Do Not Run MCP Servers Locally
Local MCP installs are quickly becoming one of the biggest security risks for businesses adopting AI.
If your business is accelerating with AI and your team is starting to use MCPs, the way you deploy them matters.
Running MCP servers locally through commands like npx or uvx might feel convenient, but it can quietly introduce serious supply chain and data exposure risks.
What businesses should do instead
- Move MCPs remote. Use official remote MCP servers where available, or run open-source MCP servers inside a sandboxed environment you control (a container or VM on infrastructure you manage), not on employee laptops.
- Do not distribute API keys or tokens to users. Manage credentials through a gateway instead, so the gateway holds the upstream tokens and users and agents only ever authenticate to the gateway.
- Monitor and audit tool calls and responses. You need visibility into what agents are doing.
- Use fine-grained tool controls. Prevent AI agents from performing destructive actions unless explicitly approved.
- Scan MCP responses for sensitive data. Use data classification tools to stop confidential information from entering agents.
Why local MCP is risky
The biggest risk today is local MCP usage: a user installs an MCP server directly on their machine, often with an install command such as npx or uvx.
That approach pulls an entire software supply chain onto the user's device. The client configuration that launches the server is itself a command line: whatever command and arguments it names run with the user's privileges, so a malicious or tampered config entry is arbitrary code execution before any package is even fetched. If anything in the dependency chain is compromised, the user's machine becomes part of the blast radius.
We have already seen supply chain compromises affecting widely used packages and projects. If an open-source MCP server pulls in a compromised dependency, simply restarting a tool like Cursor or Claude can be enough to load it: launchers such as npx and uvx resolve an unpinned package name at run time, so a restart can pull a newer, compromised build without anyone deciding to upgrade.
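The following is an added example, not code from the original post: a small auditor that reads an MCP client configuration in the mcpServers shape used by Claude Desktop and Cursor and flags the three things the paragraph above warns about, an entry that executes a command on the laptop, a package spec that is not pinned to an exact version, and a credential handed to the local process through env. The sample configuration is constructed; the package names, hostname and token value are placeholders, the url-only entry is the form Cursor uses for remote servers, and the pinning check is a heuristic over npx and uvx argument syntax rather than a full parser.

```python
import json
import os
import re

# Constructed sample in the `mcpServers` shape that Claude Desktop and Cursor
# read. The package names, hostname and token value are placeholders, not real
# projects or credentials.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "@example/slack-mcp"],
      "env": {"SLACK_BOT_TOKEN": "xoxb-constructed-placeholder"}
    },
    "docs": {
      "command": "uvx",
      "args": ["example-docs-mcp==1.4.2"]
    },
    "crm": {
      "url": "https://mcp-gateway.internal.example/crm"
    }
  }
}
"""

# Launchers that fetch a package from a registry and execute it.
PACKAGE_RUNNERS = {"npx", "bunx", "uvx"}
SECRET_NAME_RE = re.compile(r"token|secret|key|password|credential", re.I)


def _is_pinned(launcher, args):
    """Heuristic: is the package spec pinned to an exact version?
    npx/bunx accept name@1.2.3 (or @scope/name@1.2.3); uvx accepts name==1.2.3."""
    for spec in args:
        if spec.startswith("-"):
            continue  # a flag such as -y, not a package spec
        if launcher in ("npx", "bunx") and re.search(r"@\d+\.\d+\.\d+$", spec):
            return True
        if launcher == "uvx" and re.search(r"==\d", spec):
            return True
    return False


def audit_mcp_config(text):
    """Return (server_name, finding, detail) tuples for risky entries."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        command = server.get("command")
        args = server.get("args", [])
        if command is None:
            continue  # url-only entry: nothing executes on the user's machine
        # Any `command` entry is local execution, whatever the binary is.
        findings.append((name, "local-exec",
                         f"client runs `{command} {' '.join(args)}` with the user's privileges"))
        launcher = os.path.basename(command)
        if launcher in PACKAGE_RUNNERS and not _is_pinned(launcher, args):
            findings.append((name, "unpinned",
                             "no exact version; each launch may resolve a different package build"))
        for var in server.get("env", {}):
            if SECRET_NAME_RE.search(var):
                findings.append((name, "embedded-secret",
                                 f"env var {var} hands a credential to the local process"))
    return findings


if __name__ == "__main__":
    for server, kind, detail in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server:6} {kind:16} {detail}")
```

Pinning narrows the window (a restart can no longer pull a build that did not exist when the entry was written) but it does not vouch for the pinned version, and it leaves the credential and the execution on the laptop; the point of the audit is to find those entries so they can be moved behind a gateway.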
The non-technical user problem
This is especially risky for non-technical users. Many packages sound official, but are actually third-party projects. A user may see something like an MCP package for Slack, assume it is maintained by Slack, install it locally, and unknowingly trust an unknown maintainer with access to sensitive business data. The registry listing names the publisher, and an official integration is normally published from the vendor's own organisation or linked from the vendor's documentation; anything else should be treated as an unvetted third party.
Local MCP installs turn every employee laptop into a mini integration server, often without the monitoring, controls, or isolation you would expect in production.
The safer model: MCP gateways
Many companies are now moving toward enterprise-grade MCP gateways. This allows teams to use AI agents with proper controls around authentication, logging, data access, and tool permissions.
Instead of giving every user direct access to API keys, local tools, and third-party packages, the gateway becomes the controlled layer between the AI agent and the business systems it needs to use.
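As an added example of the gateway model described in this section and in the recommendations list above (this is illustrative code, not any vendor's product or the original post's code), the block below puts a policy layer between an agent and the tools it calls: it holds the upstream connections, denies tools that are not on the allowlist, blocks destructive tools until a named approver signs off, records every attempt in an audit log, and scans each response for sensitive data before it reaches the agent. The backend tools, the tool names, the destructive-verb heuristic and the regex patterns standing in for a data-classification engine are all assumptions; the "leaked" AWS key in the sample response is the example key from AWS's own documentation.

```python
import re
import time

# Verbs that mark a tool as destructive. An assumed heuristic for this
# illustration; a production gateway carries an explicit per-tool policy.
DESTRUCTIVE_VERBS = ("delete", "drop", "remove", "purge", "send", "transfer", "write", "update")

# Stand-ins for a data-classification engine: patterns for material that
# should not flow back into the agent's context.
SENSITIVE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


class McpGateway:
    """Policy layer between an agent and upstream MCP tools.

    `backends` maps tool name -> callable(args) -> str and stands in for the
    upstream servers the gateway holds credentials for. `allowed_tools` is the
    per-deployment allowlist; anything else is denied outright.
    """

    def __init__(self, backends, allowed_tools):
        self.backends = backends
        self.allowed = set(allowed_tools)
        self.audit = []  # one record per attempted tool call, allowed or not

    def classify(self, tool):
        if tool not in self.allowed:
            return "deny"
        if any(verb in tool.lower() for verb in DESTRUCTIVE_VERBS):
            return "needs_approval"
        return "allow"

    def scan(self, text):
        """Redact sensitive matches and count them per category."""
        findings = {}
        for label, pattern in SENSITIVE_PATTERNS.items():
            text, n = pattern.subn(f"[REDACTED:{label}]", text)
            if n:
                findings[label] = n
        return text, findings

    def call(self, agent, tool, args, approved_by=None):
        status = self.classify(tool)
        if status == "needs_approval" and approved_by is not None:
            status = "allow"  # explicit human approval unlocks the call
        record = {"ts": time.time(), "agent": agent, "tool": tool,
                  "args": args, "status": status, "approved_by": approved_by}
        self.audit.append(record)
        if status != "allow":
            return {"status": status, "response": None}
        raw = self.backends[tool](args)  # credentials live here, not with the user
        cleaned, findings = self.scan(raw)
        record["response_findings"] = findings
        return {"status": "ok", "response": cleaned}


# Constructed upstream tools. The lookup answer deliberately contains a
# contact's email and a leaked access key (the AWS documentation example key).
def _crm_lookup(args):
    return f"Contact {args['name']}: jane@example.com, note: AKIAIOSFODNN7EXAMPLE"


def _crm_delete(args):
    return f"deleted {args['id']}"


def _crm_export_all(args):
    return "entire customer table"


def build_demo_gateway():
    backends = {"crm.lookup_contact": _crm_lookup,
                "crm.delete_contact": _crm_delete,
                "crm.export_all": _crm_export_all}
    # export_all exists upstream but is deliberately left off the allowlist.
    return McpGateway(backends, allowed_tools=["crm.lookup_contact", "crm.delete_contact"])


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.call("agent-1", "crm.lookup_contact", {"name": "Jane"}))
    print(gw.call("agent-1", "crm.delete_contact", {"id": 7}))
    print(gw.call("agent-1", "crm.delete_contact", {"id": 7}, approved_by="alice"))
    print(gw.call("agent-1", "crm.export_all", {}))
    for rec in gw.audit:
        print(rec["tool"], rec["status"], rec.get("response_findings"))
```

The shape matters more than the heuristics: the agent never holds an upstream credential, every call (including the denied and pending ones) is in the audit log, destructive actions need a named approver, and the response is classified and redacted before the model sees it. A real gateway would replace the verb match with per-tool policy and the regexes with a proper classifier.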
Bottom line
If your organisation is adopting AI agents and MCPs, do not let local installs become the default. Move MCP execution remote, centralise credentials, audit every tool call, restrict destructive actions, and scan responses for sensitive data before they reach the agent.