"MCP is Dead" — The Cry Echoing Through Silicon Valley

A fierce backlash against the Model Context Protocol (MCP)——the standard protocol announced by Anthropic in November 2024 for connecting AI models to external tools and data sources——is sweeping Silicon Valley. Y Combinator CEO Garry Tan declared, "MCP is honestly bad. It eats up too much of the context window," and publicly stated that a CLI wrapper he built in 30 minutes is "100 times better." Perplexity CTO Denis Yarats announced at the Ask 2026 conference in March 2026 that the company is migrating its internal systems from MCP to REST APIs and CLIs. Pieter Levels tweeted, "Glad MCP is dying. It's an unnecessary abstraction for AI." The technical criticism is serious. GitHub's MCP server exposes 93 tools and injects approximately 55,000 tokens of schema definitions into the context before the user says a single word. Scalekit benchmarks showed that MCP's token consumption for the same task was 4 to 32 times higher than CLI, with monthly costs reaching 17 times more. On reliability, CLI succeeded 25/25 times (100%), while MCP managed only 18/25 (72%). The security situation is even more dire. A critical RCE vulnerability (CVE-2025-49596, CVSS 9.4) was discovered in Anthropic's official MCP Inspector, and mcp-remote contained a command injection vulnerability (CVE-2025-6514, CVSS 9.6) with over 437,000 downloads. Invariant Labs published a demonstration of stealing an entire WhatsApp history via a tool poisoning attack, and MCP rug-pull attacks were confirmed in which tool definitions are silently modified after installation to exfiltrate AWS access keys. An Astrix Security study found that 43% of tested MCP servers had command injection vulnerabilities, 53% relied on insecure static secrets, and only 8.5% implemented secure OAuth authentication. On the other hand, the CLI approach is the "native language" of LLMs pre-trained on billions of lines of terminal interactions, with initialization completing in just 200 tokens. The engineering community's emerging consensus is that "MCP is not dead, but its role is being rightfully narrowed"——it remains useful in enterprise scenarios requiring multi-user authentication and governance, but for solo developers and cost-optimization use cases, CLI and REST APIs are overwhelmingly superior.

What is MCP — The Promise of "AI's USB-C Port"

Model Context Protocol (MCP) is an open-source protocol announced by Anthropic on November 25, 2024. It provides a standardized interface for AI models to connect with external tools, data sources, and services, and is often described as "the USB-C port for AI applications." Technically, it uses JSON-RPC over stdio or HTTP (SSE/Streamable HTTP) as the transport layer.

Before MCP, accessing external tools from AI models required writing custom integration code for each individual tool. MCP promised to solve this "N×M problem" (the combination of N AI models and M tools) through standardization. Momentum accelerated when OpenAI officially adopted MCP in the ChatGPT desktop app in March 2025, and following a first-anniversary specification revision in November 2025 and its donation to the Agentic AI Foundation (AAIF) under the Linux Foundation in December 2025, the SDK reached 97 million monthly downloads, with over 17,000 MCP servers indexed and more than 300 active clients, forming a massive ecosystem.

All major AI providers — Anthropic, OpenAI, Google, Microsoft, and Amazon — supported MCP, and it appeared to have secured its place as the industry standard.

Arguments in favor of MCP — Why it gained support

Proponents of MCP argue for the protocol's value by citing the following advantages.

First, its value as a universal standard. With adoption by all major AI vendors, tool developers can implement an MCP server once and make it available to any AI client. This is a classic argument — analogous to HTTP for the web or USB for peripherals — that protocol standardization dramatically improves efficiency across the entire ecosystem.

Second, a security framework. It incorporates OAuth 2.1-based per-user authentication, scoped permissions, and audit logging. In enterprise environments, a system where each user accesses tools under their own permissions and all operations are recorded is essential, and MCP has standardized this.

Third, ecosystem scale. Figures of 97 million monthly SDK downloads, over 17,000 servers, and 143,000 executable AI components suggest that network effects have already passed a critical threshold.

Fourth, vendor-neutral governance. By being donated to the AAIF under the Linux Foundation, it has been freed from control by Anthropic alone and has become a shared asset for the entire industry.

These arguments are, on the surface, compelling. However, in early 2026, criticism emerged from the front lines of the engineering community, claiming that these promises were diverging from reality.

"MCP is honestly terrible" — Y Combinator CEO Garry Tan declares

In March 2026, frustration with MCP in Silicon Valley suddenly came to the surface.

One of the catalysts was Garry Tan, CEO of Y Combinator. Tan publicly stated, "MCP sucks honestly. It consumes too much of the context window, and you have to toggle it on and off constantly," and reported that he had vibe-coded a CLI wrapper that was "100x better" in just 30 minutes. It was unusual for the CEO of one of the world's largest startup accelerators to criticize a protocol so directly, and it sent ripples throughout the startup ecosystem.

Around the same time, Perplexity CTO Denis Yarats announced at the Ask 2026 conference that Perplexity was moving away from MCP for its internal systems. Yarats cited the fact that tool schema overhead was consuming 40–50% of the available context window, and that authentication complexity was creating implementation friction. He stated that MCP support would continue only for limited use cases (e.g., accessing Perplexity search from Claude Desktop). The announcement went "crazy viral" on X.

Serial entrepreneur Pieter Levels tweeted, "Glad MCP is dying. It's as useless an idea as llms.txt. AI is as smart as humans, so it should just use what's already there — APIs."

These voices were not isolated opinions. A blog post titled "MCP is dead. Long live the CLI," published on February 28, 2026 by infrastructure engineer Eric Holmes, reached the top of Hacker News, and its argument that "LLMs are really good at figuring things out themselves — just give them a CLI and documentation" resonated widely.

"Devouring" the Context Window — The Shocking Disparity in Token Consumption

At the heart of the MCP criticism lies the issue of token consumption. The numbers are shocking.

According to benchmarks conducted by Scalekit in 2026 using Claude Sonnet 4, for a simple task of retrieving a repository's language and license, the CLI consumed 1,365 tokens while MCP consumed 44,026 tokens—a 32x difference. For a task retrieving pull request details and reviews, the gap was 20x; for fetching repository metadata and installation instructions, 9x; for aggregating merged PRs per contributor, 7x. Even the smallest gap—"fetching the latest release and dependencies"—still showed a 4x difference.

The root cause of this disparity lies in MCP's design itself. GitHub's MCP server exposes 93 tools, and approximately 55,000 tokens of schema definitions are injected into the context at session start. Before the user has typed a single word, a large portion of the context window is already filled with tool definitions. One team reported that 143,000 tokens (72%) of their 200,000-token context window were consumed by tool definitions. A database MCP server (106 tools) consumed 54,600 tokens on initialization alone. Analysis using the MCPGauge framework confirmed cases where MCP's context retrieval inflated the token budget by up to 236x.

Translated to monthly costs, for 10,000 operations priced at Claude Sonnet 4 rates, the CLI costs approximately $3.20 while MCP costs approximately $55.20—a 17x cost difference. Even with gateway-based schema filtering, the cost comes to around $5, still far behind the simplicity of the CLI.

"CLI 100%, MCP 72%" — Measured Data on Reliability and Speed

The CLI demonstrates superiority not only in cost, but also in reliability and speed.

In reliability tests, the CLI succeeded 25 out of 25 times (100%), while MCP succeeded only 18 out of 25 times (72%). MCP's 7 failures were caused by TCP-level timeouts to GitHub's Copilot MCP server.

In browser automation benchmarks, the CLI agent's Token Efficiency Score (TES) was 202.1, compared to 152.3 for the MCP agent — a 33% advantage for the CLI. The CLI also recorded a 28% higher task completion score. Even more concerning is that LLM performance shows a negative correlation with context size. The more MCP integrations are added, the lower the accuracy. Tests on Tau-Bench showed that Claude 3.7 Sonnet achieved only a 16% success rate on basic flight booking tasks.

While the CLI completes initialization in 200 tokens, MCP requires more than 10,000 tokens. This difference stems from the fact that LLMs are pre-trained on billions of lines of terminal operation data, making the CLI effectively the LLM's "native language." Given documentation for a CLI tool, an LLM can figure out how to use it on its own. MCP's 55,000-token schema injection is nothing more than a redundant re-explanation of what the LLM already knows.

Security Vulnerabilities Too Severe——A Chain of CVEs

MCP's security issues are more serious than just cost. The number and severity of discovered vulnerabilities suggest fundamental design flaws in the protocol.

CVE-2025-49596 (CVSS 9.4, Critical). Discovered by Oligo Security Research in January 2025, this is a vulnerability in Anthropic's official MCP Inspector development tool. When a developer running MCP Inspector visits a malicious website, DNS rebinding allows arbitrary commands to be executed on the development machine. Unauthenticated remote code execution — the developer's machine is completely compromised. Fixed in version 0.14.1 with session tokens and allowed-origin checks.

CVE-2025-6514 (CVSS 9.6, Critical). Discovered by JFrog, this is a vulnerability in the mcp-remote OAuth proxy. In this package, which had recorded over 437,000 downloads, a malicious authorization endpoint could inject shell commands. There was a supply chain attack risk affecting integrations with Cloudflare, Hugging Face, and Auth0.

CVE-2025-68143/68144/68145. Three chained vulnerabilities discovered in Anthropic's official Git MCP server. Through a malicious .git/config file, combined with the Filesystem MCP server, full remote code execution was possible.

CVE-2025-53109/53110 (Critical). A sandbox escape and symbolic link bypass in Filesystem MCP allowed arbitrary file access and code execution.

CVE-2025-64106 (CVSS 8.8). A vulnerability in Cursor's MCP installation flow that allowed attackers to execute arbitrary commands.

None of these can be dismissed as third-party quality issues — they are all vulnerabilities in Anthropic's official tools or major MCP ecosystem components.

Tool Poisoning and Rug Pulls — The Collapse of Trust Models

In addition to CVE-level vulnerabilities, attack methods targeting the MCP trust model itself have been confirmed.

In April 2025, Invariant Labs published a demonstration of a tool poisoning attack. A malicious MCP server embedded hidden instructions in tool definition descriptions——invisible to users but readable by the LLM——and silently exfiltrated a user's entire WhatsApp history. They also demonstrated "cross-server shadowing," in which a malicious server intercepts and rewrites calls to trusted peers.

Rug pull attacks are even more insidious. MCP tools can modify their own definitions after installation. A tool that appears safe on day one may have transformed into a credential-stealing tool by day seven. MCP clients do not verify the consistency of tool schemas between requests. One confirmed technique involves adding AWS_ACCESS_KEY_ID as a "required parameter" mid-session, causing the LLM to extract the user's credentials and hand them to the attacker.

In September 2025, a fake Postmark MCP server appeared that differed from the legitimate server by just one line of code, BCCing all outgoing emails to an attacker——affecting transactional emails flowing through AI automation pipelines. In October 2025, a path traversal vulnerability in smithery.yaml on the MCP hosting service Smithery exposed a Fly.io API token that controlled more than 3,000 hosted MCP servers.

Security researcher Simon Willison noted, "The curse of prompt injection is that we've known about the problem for more than two and a half years and still have no convincing mitigations," and warned of the "lethal trifecta" in AI agents——access to private data, the ability to take actions, and exposure to untrusted content. Elena Cross quipped, "The 'S' in MCP stands for security"——there is no S in MCP.

A 2025 Astrix Security study quantified the security posture of the MCP ecosystem as a whole: 43% of tested MCP servers had command injection vulnerabilities, 22% permitted directory traversal, 30% allowed unrestricted URL fetching, and 53% relied on insecure long-lived static secrets. Only 8.5% implemented secure OAuth authentication. 36.7% had potential SSRF risk. 492 MCP servers were found exposed with no client authentication and no encryption.

Why the CLI Is Overwhelmingly Superior — An Engineering Perspective

The advantages of CLI over MCP go beyond mere cost reduction. From an engineering perspective, the CLI approach has structural advantages.

Token efficiency. CLI initialization requires approximately 200 tokens. MCP requires 55,000 tokens or more. For the same task, CLI completes with 4 to 32 times fewer tokens. This is because LLMs are trained on billions of lines of terminal operation data and already "know" the meaning and output format of commands like git log --oneline -5. MCP redundantly re-explains in verbose JSON schemas what the LLM already understands — which is inherently wasteful.

Reliability. CLI has a 100% success rate (25/25); MCP has 72% (18/25). CLI commands are mature technology with 50 years of history, and their failure modes are fully understood. MCP is a newer protocol over the network, introducing new failure modes such as timeouts, authentication failures, and schema mismatches.

Inspectability. Unix pipes are the original composability primitive, backed by 50 years of tooling, with each step being inspectable. CLI natively supports piping, chaining, and redirection, making debugging straightforward. The internal workings of MCP servers are a black box, with low visibility into what is happening.

Security. CLI tools run on the local machine with known permissions. MCP connects to arbitrary servers over the network, tool definitions can change dynamically, and the attack surface is orders of magnitude larger. Running git log via CLI means that command will not change into something else the next day. With MCP, that can happen.

Monthly cost. For 10,000 operations: approximately $3.20 with CLI versus approximately $55.20 with MCP. Annually, that is $624 versus $6,624. At scale, the difference runs into the millions of dollars.

Cloudflare independently arrived at this problem and built an alternative approach called Code Mode that operates with approximately 1,000 tokens. Equivalent functionality that required 244,000 tokens with MCP's native schema is achieved with 1/250th of the tokens. An approach where agents generate code and call APIs directly has achieved up to a 98% reduction in tokens compared to MCP.

Thoughtworks Technology Radar Warning

Thoughtworks Technology Radar, an authority in technology consulting, has classified "naive API-to-MCP conversion" as Hold (not recommended for adoption). The approach of converting existing REST APIs directly into MCP servers has been deemed unlikely to produce the expected results. This assessment supports the argument that MCP's value as a protocol is not technical superiority, but rather "sociological" — meaning people use it simply because everyone else is using it.

Tim Kellogg noted that "everything you can do with MCP, you can also do with OpenAPI," and analyzed that MCP's inevitability stems not from technical advantages but from collective adoption — in other words, its value is sociological rather than technological.

Specific Approaches of the Anti-MCP Camp

The camp arguing for moving away from MCP advocates several concrete alternative approaches.

Direct CLI Integration. Eric Holmes's approach — hand the LLM CLI tools and documentation, and let it figure out the rest. 200-token CLI initialization vs. MCP's 55,000+ token schema injection. LLMs are trained on billions of lines of terminal operations, and the CLI is their "native language."

Direct REST API Calls. The approach adopted by Perplexity. The team reports that "writing small tool wrappers that thinly wrap REST API endpoints" was sufficient. Existing OpenAPI specs can be used as-is, with no new protocol to learn.

The AGENTS.md Approach. A standard originated by OpenAI and donated to AAIF. Provides project-specific guidance to AI agents. Adopted by 60,000+ open-source projects and frameworks such as Amp, Codex, Cursor, Devin, Gemini CLI, and GitHub Copilot. Complementary to MCP, but there is an argument that it makes MCP unnecessary in many cases.

The Unix Pipe Philosophy. "Unix pipes are the original composability primitive, backed by 50 years of tooling, with each step being inspectable." Natively supports pipes, chaining, and redirection — no need to invent a new protocol.

Counterarguments from proponents and the claim that it is "not dead"

To be fair, let me also note the counterarguments from MCP advocates.

Elie Steinbock countered: "Levels has never used a useful MCP. MCP is extremely useful and it is not dead." The fact that Google announced fully managed MCP servers for cloud services, AWS shipped a gateway that converts any API to MCP, and OpenAI has deepened MCP support across all its products — these at least demonstrate that major platforms continue to bet on MCP.

Charles Chen, in an article titled "MCP is Dead; Long Live MCP!", argued that while local stdio-based MCP is problematic, HTTP-based enterprise MCP has a legitimate role. It is true that enterprise requirements exist — multi-user authentication, audit trails, structured tool discovery — that are difficult to achieve with CLI alone.

However, the counterargument that "it is useful for enterprise use cases" is, read in reverse, tantamount to conceding the criticism that MCP is unnecessary for solo developers and cost-conscious operational environments. MCP's original promise — "the USB-C port for AI" — was to standardize all AI tool connections. The fact that this promise has been reduced to "useful for enterprise multi-user authentication" itself supports the critics' argument.

Anthropic's Response — Roadmap and Limitations

Anthropic is not silent in the face of criticism. The December 2025 donation to the Linux Foundation was intended to ensure the protocol's neutrality and quell criticism that it could "change at Anthropic's convenience." The 2026 roadmap includes plans for enterprise-managed authentication (SSO integration flows), audit trails and observability, gateway and proxy patterns, stateless HTTP transport for horizontal scaling, MCP Server Cards (.well-known metadata discovery), registry improvements, and a contributor governance model.

However, some critics point out that Anthropic is "deflecting responsibility by donating to the Linux Foundation while security issues remain unresolved." The fact that the MCP specification underwent three major revisions in 2025 alone (in March, June, and November) has also raised concerns about implementation stability. Reports from Japan's tech community indicate that these rapid specification changes have led to hesitation in adopting MCP.

Impact on the Industry

The "MCP is Dead" debate signals that the industry's answer to a fundamental question about AI tool connectivity architecture——whether to invent a new standard protocol or leverage existing infrastructure——is tilting toward the latter.

First, the rise of cost-consciousness is reshaping architectural choices. As LLM inference costs become the primary cost driver in AI operations, a protocol that consumes 4–32× more tokens for the same task is unsustainable. The difference between $55.20 and $3.20 per month translates to millions of dollars annually at scale. Now that CFOs have begun scrutinizing AI operating costs, MCP's "convenient but expensive" nature becomes a fatal weakness.

Second, security concerns have become the biggest barrier to enterprise adoption. The reality that 38% of MCP builders in Astrix Security's survey cited security concerns as blocking adoption, and that 43% of tested servers contain command injection vulnerabilities, makes CISO approval exceedingly difficult. In particular, the possibility of rug-pull attacks——where a once-approved tool can later transform into something malicious——falls outside the assumptions of traditional security models and is difficult to defend against.

Third, the return to CLI and REST APIs is shaping a new engineering culture. The departure of forward-thinking companies like Perplexity and Cloudflare from MCP in favor of CLI and direct API calls signals a shift in industry best practices. The philosophy of using tools the LLM "already knows" resonates with Unix design principles that eliminate unnecessary abstraction, earning broad support from the engineering community.

Fourth, MCP's role is shrinking but not disappearing. No current alternative standard exists for enterprise scenarios requiring multi-user authentication, audit trails, and structured governance. However, the original grand vision of "the USB-C port for AI" has been reduced to the limited role of "enterprise integration layer." MCP is not dead——its place has simply been legitimately redefined.

Fifth, the impact on Japan's developer community. Concerns about MCP's security risks are particularly acute in Japan, with 60.2% of DX/AI promotion officers expressing concerns about MCP security and governance. The GMO Flatt Security blog, Trend Micro Japan's published reports on public MCP server risks, and Nikkei xTECH's reporting on MCP vulnerability chains all provide grounds for Japanese enterprises to take a cautious stance toward MCP adoption. Meanwhile, CLI-based approaches align well with Japanese engineering culture——which values precision, cost efficiency, and stability.

MCP's "death" is, more precisely, the death of the illusion of a universal tool. What is emerging in its place is a reassessment of a mature technology with over 40 years of history: the command-line interface. What LLMs do best is "figure things out for themselves," and CLI is the most cost-efficient way to achieve that. MCP's 55,000-token schema injection is equivalent to telling an LLM, "Let me teach you again what you already know." The engineering community has finally answered that redundancy with: "No thank you."

References: Eric Holmes, "MCP is dead. Long live the CLI" (February 2026); Scalekit, "MCP vs CLI: Benchmarking AI Agent Cost & Reliability" (2026); Garry Tan Y Combinator CEO Statements on MCP (March 2026); Perplexity CTO Denis Yarats Ask 2026 Conference Announcement; Pieter Levels (@levelsio) Twitter/X Statements; Oligo Security Research CVE-2025-49596 MCP Inspector RCE; JFrog CVE-2025-6514 mcp-remote Command Injection; Invariant Labs MCP Tool Poisoning Attack Demonstration (April 2025); Simon Willison, "Model Context Protocol has prompt injection security problems" (April 2025); Astrix Security, "State of MCP Server Security 2025"; Thoughtworks Technology Radar Hold Rating on Naive API-to-MCP Conversion; Tim Kellogg, "MCP is Unnecessary" (April 2025); Shrivu Shankar, "Everything Wrong with MCP" (April 2025); Rasmus Holm, "A Critical Look at MCP" (May 2025); Charles Chen, "MCP is Dead; Long Live MCP!" (March 2026); Docker, "MCP Horror Stories: The Supply Chain Attack"; Authzed, "A Timeline of Model Context Protocol Security Breaches"; Anthropic, "2026 MCP Roadmap"; Agentic AI Foundation Linux Foundation Announcement (December 2025); GMO Flatt Security Blog, "Security Considerations in MCP"; Trend Micro Japan MCP Security Research; MCPGauge Token Analysis Framework; Cloudflare Code Mode vs MCP Performance Comparison