enableAllProjectMcpServers should default to false for security
Description
enableAllProjectMcpServers is not set to false by default, meaning cloning any repository that contains a .mcp.json file will auto-load those MCP servers into the Claude Code session without user consent.
Security concern
A malicious repository could include a .mcp.json that loads attacker-controlled MCP servers. When a developer clones the repo and opens Claude Code, those servers are automatically available — no prompt, no confirmation. This is a supply-chain attack vector via repository configuration files (similar to malicious .vscode/settings.json or .npmrc in cloned repos).
Proposed fix
Default enableAllProjectMcpServers to false. Require explicit opt-in per project or a one-time confirmation prompt when project-level MCP servers are detected.
References
- Check Point research demonstrated MCP config hijacking as an attack vector
- Trail of Bits recommends
enableAllProjectMcpServers: falsein their security config
Environment
- Claude Code 2.1.84
- Windows 10
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗