Claude has shipped the first MCP integrations.
Unsurprisingly they're going with more of the app store model.
There's a small set of approved MCP integrations you can enable.
The integrations are all aimed primarily at enterprise cases.
They've also only allowed the integrations in the Max subscription.
When you're worried about the downside risk of a feature and want to experiment to see how bad it is in the wild, a classic technique is to roll it out to a very small audience and watch carefully.
Presumably the number of users with a Max subscription is many orders of magnitude lower than their total user count.
The enterprise focus also tends to focus on things that have less prompt injection risk.
Things that pull data from inside an enterprise are more likely to be reading data written by employees, and thus more trustworthy than, say, emails.
But there are many internal systems that allow untrusted content.
For example, it's not uncommon for user feedback flows to automatically create JIRA tickets.
The main danger of MCP is not misbehaved integrations (though that is also a worry); it's prompt injection.
MCP is great for things with data entirely inside the house (only your employees, not injectable) and/or things that can't have irreversible side effects.
Prompt injection can happen even for a well-behaved integration, for sources that allow open-ended or untrusted inputs (like search results, emails, etc.).
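The two conditions above (data written only by employees, and/or no irreversible side effects) can be enforced by the MCP host rather than by vetting integrations. The following is an added example, not code from the post or from any MCP host: a small policy layer that labels each tool result by who authored the text (not by which system stored it, so a JIRA ticket filed by a feedback bot is untrusted even though JIRA is internal), and refuses irreversible tool calls once untrusted text has entered the model's context unless a human confirms. The tool names, the reporter names and the ticket are all constructed for the example.

```python
"""Taint-gated tool policy for an MCP host (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    INTERNAL = "internal"      # authored only by employees
    UNTRUSTED = "untrusted"    # open-ended or externally authored text


@dataclass(frozen=True)
class ToolSpec:
    name: str
    irreversible: bool         # side effect that cannot be rolled back


@dataclass(frozen=True)
class ToolResult:
    tool: str
    trust: Trust
    content: str


# Hypothetical tool catalogue for the host; names are constructed for the example.
TOOLS = {
    "jira.get_ticket": ToolSpec("jira.get_ticket", irreversible=False),
    "wiki.search": ToolSpec("wiki.search", irreversible=False),
    "jira.close_ticket": ToolSpec("jira.close_ticket", irreversible=False),  # can be reopened
    "email.send": ToolSpec("email.send", irreversible=True),
    "payments.refund": ToolSpec("payments.refund", irreversible=True),
}

# Constructed: automated integrations that copy outside text into internal systems.
UNTRUSTED_REPORTERS = {"feedback-form-bot", "support-inbox-sync"}


def classify_ticket(ticket: dict) -> Trust:
    """Trust is a property of who wrote the text, not of which system stores it.
    A JIRA ticket filed by the public feedback bot carries user-supplied text."""
    if ticket.get("reporter") in UNTRUSTED_REPORTERS:
        return Trust.UNTRUSTED
    return Trust.INTERNAL


class SessionPolicy:
    """Tracks whether untrusted text has entered the model context and refuses
    irreversible tool calls once it has, unless a human confirms the action."""

    def __init__(self, tools: dict[str, ToolSpec]):
        self.tools = tools
        self.taint_sources: list[str] = []

    @property
    def tainted(self) -> bool:
        return bool(self.taint_sources)

    def record_result(self, result: ToolResult) -> None:
        # Once untrusted text is in context, the session stays tainted.
        if result.trust is Trust.UNTRUSTED:
            self.taint_sources.append(result.tool)

    def allow_call(self, tool_name: str, human_confirmed: bool = False) -> tuple[bool, str]:
        spec = self.tools.get(tool_name)
        if spec is None:
            return False, f"{tool_name}: not an approved tool"
        if not spec.irreversible:
            return True, f"{tool_name}: reversible, allowed"
        if not self.tainted:
            return True, f"{tool_name}: irreversible, but context holds only internal text"
        if human_confirmed:
            return True, f"{tool_name}: irreversible, confirmed by human"
        return False, (f"{tool_name}: blocked, context contains untrusted text "
                       f"from {', '.join(self.taint_sources)}")


def simulate_session() -> list[tuple[str, bool]]:
    """Constructed session: read an internal wiki page, then a feedback-sourced
    ticket, then attempt a refund. Returns (tool, allowed) per call."""
    policy = SessionPolicy(TOOLS)
    decisions = []
    # Step 1: internal wiki content, written by employees.
    policy.record_result(ToolResult("wiki.search", Trust.INTERNAL, "Refund policy: ..."))
    ok, _ = policy.allow_call("email.send")
    decisions.append(("email.send", ok))          # allowed: nothing untrusted yet
    # Step 2: a ticket that the public feedback form created automatically.
    ticket = {"key": "FB-101", "reporter": "feedback-form-bot",
              "body": "Customer comment text (constructed sample)."}
    policy.record_result(ToolResult("jira.get_ticket", classify_ticket(ticket), ticket["body"]))
    ok, _ = policy.allow_call("jira.close_ticket")
    decisions.append(("jira.close_ticket", ok))   # allowed: reversible
    ok, _ = policy.allow_call("payments.refund")
    decisions.append(("payments.refund", ok))     # blocked: untrusted text in context
    ok, _ = policy.allow_call("payments.refund", human_confirmed=True)
    decisions.append(("payments.refund", ok))     # allowed after explicit confirmation
    return decisions


if __name__ == "__main__":
    for tool, allowed in simulate_session():
        print(f"{tool}: {'allowed' if allowed else 'blocked'}")
```

The gate is deliberately coarse: it does not try to detect an injection in the text, which is unreliable, but only tracks provenance and makes the irreversible step require a person once provenance is mixed. Note that the taint is per session and never clears, because the model may have already acted on the untrusted text.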
Limiting to a subset of trusted MCP integrations does not meaningfully mitigate prompt injection.
The app store model leads to gatekeepers, but doesn't address prompt injection.
So now there are two problems!