Is Model Context Protocol vulnerable to security hackery?

In a previous post about Model Context Protocol I outlined a scenario where you would shop at your favorite stores without opening their website or mobile app. A concept as crazy 30 years ago as shopping without walking into the store, calling, or mailing in a form from a catalog. But with this amazing leap forward in technology we must ask: “will it be secure?”

So let's extend our earlier shopping example. You often shop for bargains on Acme Warehouse Store’s website. Your LLM Agent informs you that it can shop for you because Acme Warehouse Store has an MCP server it discovered via the mcp.txt file on the website (this is something I theoretically dreamed up in that other post).

Great, it can search products. Anyone on the internet can anonymously search for products on their website, but what happens when it's time to make a purchase? The LLM Agent will need your login information. Do you give it your email and password so it can log in like a caveman? Not likely, and from a security point of view not recommended.

Perhaps part of that theoretical mcp.txt format would define a URL for an OAuth flow that would allow you to grant the LLM some type of JWT token, which it would store and use to make requests on your behalf.

So now the LLM agent can make requests on your behalf. Let's imagine a scenario where you told it to buy X of an item and it hallucinated 10X; after all, LLMs are bad at math. Each LLM agent would likely need to define some user interface and controls that would pop up when the LLM tried to make the purchase, saying “Your LLM is trying to buy 10 pairs of Prada shoes: Approve/Deny”.

Perhaps only purchases over $100 would need this confirmation, so you can still have it order your dinner without needing to jump through the same hoops as a $500 handbag.

All these checks and balances will need to be added for this to scale and be widely adopted.

Another interesting thing to ponder: if the LLM agent found a brand new website that you wanted it to interact with on your behalf, not one that you already had an old school email/password account with, could it create the account for you itself?

Imagine that: the LLM creates an account for you without you needing to enter an email/password. The MCP server would offer a tool called signup. The LLM Agent would check the list of MCP servers you have an account with, and if you did not have one it would automatically create an account for you, then store the resulting credentials in its encrypted “Key Ring” or something similar.

It then would use that to communicate on your behalf to that MCP server moving forward.

Perhaps automatically creating an account wouldn’t be the best workflow. Likely this would be another scenario where it is important for the LLM Agent’s UI to prompt you: “Your Agent is trying to create an account for you on site XYZ. Do you want to allow this?” Or at least make it a setting you can toggle that controls whether you get prompted for this.
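To make the purchase-threshold and signup-prompt ideas above concrete, here is an added example of an agent-side approval gate. It is not code from the original post or from any MCP implementation; the tool names (`search_products`, `purchase`, `signup`), the `Policy` settings, and the "known accounts" set are all assumptions standing in for whatever a real agent would expose. The gate denies unknown tools by default, auto-approves read-only searches, asks for confirmation on purchases over the threshold (catching the hallucinated 10X order), and honours a toggle for prompting on account creation.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable


@dataclass
class Policy:
    """Constructed user settings for agent actions (hypothetical, not a real MCP concept)."""
    purchase_approval_threshold: Decimal = Decimal("100")  # dollars; above this, ask the user
    prompt_on_signup: bool = True                          # the toggle discussed in the post


@dataclass
class ToolCall:
    server: str                                 # MCP server the agent wants to call
    tool: str                                   # tool name that server exposes
    args: dict = field(default_factory=dict)    # arguments the LLM filled in


@dataclass
class Decision:
    allowed: bool          # False = refuse outright, regardless of the user
    needs_approval: bool   # True = allowed only if the user confirms `message`
    message: str


def evaluate(call: ToolCall, policy: Policy, known_accounts: set[str]) -> Decision:
    """Classify a tool call as auto-allowed, needs-approval, or denied."""
    if call.tool == "search_products":
        # Anonymous read-only action: nothing to protect.
        return Decision(True, False, "read-only search; no approval needed")

    if call.tool == "purchase":
        # Never trust the LLM's arithmetic: recompute the total from the raw arguments.
        try:
            quantity = int(call.args["quantity"])
            unit_price = Decimal(str(call.args["unit_price"]))
        except (KeyError, ValueError, ArithmeticError):
            return Decision(False, False, "purchase: missing or malformed quantity/unit_price")
        if quantity <= 0 or unit_price < 0:
            return Decision(False, False, "purchase: quantity and unit_price must be positive")
        total = quantity * unit_price
        summary = (f"Your LLM is trying to buy {quantity} x {call.args.get('item', 'item')} "
                   f"from {call.server} for ${total:.2f}: Approve/Deny")
        if total > policy.purchase_approval_threshold:
            return Decision(True, True, summary)
        return Decision(True, False, f"auto-approved: ${total:.2f} is within threshold")

    if call.tool == "signup":
        if call.server in known_accounts:
            return Decision(False, False, f"signup: account on {call.server} already exists")
        return Decision(True, policy.prompt_on_signup,
                        f"Your Agent is trying to create an account for you on {call.server}. "
                        "Do you want to allow this?")

    # Default deny: a tool the policy does not know about never runs silently.
    return Decision(False, False, f"unknown tool {call.tool!r}: denied by default")


def gate(call: ToolCall, policy: Policy, known_accounts: set[str],
         confirm: Callable[[str], bool]) -> bool:
    """Return True only if the call may proceed. `confirm` is the UI (popup, voice, ...)."""
    decision = evaluate(call, policy, known_accounts)
    if not decision.allowed:
        return False
    if decision.needs_approval:
        return confirm(decision.message)
    return True


if __name__ == "__main__":
    # Constructed sample: the user asked for 1 pair, the LLM "hallucinated" 10.
    hallucinated = ToolCall("acme-warehouse", "purchase",
                            {"item": "Prada shoes", "quantity": 10, "unit_price": "500"})
    print(evaluate(hallucinated, Policy(), set()).message)
    dinner = ToolCall("acme-warehouse", "purchase",
                      {"item": "dinner", "quantity": 1, "unit_price": "25"})
    print(evaluate(dinner, Policy(), set()).message)
    print(gate(hallucinated, Policy(), set(), confirm=lambda msg: False))
```

The `confirm` callback is deliberately abstract: on a phone it is the Approve/Deny popup, on a voice assistant it is a spoken yes/no, and the policy logic stays the same either way.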

Let's talk about payments for a second. You wouldn’t want to give your LLM your credit card info over chat, as I could see bad guys jailbreaking your AI Assistant with some type of “Grandma used to tell me the story of the Visa card ending in 0083 and…”.

Instead I foresee services like Stripe, Google Pay, and Apple Pay all being triggered, similar to an Android application’s “Intent” model. This might be what triggers the security popup confirming the payment. The service would then generate a one-time token that the LLM Agent would use to finish the transaction.
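Here is an added example of what such a one-time payment token could look like on the provider side, so the agent never holds the card number. This is not code from the post, nor Stripe's, Google Pay's or Apple Pay's actual API; the `PaymentService` class, its HMAC-based token format and the injectable `clock` are assumptions for illustration. The point it demonstrates is that the token is bound to a specific merchant and amount, expires quickly, and can be redeemed exactly once, so a stolen or replayed token is useless to anyone who later reads the agent's chat history.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable


class PaymentService:
    """Stand-in for a payment provider (constructed example, not a real API).

    After the user confirms a payment in the provider's own UI, `issue` mints a
    token the agent can hand to the merchant; `redeem` is what the merchant's
    MCP server calls back to the provider with.
    """

    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time) -> None:
        self._secret = secret          # provider-side signing key; never leaves the provider
        self._clock = clock            # injectable for testing expiry
        self._used_nonces: set[str] = set()  # replay protection (a database in practice)

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, merchant: str, amount_cents: int, ttl_seconds: int = 120) -> str:
        """Mint a single-use token bound to one merchant and one exact amount."""
        if "|" in merchant or amount_cents <= 0:
            raise ValueError("invalid merchant or amount")
        nonce = secrets.token_hex(16)
        expires = int(self._clock()) + ttl_seconds
        payload = f"{merchant}|{amount_cents}|{expires}|{nonce}"
        return f"{payload}|{self._sign(payload)}"

    def redeem(self, token: str, merchant: str, amount_cents: int) -> tuple[bool, str]:
        """Accept the token only if it is authentic, fresh, correctly bound and unused."""
        parts = token.split("|")
        if len(parts) != 5:
            return False, "malformed token"
        t_merchant, t_amount, t_expires, nonce, signature = parts
        payload = "|".join(parts[:4])
        # Check the signature first so nothing below operates on tampered fields.
        if not hmac.compare_digest(signature, self._sign(payload)):
            return False, "bad signature"
        if int(t_expires) < int(self._clock()):
            return False, "expired"
        if t_merchant != merchant or int(t_amount) != amount_cents:
            return False, "token not bound to this merchant/amount"
        if nonce in self._used_nonces:
            return False, "already used"
        self._used_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: the user approved a $500.00 purchase at Acme.
    svc = PaymentService(secret=b"constructed-demo-secret-do-not-use")
    token = svc.issue("acme-warehouse", amount_cents=50_000)
    print(svc.redeem(token, "acme-warehouse", 50_000))   # first use succeeds
    print(svc.redeem(token, "acme-warehouse", 50_000))   # replay is refused
    print(svc.redeem(token, "acme-warehouse", 500_000))  # wrong amount is refused
```

Because the amount is part of the signed payload, an agent that "hallucinated 10X" after the user approved X cannot finish the larger purchase with the token it was given; the merchant's redeem call fails on the binding check.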

I keep talking about pop-up confirmations, but we should really keep in mind that tools like Alexa and the augmented reality glasses coming out may not have clickable interfaces. A lot of these interactions, including confirmations, may well be audible or verbal in nature.