will open it in here.
So this except the last one uh this
first four parameters they are mandatory
because they define uh the endpoints and
client and decline secret uh to interact
with uh CPI. The last one I will need to
change it further in the demo. So I just
provide it in here. It instructs uh
which protocol we're going to use. So do
we use transport for local or do we use
HTTP? Uh there are some other parameters
which have been documented in the GitHub
repository of this project. So that you
can control LO level, you can control uh
LO file location, you can define what is
the maximum concurrency uh that MCP
server will use for calls uh that are
sent to the CPI endpoints, what is
timeout. So those are predominantly uh
to change login behavior and also to
have some drop link between MCP server
and CPI so that MCP server doesn't um u
generate excess number of uh API calls.
Here we go. We add it in uh cloud uh in
configuration in here. So I will save it
and what I will do is I will exit desktop
desktop
and I will test again. I will just start
that so that it picks up
Here we go. So we can see that uh clot
recognized that we now have a new MCP server
server
in uh dock desktop. I can see that we
have now a new container. So that one
was started by cloud desktop at startup.
So now we have the MCP server running.
We have cloud desktop running. And now
we c we can select which tools given
that the MCP server exposes multiple
tools. We can select which tools we
would like to enable. So we can be
selective and we can dis disable those
which we don't need. And I will come to
the point why it may be useful. In
extreme case we can enable all of them
if we want. For this demo, I will only
need to search for packages and forlows.
Eyeflows which are available at design
time and those which are available at
runtime, those which have been deployed.
So I will disable tools which are
related to search for script
collections, for value mappings, for
message mappings etc. And now what we
will do is we will just repeat the
prompt that we sent previously. So that
we literally just uh send exactly the
same prompt once again. And now you see
that the answer is different. So now it
invokes um cloud desktop invokes the
tool. So it from the prompt it
recognized that I want to get
information about if flows which were
developed by uh by myself and I want to
get some information about it. So it
will fetch information. It will look for
those which have been developed by me
and it will present I asked just some
attributes so that we are not flooded
with uh information. Um and here we go.
We have a list of flows per package in
couple of test packages which I created
in advance
which is good fine we can get it from
web UI as well. So now we come to the
second point. So we found if flows now
we want based on that understand if we
have any drift between design time and
runtime. So now what we do is we ask can
we see if there are can we identify if
there are any flows which have been
deployed to runtime but for which
versions differ from the design time
and there are some good cases so for
example it's a development or it's this
one is trial environment so we can
actively work on some flow and the
version at design time may be higher
than at runtime which is fine or
acceptable for development or trial
accounts it can be another version
uh that runtime artifact has higher
version than the design time artifact
and this is more boring and let's see I
created examples for both of them let's
see if cloud desktop will be able to
pick this up so we can see that it
recognized that the prompt asks for
runtime artifacts so now at first it
looked for integration packages and
integration flows design time now it
tries to fetch information about runtime
And here we go. So there were some ifs
which exist in design time. I haven't
deployed them to runtime. There are some
ifs which were deployed and the versions
are the same and a couple of flows which
I deliberately drifted between design
time and runtime. So one option is where
one flow is where design time version is
higher than runtime which is as I said
acceptable for development environments.
The other one is boring where design
time is lower the runtime. This means
that we deployed something to the
runtime which is not yet known at design
time or we uh confused versions uh for
some reason we overritten the version at
design time with a lower version. So
this is how we quickly were able to spot
that there is something uh which uh
which can be identified as a drift and
we can think of some other prompts some
other use cases uh where we can use it.
So we can analyze the tenant, we can uh
we can compare uh uh and so on and so on
and we can build up we can enhance those
tools as far as we have the way to
programmatically extract this
information from the CPI tenant we can
enhance it. Technically we can create
tool which also will update something in
the CPI tenant.
That's the demo for the cloud desktop
and this is where we used the tool. Now
what we will use is uh I will I will
open another tool uh clo code
and using the same MCP server. So I will
that one is my great helper for
development. So I really like cloud code
uh for to help me with development
activities and what it has it also has
sub agents uh concept and to prepare for
this demo I created two agents our small
guests which are also on this session uh
which will help us to demonstrate how we
can embed the use of MCP server into the
agentic flow. So what we have is let me
just quickly show you. So we have uh two
sub agents which I created. The first
one is CPI collector. So this one uses
the MCP server which we have just seen
uh in cloud desktop connected to the
cloud desktop. So it knows how to
extract data from the CPI tenant via the
MCP server but it's not opinionated
about is this data compliant. So uh is
configuration compliant or not? So it
knows how to extract data now how not
how to do something with this data how
to assess the quality of this data and
we have CPI reviewer sub agent it
doesn't know how to extract data how to
fetch data from CPI but what it knows it
knows some best practices um standards
guidelines so it can review that content
for example integration packages and it
can provide a view about whether it's
compliant with the guidelines or whether
it's not in the real life These sub
agents could have been combined into
one. So maybe we could have had
something like CPI inspector which does
both. But for in sake of this demo I wanted
wanted
uh to split them into two so that we can
see how these agents how we can make
this agentic flow more uh interactive so
that we have couple of agents and we
talk to them. Another uh disclaimer here
is I don't use for for the sake of this
demo I don't use the orchetrator agent.
uh so that we don't have a single agent
that orchestrates invocations of other
sub agents here I will do it manually
just to show what is the actual
communication flow that we have so
technically we could have built an
orchestrator agent and then whatever
happens under the hood will be
transparent for us as a user so what we
will do is firstly uh
firstly let me ask the collector uh sub
agent to extract information about
integration packages is so what it does
under the hood is it invokes the MCP
server and here I also use local comm
connection. So what we will see is uh we
have another uh docker container which
was created one was created because of
cloud desktop using MCP server and
another one was created by cloud code.
So now cloud code uh via the MCP server
or sub agent of cloud code uh accesses
CPI tenant fetches the data and in a few
seconds we shall see the output. Yeah,
here we go. So it found MCP server
provided via the tool uh information
about packages which are out there. So
we have 10 packages which are
prepackaged content and we have two
custom packages. And now what we want to
do is we want to check whether they are
compliant with the naming conventions as
an example. So what we will do is we
will take we will ask the reviewers at
agent can you have a look in the
integration packages and highlight those
which do not comply with our standards.
uh when I say our standards what I did
is I uh used SAP um naming con uh those
uh naming conventions for CPI uh
integration packages which you can find
in SAP help and I created uh the agent
uh with awareness of those standards. So
both agents uh they uh the way how they
were designed is each of them is uh is
created as a markdown file and in the
markdown file we define what the agent
specializ sub aent specializes in what
kind of uh checks it has to do what kind
of actions it has to do and so on and so
on and for example for CPI collector uh
we also instructed of which tools it can
invoke in the MCP server so that for
example reviewer cannot access MCP
server It's very restricted. It doesn't
have access to uh external tools. U the
collector has reviewer only can assess
the information which is fed to it. So
now the reviewer does not make a call
because a reviewer is not allowed to
make um MCP tool calls. It acts on the
data which uh collector sub agent provided.
provided.
And here we go. This is the outcome of
the reviewer. So we see that um it
completed it. It highlighted that there
are no issues with the names for CPA
standard content for standard packages
but what it says is test package A and
test package B are not good idea for for
integration packages. Uh so really uh
this is just for demo piece but it's not
something that we would like to see in
production environment and it provided
some other recommendations about what we
shall consider um to refactor those
names and what is considered to be a
good uh practice. Again those best
practices they are referenced in the sub
agent definition and they are based uh
on SAP um recommendations.
So this is another example where we have
MCP server plugged in into the agentic
flow with segregational duties. So
different sub aents they are allowed
only to access some um some functionalities.
functionalities.
>> Vim I I want to ask a quick question
here just because I see missing company
prefix there and and you have that
identifier VKLM. Did you define that within
within
how how did it generate that VKLM? Did
you define it somehow? No. Uh this one
it was uh generated by uh the sub agent.
Uh so in the sub agent definition what
it says is that uh the naming convention
for the integration package optionally
can be prefixed with a company prefix uh
which can be of three four letters uh
length. But uh that that's a very good
question. So let me
u um B agents human
human
that's the definition of the agent and
it's very basic so it it's not
comprehensive in sense that I didn't
modularize it so I didn't externalize
naming conventions which which would
have been a good practice uh for real
life use but in here there is naming
conventions section this part uh which
is based on SAP help documentation And
this is where you can see uh what the
sub agent considers as a good naming
convention. And then it's uh it says
that optionally we can have uh uh prefix
and some others which are mandatory
elements of the um uh integration
package name. So are the examples is
something that the sub agent created and
produced in the output on top of of
instructions and conventions that it was
told to follow or it was told to review
and uh to assess
>> is I just find it so interesting that it
actually end up suggesting V KLM you
know uh like it it knows you
but it's it's so interesting I don't
know and and in the response sounds like
it was consistent everywhere where it
was uh defining that company identifier.
So yeah that that's very interesting. Sorry
Sorry
>> it's uh you know for some some of them
we can put examples like it's in here
but for some others it was either
creative or it hallucinated in the way
that uh resonated with the context very
well. So yeah,
>> I'm not sure which which of these I'm
more leaning towards, but uh you see
that part of the output was truly uh the
creativity of the sub agent and the LLM
uh that was used uh behind the scenes uh
for that. Um I will close this part. So
that's that's another example where you
can see and if I rerun it, it's probable
that it will create some other examples
or it will rephrase. So it will still
stick to the naming conventions that we
defined or constraints that we defined.
uh but given that it's nondeterministic
output then u each each next run may
produce slightly different uh output
although the overall um idea shall
remain the same and the more precise we
can define the sub aent the more
accurate it will produce the output and
this is where I will not uh drift from
our main topic but when we develop sub
aents we can really modularize them we
can have some uh corporate naming
corporate guidelines We can have
industry standard guidelines or
guidelines specific to the particular
area like for example for groovy
development or JavaScript development.
And then we can let the sub agent know
in which files to look for specific uh
or in which destinations to look for
specific parts of those uh constraints
or guidelines so that we can really uh
make it modular and reusable and we can
reuse some assets which we already have
in the organization. For example, if we
have guidelines and if we use them in
other tools, we can also reuse them in
the sub agent. So that sub sub aent will
So that was the example how we could
plug this in into the aentic flow and uh
this was still the local execution. What
we will do now is we will do the similar
thing but remotely. So another option is
we can run
uh the MCP server remotely. So what I
will do for this is firstly I will make
sure that we stopped everything and the
docker engine is clean all good and now
in the configuration
uh in here I will just change it from
local stdio to http. So now we can start
now it's not the uh cloud desktop or
cloud code that will start it for us
automatically but we have to start it
manually and for this one I will use um
since it's running in docker so I will
so now it's in http mode and we shall
see that now the new container was
started and now it's uh listening on
8080 port
which is okay. So we have the still it
runs on local machine. Hypothetically I
could have started it somewhere else
remotely in some other service. Uh now
we want to access it. So I will not
access it directly from the local
machine. I will expose it to the public
internet so that we can see that uh this
service could have been run uh
elsewhere. And for this one what I will
do is
let me just open it
in here.
I will use nro for that. Uh so that I
have the tunnel just for demonstration
purposes. So that I have the tunnel that
will expose the public endpoint for the
locally run HTTP server which is our MCP
server. So I started the container with
MCP server. listens on on the port
locally but it's not yet exposed to the
internet. So what I do is
I run the tunnel. So now we shall see it
in the browser as well.
Let me refresh it.
Here we go. So the end point now this
endpoint it's publicly accessible. So
now we can call it from the internet
from the outside and we can also see it
from here. So what we will do is now we
will add it to CL desktop just rather
than add it adding it in here I will
remove the part that is about local
connection so that we go to square one
and let me start
started.
You can see that we don't have CPI tool anymore
CPMCP server and tools uh that it
exposes. They are not there anymore. So
now we will go to connectors at custom
connector. And now we will add
/ MCP. We will add the link uh where the
MCP server uh is accessible. And this
link as I said it's accessible over the
public internet. So it could have been
run elsewhere. We added
oh sorry my bad link in here and I will
put CPI as the name of the server in here.
Done. So now it's connected.
What we can do now is we go to new chat.
We see that CPI
now it's not local CPI but it's the MCP
server that runs even though it runs
remotely
like demo some problems let's see what happens
happens
uh let me activate for example get
let me see if I can succeed with
So now you see that it now accesses
again the MCP server.
Yeah. So it was successful. So now it
was the from cloud desktop perspective
it accessed the MCP server via the
public internet. So it doesn't know that
it runs locally and it was already up
and running by the time we started cloud
desktop. So cloud desktop connected to
the existing remote MCP server in here
and we see that it was successful in
fetching information about all the 12 uh
packages um in the tenant. That's
example how we can access it remotely.
That's it for this part. Let me stop it
So we saw how we could uh spin it up and
run it locally and we saw how we can
access remote MCT service which is
great. We have quite a lot of new tools
in our toolbox.
But uh now we come to the challenges and
considerations part. So MCP server is
great but it comes with its own um other
side of the coin and I will start from
those which are more governance and uh
monitoring aspects. So those which are
related to the life cycle management. I
will not go into each of them but we'll
just uh talk about them in big blobs. So
we have the discovery aspect. It works
well when we have just a few u MCP
servers. But if you think we can run
tens or hundreds of MCP servers and we
could could also have access to remote
ones, then the existence of MCP registry
becomes quite critical
uh somewhat similar to the API developer
portal. So something where we can
discover and we can have uh a registry
of those MCP servers which exist and uh
we can have some mechanisms to audit
that and we also have to have the
mechanism for active discovery for those
so that we can discover hidden gems MCP
servers that run in the infrastructure
but for some reason are not registered
in the MCP registry deployment aspect.
So we have to decide where we run, how
that infrastructure is secure, how it's
scaled, how we manage secrets and so on
and overall monitoring. So it's very
critical that especially for production
environments uh uh we need to track
which tools of which MCP service were
invoked by which agents and uh execute
uh and monitor execution of those tools.
We have to keep track of resource
consumption and anomaly detection. For
example, if there was any spike in the
call of some tool or unusual activity
related to some arguments passed to some
tool or maybe a consequence or sequence
of tools execution, some chaining of
tool executions that is not uh normal
for the use case.
The next one is performance and that's
not only about the technical performance
to a large extent that's also about the
performance of and accuracy of responses
that we can get. So the first big
challenge is that a model can be
confused if there are too many tools. So
it's uh tool overload situation
especially if tools have similar names.
So for example we have a tool called get
order in one MCP server and we have get
order in the other MCP server. just one
tool is about sales order and another
one is about uh purchase order. So if
the description and examples are not
accurate enough or absent uh that the
model may get confused about which tool
to use or which arguments to pass to
that tool. Uh that's a reason why in my
demo I was specific about that was one
of reasons uh why in the demo I selected
specific tools that I wanted to use and
not all tools uh from the MCP server.
The other one is context distraction.
That's about so-called uh destruction
syndrome. So if we bring a lot of data
in the context and effectively responses
from MCP tools, they are brought into
the context of of the model. Uh if the
context is cluttered, for example, we
have a lot of data which is irrelevant.
So we don't need it, but for some reason
it's contained in the response of the
tool, it may be confusing for the model.
And as far as we progress with our
conversation and we may invoke other
tools and they bring other information
into the context uh the context may
start drifting from the original uh uh
road and then we the response quality of
of the agent and of the model uh will degrade
degrade
and as a result it may be inconsistent
and we may see more and more hallucinations.
hallucinations.
Then the next one is probably technical.
It's about window overflow. So each
model even modern models who have large
context windows they still are limited
and depending on what kind of format we
use even what kind of language we use.
Uh we uh can have a penalty which is
called token text uh token text which
sometimes is related to some human
languages which are more talkative. So
they require more boards uh and which
require more tokens uh from the model uh
to interpret them. Uh sometimes it's
about the format. So for example, as you
know XML is more verbose format and it
will require more tokens commonly than
JSON. And this is where we can think
about which format we would like to use
when we bring it into the model. um and
truncation risk um uh so if the model
exhausts its uh context window because
we brought a lot of data into context
window for example we were interested
just in the package ID and version and
author but we inh we brought into the
context all attributes available for the
integration package and rather than
searching for specific couple of
packages we fetched all packages which
are available in CPI tenant and then
started to filter them uh in in in the
context so um the context uh can be
become exhausted and model may start
truncating uh the old content as a
result again we may have inaccurate responses
responses
and backend overload so if MCP server
doesn't implement any throttling we have
a risk that uh um the amount of
invocations of tools or the way how
tools are invoked uh may result quite
severe resource drain on the back end up
to the national service.
And the third section which is the most
concerning uh to to many people is
security. You see there are a lot and
lot of security threats and vectors of
attack in here that we must consider uh
before we um onboard MCP servers
especially if they are related to
production data to sensitive data and so
on. uh a huge section is about tools
integrity. This is where we have a
plethora of different ways how we can
compromise MCT tools. The most common is
tool poisoning. So we can infuse some um
bad instructions for example in the
description of the tool and so on and
then the LLM model will be confused with
that and it will try to execute actions
which it's not supposed to execute with
the normal conditions with the normal
operations of the tool. Then we have
examples of tool squing and tool
impersonation and rockpulls. These are
generally related uh to the situations
where we either introduce bad actor MCP
server bad actor MCP tools. So tools are
named similarly to u root tools but
those tools they implement some bad act
logic and those tools may be invoked by
uh the LLM. Uh if those MCP servers are
connected or rock pools when we trust
some MCP server and you could probably
see that in one of screens in cloud
desktop it asked me to explicitly allow
invocation of the pool. Quite commonly
users will click uh click allow um not
once but always allow so so that they
are not bothered about repeating the
step next time and then the tool may be
replaced uh or the MCP server may be
replaced by the bad actor with wrong uh
with a bad implementation
and then the user the system trusts that
tool and invokes the code and invokes
instructions uh which are now malicious
or cross tool contamination. That's
another vector of attack which is quite
popular where this where tool poisoning
in one tool can impact the other tool
not only in this MCP server but in other
MCP servers because when the agent
starts uh it discovers all tools
available. For example, we have five 10
MCP servers connected and we have the
11th one which is poisonous MCP server
which has uh poisonous tools with bad
actor descriptions and which can
contaminate activities that uh good MCP
servers good tools execute. So for
example uh in one of those tools the
description can say that for all tool
executions LLM needs to send data
somewhere or to execute something else.
Then we have context integrity that's
about prompt ejection and context
poisoning. So this is where not only the
tool description or tool data uh can be
brought into the context which is
malicious but also uh for example
responses of MCP server data sources
they can be poisonous. As an example the
MCP server may invoke API which brings
back some data and some of those data
records are poisoned. So they contain
hidden instructions
that LLM will interpret and will try to execute.
execute.
Um and then we have context clashes and
as a result hallucinations.
Another big thing is data leakage
because MCP servers they become quite
powerful tool but also quite a powerful
way to exfiltrate data to extract data
from data sources and potentially leak
it uh to the bad actor. We have a lot of
questions about identity and access
control. So this is where we talk about
how we can access the MCP server. So
whether the access to MCP server itself
is protected and how we manage uh
authentication and authorization between
MCP server and the back end. Do we use
principal propagation? Do we use some
impersonated uh uh tokens, API keys or
maybe client ID, client secrets? So how
safe they are and how overexposed they
are to the consumer
uh and how we manage those secrets.
Privilege escalation sandbox escape
that's one of reasons why I executed the
MCP server in the docker container not
just as a binary on my host because uh
that's another vector of attack where
the MCP server may be used to execute
something for example on the host which
is malicious. So generally it's called
sandbox escape where the application is
instructed or tries actively tries to
execute activities which is which it's
not intended uh to do network
communication insecure connections. So
my example is MCP server was started as
HTTP using HTTP on the local machine. So
it exposed HTTP endpoint which is not
secure protocol. We did wrapping into
HTTPS when we created the tunnel with
the help of MRO. So when somebody
accessed it uh for example cloud desktop
access it from the public internet it
accessed via HTTP but we can see MCP
servers that use HTTP um HTTP and may
expose HTTP to the internet combined
with the risk of being insecure from
authentication perspective. So
unauthenticated access and combined with
the access to some private data this may
be a really dangerous uh combat. And the
last one that I could think about is
resource abuse. And here I'm not talking
about the targeted denial of service. So
the bad actor, malicious actor may
intentionally try to use MCT server as
the proxy to uh to bring the back end to
the dural of service state for example
by invoking the tool too many times or
provoking the tool to make too many
calls to the back end. But also another
attack which is more financial uh angle
which is called denial of wallet. So now
a lot of backend resources live in the
cloud and deployed in the cloud. MCP
servers themselves can can run in the
cloud as well. So those are like
microservices. Um uh and
even though we may not struggle with
technical performance the cost of that
uh attack may be quite high. So we can
drain cost or we can increase spike
costs because of too intense use of MCP
server or two too intense use of the
back end when the MCP server calls it.
So the n of wallet is also another
growing vector of attack and MCP servers
unfortunately they are also vulnerable
may be vulnerable for that. So now when
we talked about security about the
challenges we also had some ways to
mitigate them. The first one is think of
MCP server as a lightweight layer
between your AI application and your
back end or data source. So it has to be
light. We do not we are not expected to
implement complex logic in there. The
second one is we have quite a number of
really powerful generators that can
produce MCP service tools for them on
top of existing APIs. We can take rest
API, scope API and generate MCQ server
on top of it. There are a lot of use
cases where it's valid and it's very
helpful. But also think of those
challenges we talked about like uh
context clustering and so on. Um think
what are use cases for that tool in MCP
server and what data is required from
the MCP tool. So is it really the
entirety of data that rest API response
or we need to make some truncation some
aggregation also
when we talk about rest APIs they are
mostly resourcecentric and nowadays
quite a lot of MCP servers they create
tools out of those resources but think
about resource primitive so that's more
relevant even though the challenge that
not all MCP clients support resources
and consequently it's commonly required
to create a pool not a resource primit
primitive for uh backed rest APIs and
now our focus is not only on the prompt
but also on context engineering. You
have seen from the challenges that a lot of challenges are related to how we can
of challenges are related to how we can compromise uh how we can poison context
compromise uh how we can poison context that becomes quite or how we can
that becomes quite or how we can overload context.
overload context. So that all brings us to the challenge
So that all brings us to the challenge that we need to think about how
that we need to think about how responses of MCP tools are created in
responses of MCP tools are created in terms of number of records filters uh
terms of number of records filters uh fields which are returned even formats
fields which are returned even formats which changed
which changed um and we have some optimization
um and we have some optimization techniques. So we can have map produce
techniques. So we can have map produce technique or chunking so that for
technique or chunking so that for example we can run some operations in
example we can run some operations in parallel and use multiple contexts
parallel and use multiple contexts rather than a single context and then uh
rather than a single context and then uh pre-calculate and aggregate those
pre-calculate and aggregate those results in the main context. The good
results in the main context. The good example is when we use different um sub
example is when we use different um sub aents
aents uh and next one we come to a lot of
uh and next one we come to a lot of considerations about security. So I
considerations about security. So I spent lots of time talking about
spent lots of time talking about challenges. We also have mitigation
challenges. We also have mitigation points. The first and very critical one
points. The first and very critical one is something that is called little uh
is something that is called little uh trifecta. So that's the term that was
trifecta. So that's the term that was introduced to collectal collectively
introduced to collectal collectively refer to the threat when the tool or the
refer to the threat when the tool or the agent MCP server in our case as well has
agent MCP server in our case as well has access to private data for example
access to private data for example access to CPA tenant. It's exposed to
access to CPA tenant. It's exposed to untrusted content. We don't have control
untrusted content. We don't have control over data in the data source for example
over data in the data source for example and ability to externally communicate
and ability to externally communicate for example not only we have the MCP
for example not only we have the MCP server to fetch data from the CPI tenant
server to fetch data from the CPI tenant but we also have the tool uh from
but we also have the tool uh from another MCP server or from the
another MCP server or from the capability of the AI agent to send
capability of the AI agent to send emails to invoke some operating system
emails to invoke some operating system comments or to persist data in files in
comments or to persist data in files in some external storage. So this uh uh
some external storage. So this uh uh trio becomes quite dangerous and our
trio becomes quite dangerous and our intention must be to see how we can
intention must be to see how we can break this trio. So how we can make sure
break this trio. So how we can make sure that one of these uh elements of the
that one of these uh elements of the triangle is not present and is uh or is
triangle is not present and is uh or is controlled
controlled multi- aent systems. Another way how we
multi- aent systems. Another way how we can mitigate the risk so that we don't
can mitigate the risk so that we don't bring everything to one context. So we
bring everything to one context. So we have proper segregation of duties
have proper segregation of duties between agents which agent is allowed to
between agents which agent is allowed to call which tools and uh uh operations
call which tools and uh uh operations and we have the whole uh uh element of
and we have the whole uh uh element of guardrails. So there are frameworks for
guardrails. So there are frameworks for that where we can sanitize inputs and
that where we can sanitize inputs and outputs from the model. So we can be
outputs from the model. So we can be more accurate about which data comes
more accurate about which data comes into the model as a result of calling
into the model as a result of calling MCP tool. We can have some filters and
MCP tool. We can have some filters and what is produced by the model before it
what is produced by the model before it reaches the agent
reaches the agent in here. It's also critical to think
in here. It's also critical to think about instruction hierarchy. So we can
about instruction hierarchy. So we can have some instructions in the system
have some instructions in the system prompt. Some instructions come from the
prompt. Some instructions come from the user in the user prompt. We can have
user in the user prompt. We can have instructions which are embedded in tool
instructions which are embedded in tool descriptions, tool implementations or
descriptions, tool implementations or poisonous data in the data source which
poisonous data in the data source which may also have hidden instructions. um if
may also have hidden instructions. um if they all were executed with the same
they all were executed with the same privilege it would be really a danger
privilege it would be really a danger and to address that danger um modern
and to address that danger um modern LLMs they have the concept of
LLMs they have the concept of instruction character so they have
instruction character so they have different trust levels to instructions
different trust levels to instructions coming from different layers for example
coming from different layers for example the most untrust one of the most
the most untrust one of the most untrusted layers is data that we extract
untrusted layers is data that we extract from the data source because we can have
from the data source because we can have lots of data there and potentially
lots of data there and potentially poisonous so instruction in there shall
poisonous so instruction in there shall not override for example system
not override for example system instruction of the LLM which has the
instruction of the LLM which has the highest privilege or the instruction of
highest privilege or the instruction of the tool which has lower privilege than
the tool which has lower privilege than the system instruction in the LLM but
the system instruction in the LLM but has high in privilege than uh uh the
has high in privilege than uh uh the instruction contained in the tool
instruction contained in the tool response and for critical ones always
response and for critical ones always put human in the middle so that human
put human in the middle so that human has to take active action to approve
has to take active action to approve those things. So security first approach
those things. So security first approach is very critical in here. As I
is very critical in here. As I mentioned, authentication and
mentioned, authentication and authorization mechanisms, how we access
authorization mechanisms, how we access MCP and how MCP server accesses uh the
MCP and how MCP server accesses uh the back end, they are critical. And for
back end, they are critical. And for this one, there is the whole section in
this one, there is the whole section in MCP specification which talks about the
MCP specification which talks about the use of extended or
use of extended or uh which talks about the use of dynamic
uh which talks about the use of dynamic client registration
client registration and observability which I also mentioned
and observability which I also mentioned uh makes u uh makes importance in here.
uh makes u uh makes importance in here. Um as the ecosystem grows now the
Um as the ecosystem grows now the critical uh the uh the criticality of
critical uh the uh the criticality of existence of registries and gateways for
existence of registries and gateways for MCPs similarly to what we have for APIs
MCPs similarly to what we have for APIs grows as well and there are different
grows as well and there are different vendors which already offer the
vendors which already offer the solutions. So some of them are registry
solutions. So some of them are registry solutions to actively discover agent uh
solutions to actively discover agent uh to register MCP servers to be able to
to register MCP servers to be able to discover available tools and to document
discover available tools and to document them. Some others are gateways to
them. Some others are gateways to enforce some policies uh before the
enforce some policies uh before the tools are invoked. So you can have I
tools are invoked. So you can have I just put a few examples in here and
just put a few examples in here and watch the space because for SAP
watch the space because for SAP integration suite there is a road map
integration suite there is a road map item for API management for the next
item for API management for the next year where we shall have uh a feature
year where we shall have uh a feature related to MCP to MCP server generation.
related to MCP to MCP server generation. watch the space uh uh SEP integration
watch the space uh uh SEP integration suite also progresses in in that
suite also progresses in in that direction
direction and um as a conclusion for
and um as a conclusion for considerations you you may have noticed
considerations you you may have noticed that MCP server is yet another microser
that MCP server is yet another microser a lot of good practices and tooling that
a lot of good practices and tooling that we use for microservices observability
we use for microservices observability monitoring security
monitoring security uh administration uh it's all relevant
uh administration uh it's all relevant to a large extent is relevant in here as
to a large extent is relevant in here as well. So if the organization already has
well. So if the organization already has some proven techniques for microservices
some proven techniques for microservices uh administration uh just reuse them in
uh administration uh just reuse them in here they are quite handy.
here they are quite handy. That is from my side and
That is from my side and as a conclusion I would like to just to
as a conclusion I would like to just to reiterate once again that hopefully uh
reiterate once again that hopefully uh you saw uh from this presentation from
you saw uh from this presentation from other materials or uh that MCP really
other materials or uh that MCP really helps to streamline AI to data
helps to streamline AI to data integration. So it really helps us to
integration. So it really helps us to bring data from external data sources
bring data from external data sources into the context of LLMs and to expand
into the context of LLMs and to expand the knowledge of LLM with real uh data
the knowledge of LLM with real uh data with internal data. But there is always
with internal data. But there is always but there are also quite a lot of
but there are also quite a lot of challenges. These challenges a lot of
challenges. These challenges a lot of them they are not MCP specific. lot of
them they are not MCP specific. lot of challenges that we discussed in
challenges that we discussed in performance space in uh life cycle uh
performance space in uh life cycle uh management space especially in security
management space especially in security space they are by no means unique to MCP
space they are by no means unique to MCP but MCP and the more intensively MCP
but MCP and the more intensively MCP service and MCP technology is used it
service and MCP technology is used it amplifies those risks and it introduces
amplifies those risks and it introduces a new ways how we can exploit
a new ways how we can exploit those risks
from my side >> also Awesome. Awesome. Uh thank you very
>> also Awesome. Awesome. Uh thank you very much um for for your presentation with
much um for for your presentation with him. Uh there was uh uh some interaction
him. Uh there was uh uh some interaction in the chat. Uh some some of the
in the chat. Uh some some of the questions I was able to answer. There
questions I was able to answer. There were some positive comments of well as
were some positive comments of well as well obviously like a very interesting
well obviously like a very interesting CPI use case uh that you could have used
CPI use case uh that you could have used uh API management and cloud connector to
uh API management and cloud connector to expose an internal host uh to public
expose an internal host uh to public internet instead of uh enrock. Uh yeah
internet instead of uh enrock. Uh yeah that's true. It's also possible. You can
that's true. It's also possible. You can do so much with the MCB server lately,
do so much with the MCB server lately, right? uh and yeah there's I guess
right? uh and yeah there's I guess there's so much potential uh regarding
there's so much potential uh regarding regarding the functionality that for
regarding the functionality that for example you can extend in an LLM uh by
example you can extend in an LLM uh by leveraging um
leveraging um uh MCP service right uh now
uh MCP service right uh now and this is um this is not a question
and this is um this is not a question from the audience but it's just my
from the audience but it's just my curiosity on uh on um on what your
curiosity on uh on um on what your thoughts are about the following. So we
thoughts are about the following. So we in in the examples that he show right
in in the examples that he show right it's like we are using
it's like we are using cloud right uh from anthropic um and uh
cloud right uh from anthropic um and uh obviously it's the main proponent of uh
obviously it's the main proponent of uh the MCP uh of MCP right they created the
the MCP uh of MCP right they created the protocol as such um and uh and you also
protocol as such um and uh and you also touch on for example remote MCP servers
touch on for example remote MCP servers and lots of the problems uh that you
and lots of the problems uh that you highlighted which are all correct um uh
highlighted which are all correct um uh involve some type of remote activity. So
involve some type of remote activity. So I'm wondering what if we bring all of
I'm wondering what if we bring all of that local. So local host as in you
that local. So local host as in you running your MCP service, you using a
running your MCP service, you using a local LM which is sort of possible,
local LM which is sort of possible, right? Uh you can you obviously need a a
right? Uh you can you obviously need a a sort of beefy laptop, but nowadays it's
sort of beefy laptop, but nowadays it's like it is possible to actually run it
like it is possible to actually run it run all of these tools locally. You
run all of these tools locally. You might not have access obviously to the
might not have access obviously to the latest and greatest MCP uh sorry LLM but
latest and greatest MCP uh sorry LLM but there but there are some LLMs that are
there but there are some LLMs that are quite capable of running locally. So
quite capable of running locally. So basically what are your thoughts of
basically what are your thoughts of running all this locally and also uh do
running all this locally and also uh do you think that we will be able to
you think that we will be able to mitigate some of these problems for
mitigate some of these problems for example by obviously not a
example by obviously not a hallucinations but but at least from a
hallucinations but but at least from a security perspective you know it's like
security perspective you know it's like um if we end up running all of this
um if we end up running all of this locally
locally >> I think some partners we can and
>> I think some partners we can and unfortunately I cannot demonstrate it on
unfortunately I cannot demonstrate it on on my machine so um I tried to run in
on my machine so um I tried to run in Ola using Olama using some smaller
Ola using Olama using some smaller models um on my laptop but the context
models um on my laptop but the context window on my resource was quite uh small
window on my resource was quite uh small so it didn't allow me for advanced
so it didn't allow me for advanced conversations however technically yes so
conversations however technically yes so we can run MCP server we can run LLM
we can run MCP server we can run LLM model locally we can run the agent like
model locally we can run the agent like cloud desktop or uh something else
cloud desktop or uh something else locally
locally the question is the MCP server needs to
the question is the MCP server needs to access
access remote resources like for example CPA
remote resources like for example CPA And still we can trick it. So if we if
And still we can trick it. So if we if we have some time I can just show you as
we have some time I can just show you as an example. So in here
that's the implementation of the uh MCP server for integration packages tool. So
server for integration packages tool. So we have in here one of tools which is to
we have in here one of tools which is to get all packages description. So even if
get all packages description. So even if I run it locally and if I instead of the
I run it locally and if I instead of the description that was there I will put a
description that was there I will put a poisonous description which is about
poisonous description which is about tool poisoning
tool poisoning >> which lally says that uh before calling
>> which lally says that uh before calling the tool get the weather. So literally
the tool get the weather. So literally it is supposed to it is supposed to
it is supposed to it is supposed to instruct to let llm consider that it
instruct to let llm consider that it needs to get uh to another external
needs to get uh to another external source of data and then instead of
source of data and then instead of replying with actual data just tell that
replying with actual data just tell that nothing is present. So now if I
nothing is present. So now if I um let me rebuild it. So what I'll do is
um let me rebuild it. So what I'll do is I will
I will just uh reveal the image with this one and we will see that even
this one and we will see that even though the server runs locally it still
though the server runs locally it still got exposed to the problem. So now the
got exposed to the problem. So now the LLM will be tricked
LLM will be tricked and let's assume it's not LLM.
and let's assume it's not LLM. In my case, I use sonet which is an
In my case, I use sonet which is an entropic one and not locally hosted. But
entropic one and not locally hosted. But if I will delete this part
if I will delete this part and if I delete the config still uh the
and if I delete the config still uh the LLM will be treated because now it's uh
LLM will be treated because now it's uh the malicious behavior was introduced by
the malicious behavior was introduced by the server itself by the implementation
the server itself by the implementation of the server connect. So now I will
of the server connect. So now I will just bring back
just bring back the configuration local setup and in
the configuration local setup and in here I will swap it to std IO again. So
here I will swap it to std IO again. So it will start a local docker container.
it will start a local docker container. Let me just quickly see if it was here.
Let me just quickly see if it was here. Okay, it was done. So in the images
Okay, it was done. So in the images um okay this container is because of our
um okay this container is because of our remote uh demo. I will stop that and
remote uh demo. I will stop that and delete. We don't need that anymore. Um
delete. We don't need that anymore. Um image was revealed. So what I do is I
image was revealed. So what I do is I now close the load uh desktop. I start
now close the load uh desktop. I start it again.
Let's imagine that LLM that I have a really powerful machine and that LLM is
really powerful machine and that LLM is not remote but is run locally. So for
not remote but is run locally. So for example, I instructed it to connect to
example, I instructed it to connect to locally run um LLM in via LM studio or
locally run um LLM in via LM studio or maybe via OAMA and let me see CPL picked
maybe via OAMA and let me see CPL picked it up. So I poisoned the get integration
it up. So I poisoned the get integration packages. I will use that input
packages. I will use that input explicitly
explicitly and you recall that in in the tool
and you recall that in in the tool description I instructed that we need to
description I instructed that we need to get weather and then to say that there
get weather and then to say that there is no data in the tenant because the the
is no data in the tenant because the the LLM must think that the data is too
LLM must think that the data is too sensitive to get exposed. You see London
sensitive to get exposed. You see London weather that call it wasn't present in
weather that call it wasn't present in the demo at the beginning of the session
the demo at the beginning of the session because it wasn't there and now uh the
because it wasn't there and now uh the tool was poisoned in the way could tweak
tool was poisoned in the way could tweak LLM think that it really need to get
LLM think that it really need to get weather from London because otherwise
weather from London because otherwise something will not work and even though
something will not work and even though packages data was retrieved by the tool
packages data was retrieved by the tool >> thought LLM concluded that well the tool
>> thought LLM concluded that well the tool description says that I'm not allowed to
description says that I'm not allowed to expose this information so I say that no
expose this information so I say that no integration packages were
integration packages were And that's the example. You see it was
And that's the example. You see it was very quick example. So I it didn't take
very quick example. So I it didn't take long time to to poison it. Uh it's
long time to to poison it. Uh it's in here it's quite visible. But on the
in here it's quite visible. But on the other hand if I go just go in here and
other hand if I go just go in here and if I go to some examples
smuggler. So there is the way how we can take this
So there is the way how we can take this instruction.
instruction. I'm I'm just copy copy pasting that
I'm I'm just copy copy pasting that instruction and we can set uh we can
instruction and we can set uh we can encode it to unprintable uh characters
encode it to unprintable uh characters in uni code. So now
in uni code. So now I go back to
I go back to I change this but
I change this but I say get integration packages.
I say get integration packages. But this time I also insert
But this time I also insert that one. I copy pasted it from the
that one. I copy pasted it from the smuggler. That's one of a text that can
smuggler. That's one of a text that can be used when the text is included in ask
be used when the text is included in ask characters which are not printable. They
characters which are not printable. They are still here but they are not
are still here but they are not printable. So they are not visible to us
printable. So they are not visible to us except that this icon because I used in
except that this icon because I used in the smuggler I selected so that end
the smuggler I selected so that end start and end step are still provided.
start and end step are still provided. So as a result some smart editors can
So as a result some smart editors can alert it but we don't see the text
alert it but we don't see the text anymore. How uh however LLM will will
anymore. How uh however LLM will will get it because LLM will be able to
get it because LLM will be able to decode it. It's still a sequence of as
decode it. It's still a sequence of as key characters.
key characters. Good news well shall I say good news is
Good news well shall I say good news is that still it's visible to us to some
that still it's visible to us to some extent. So if we go to hex editor and if
extent. So if we go to hex editor and if we search for description in here
we search for description in here [Music]
[Music] >> you see
>> you see >> yeah there is
>> yeah there is >> pl text in here
>> pl text in here >> in here it's not present oh well it's
>> in here it's not present oh well it's present sorry it's not it's present but
present sorry it's not it's present but it's not visible it's not printable to
it's not visible it's not printable to us but
us but >> if I look into here
>> if I look into here >> in description we have get integration
>> in description we have get integration packages but then we have whole lot of
packages but then we have whole lot of thing that is not visible in printable
thing that is not visible in printable range of as key characters but we have
range of as key characters but we have hex codes in here and if now I copy
hex codes in here and if now I copy paste it and decode it back to uni code
paste it and decode it back to uni code I will be able then for example using
I will be able then for example using the same website for asi smuggling or
the same website for asi smuggling or other tools uh I will be able to um
other tools uh I will be able to um create a sequence back from hex codes
create a sequence back from hex codes into asi characters which are
into asi characters which are nonprintable into what is the printable
nonprintable into what is the printable version of it so we definitely see from
version of it so we definitely see from here that there is something in the file
here that there is something in the file and we can decode
and we can decode But it's not visible not now anymore.
But it's not visible not now anymore. what the visible part is quite innocent
what the visible part is quite innocent but with integration packages and that's
but with integration packages and that's the example where I was quite quick to
the example where I was quite quick to poison the tools
poison the tools >> in here to instruct the LLM firstly uh n
>> in here to instruct the LLM firstly uh n react to content it faced from the tool
react to content it faced from the tool faced from CPI and also to get access or
faced from CPI and also to get access or to try to get access to the external
to try to get access to the external resource like to check the where the
resource like to check the where the focus
focus >> um and still the MCP server was running
>> um and still the MCP server was running locally.
locally. >> Yeah. No, that that is very true like uh
>> Yeah. No, that that is very true like uh that that's a very good example. Marin
that that's a very good example. Marin says so LLM needs to inspect the MCP
says so LLM needs to inspect the MCP servers first to check for malicious
servers first to check for malicious code. uh but you know so in the end like
code. uh but you know so in the end like at least the way that I see for example
at least the way that I see for example this FCP servers for example this like
this FCP servers for example this like you end up uh downloading it locally and
you end up uh downloading it locally and running it locally then it's similar to
running it locally then it's similar to for example any let's say node package
for example any let's say node package that you end up uh installing for
that you end up uh installing for example for your project right like in
example for your project right like in the end you sort of in reality not not
the end you sort of in reality not not that we do uh uh it's not just an npm
that we do uh uh it's not just an npm install x but you also need to be aware
install x but you also need to be aware of what's in that package right so this
of what's in that package right so this will be the similar approach, right?
will be the similar approach, right? Yeah.
Yeah. >> Cool.
>> Cool. >> Think of supplying chain risks. So, will
>> Think of supplying chain risks. So, will we trust the vendor? So, what is inside
we trust the vendor? So, what is inside especially if it's compiled or for
especially if it's compiled or for example there is a docker image which
example there is a docker image which was shipped and we need to know what is
was shipped and we need to know what is inside of that docker image or and if
inside of that docker image or and if it's compiled binary that what actually
it's compiled binary that what actually it does it have any malicious
it does it have any malicious instructions or some poisoned tool
instructions or some poisoned tool descriptions. The the challenge here is
descriptions. The the challenge here is that when the AI agent starts and when
that when the AI agent starts and when the information about tools is loaded uh
the information about tools is loaded uh into LLM context, it's the descriptions
into LLM context, it's the descriptions as well that are loaded. So it become a
as well that are loaded. So it become a they become a part of the context. So
they become a part of the context. So they are not stored separately. They
they are not stored separately. They become a part of the context. So if I go
become a part of the context. So if I go in here and if I just start let me start
in here and if I just start let me start float again.
started. So if I go to context, um it's pretty much empty or not empty but
it's pretty much empty or not empty but it's very small amount of data in here.
it's very small amount of data in here. But if I would have invoked some uh data
But if I would have invoked some uh data through the MCP tool, we would see more
through the MCP tool, we would see more messages coming from here. Even now we
messages coming from here. Even now we see that the context there are some
see that the context there are some system prompts but also there are this
system prompts but also there are this one uh MCP tools.
one uh MCP tools. >> Yeah. So you see this part it's already
>> Yeah. So you see this part it's already sitting uh it already sits in the
sitting uh it already sits in the context and MCP tools here is not only
context and MCP tools here is not only about the name of the tool and MCP
about the name of the tool and MCP server that provides that as a part of
server that provides that as a part of startup as a discovery of which tools
startup as a discovery of which tools can be used but also things like tool
can be used but also things like tool description it also becomes a part of
description it also becomes a part of the it gets added to the context so that
the it gets added to the context so that LLM it's done for a good reason because
LLM it's done for a good reason because um an MCP tool descriptions can be
um an MCP tool descriptions can be descriptive enough to help LLM better
descriptive enough to help LLM better understand whether it needs to call this
understand whether it needs to call this tool or not in certain use cases and it
tool or not in certain use cases and it can contain some examples uh for MCP
can contain some examples uh for MCP tools usage uh so that LLM can better
tools usage uh so that LLM can better understand how when to call the tool and
understand how when to call the tool and how to call the tool but as an example
how to call the tool but as an example that I provided here tool poisoning
that I provided here tool poisoning quite often vector of attack is we can
quite often vector of attack is we can poison the description of the tool
poison the description of the tool >> very
>> very >> even though server runs locally
>> even though server runs locally >> already poisoned so already we are in
>> already poisoned so already we are in the trouble mode
the trouble mode >> yeah uh yeah that's true okay well you
>> yeah uh yeah that's true okay well you I'm conscious of time and we run past 20
I'm conscious of time and we run past 20 minutes. So uh thank you very much for
minutes. So uh thank you very much for well you know what sharing all your
well you know what sharing all your expertise as part of uh this session. It
expertise as part of uh this session. It was fantastic honestly. Uh and would you
was fantastic honestly. Uh and would you mind just
mind just >> just one last moment we where you we may
>> just one last moment we where you we may find some examples. So recently and last
find some examples. So recently and last week entropic released entropic agent
week entropic released entropic agent skills. It's a separate area. I will not
skills. It's a separate area. I will not talk about it now. It's very useful
talk about it now. It's very useful interesting area but in the repository
interesting area but in the repository for entropic skills there is one skill
for entropic skills there is one skill which is MCP builder and in the
which is MCP builder and in the reference documentation entropic
reference documentation entropic published MCP best practices. So that's
published MCP best practices. So that's intended for LLMs for auto generation of
intended for LLMs for auto generation of MCP servers but some things that we
MCP servers but some things that we discussed including some security things
discussed including some security things you can really get it in here. It's it's
you can really get it in here. It's it's it's condensed format but it provides
it's condensed format but it provides quite a lot of aspects also security
quite a lot of aspects also security related how a good MCP uh server shall
related how a good MCP uh server shall look like from entropic perspective. So
look like from entropic perspective. So sorry for for getting into that's the
sorry for for getting into that's the last bit of information that I wanted to
last bit of information that I wanted to show just as a reference uh document
show just as a reference uh document that's another source where we can read
that's another source where we can read more about guidelines for MCP server
more about guidelines for MCP server development and also about security
development and also about security aspects.
aspects. Okay, actually that's uh that wasn't uh
Okay, actually that's uh that wasn't uh under my radar, so I'm just trying to
under my radar, so I'm just trying to get to the URL so I can end up sharing
get to the URL so I can end up sharing it with everyone on the chat. Uh that
it with everyone on the chat. Uh that was quite good. Uh thank you very much
was quite good. Uh thank you very much uh for sharing this uh and I just put it
uh for sharing this uh and I just put it uh on the chat. Um War if you use MPX
uh on the chat. Um War if you use MPX config in MCP config for your ID this
config in MCP config for your ID this update automatically. So another thing
update automatically. So another thing that could go wrong. Yeah, there are
that could go wrong. Yeah, there are many things that can go wrong here like
many things that can go wrong here like uh we need to be aware of uh of all of
uh we need to be aware of uh of all of them. So yes uh well thank you very much
them. So yes uh well thank you very much Vim. It was great uh another great
Vim. It was great uh another great session part of the tour as well. So
session part of the tour as well. So thank you very much for delivering it.
thank you very much for delivering it. Um and uh I want to also thank uh the
Um and uh I want to also thank uh the viewer for staying us uh for a bit
viewer for staying us uh for a bit longer. Uh but it was just an
longer. Uh but it was just an interesting session. So yeah I hope you
interesting session. So yeah I hope you all enjoyed as much uh as um as I did. I
all enjoyed as much uh as um as I did. I I learned a lot. So it's great. It's all
I learned a lot. So it's great. It's all about learning as part of the to right.
about learning as part of the to right. So thank you and um really thankful
So thank you and um really thankful Antonio really thank you and sorry for
Antonio really thank you and sorry for taking extra extra time on the session
taking extra extra time on the session but I'm really thankful that you posted
but I'm really thankful that you posted the session and all other sessions
the session and all other sessions >> and it's it's an honor for me to wrap up
>> and it's it's an honor for me to wrap up uh this year's integration track really
uh really really interesting uh thank you for your time and for all
you for your time and for all participants and for all questions for
participants and for all questions for everybody who listened or maybe who will
everybody who listened or maybe who will watch recording uh thank you for your
watch recording uh thank you for your time
time >> thank you thank you all right and that's
>> thank you thank you all right and that's it all See you.
it all See you. >> Take care.
>> Take care. >> Bye. Bye.
>> Bye. Bye. >> Goodbye.
>> I've stopped the live stream. Uh so yeah, we had a peak
Click on any text or timestamp to jump to that moment in the video
Share:
Most transcripts ready in under 5 seconds
One-Click Copy125+ LanguagesSearch ContentJump to Timestamps
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
Most transcripts ready in under 5 seconds
Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.
