Request: Review auto-generated MCP permission manifest for MongoDB

[buehler]

Dear Authors / Maintainers,

We are researchers from the University of St. Gallen studying how to make Model Context Protocol (MCP) servers safer to run via a sandboxed permission system. As part of our study, we auto generated a permission manifest for your MCP server and would love your feedback on whether it is correct and complete.

The MCP server in question is: MongoDB

Please review the manifest below and let us know:

• Are the permissions and their scopes correct?
• Are any permissions missing?
• Do any permissions need to be runtime-scoped (e.g., a specific project directory) rather than global?

Proposed manifest (please review)

{
  "description": "MongoDB MCP Server: enables MCP clients to connect to MongoDB and MongoDB Atlas, run database and Atlas management tools, export query results to disk, and write logs. Supports stdio and optional HTTP transport; configurable via CLI or MDB_MCP_* environment variables; may emit telemetry.",
  "permissions": [
    "mcp.ac.network.client",
    "mcp.ac.filesystem.read",
    "mcp.ac.filesystem.write",
    "mcp.ac.filesystem.delete",
    "mcp.ac.system.env.read"
  ]
}

Please let us know if you have any questions and/or remarks.

In case you want to see the (current) full permission system:

MCP Permission System

Permission	Description	Notes
mcp.ac.filesystem.read	Read files/directories
mcp.ac.filesystem.write	Write/create files
mcp.ac.filesystem.delete	Delete files or directories
mcp.ac.system.env.read	Read environment variables	e.g., API_KEY, PATH
mcp.ac.system.env.write	Set environment variables	setting the env variables
mcp.ac.system.exec	Execute OS commands	CLI runners, shells
mcp.ac.system.process	List or kill processes
mcp.ac.network.client	General Outgoing network access
mcp.ac.network.server	Accept incoming connections
mcp.ac.network.bluetooth	Use Bluetooth connections	macOS TCC-protected
mcp.ac.peripheral.camera	Capture images/video	macOS TCC-controlled
mcp.ac.peripheral.microphone	Record audio	TCC-protected
mcp.ac.peripheral.speaker	Play audio
mcp.ac.peripheral.screen.capture	Screen capture	Requires consent (macOS: Screen Recording)
mcp.ac.location	Access location data	From Wi-Fi, IP, GNSS
mcp.ac.notifications.post	Show system notifications	macOS/Windows
mcp.ac.clipboard.read / .write	Read/write clipboard	Copy-paste support

Thank you very much for your time and your efforts in making MCP more secure.

[github-actions]

Thanks for opening this issue. The ticket MCP-164 was created for internal tracking.

[kmruiz]

Hi @buehler , thanks for reaching out and for your research!

So far the permissions look fine, but there is something that I wanted to clarify with you. Depending on the transport (basically, HTTP Transport), the MCP Server will need mcp.ac.network.server, as it opens a socket at a specific port and can listen to inbound connections.

About scoping, yes, I think it would be worth to scoping some permissions. We don't write on arbitrary folders, they can be set up by the user and have also some defaults (mainly for logs and exports).

For environment variables, we also have a list of environment variables that we do read. It's dynamically generated based on this config file.

[buehler]

Perfect, thank you for clarifying!

Yes, it makes sense if the HTTP transport is also supported, we'd need to include the server as well.

As for the fine-grained permissions, we do have something in the making, but for this study, it was not ready yet.

Spoilers: it contains what you said as "static" runtime permission.

Thank you for your time, really appreciate it.

[github-actions]

The corresponding JIRA ticket has been automatically closed.