3. Based on that decides whether to wake you up 30 minutes early.
That case can be proven secure modulo a hack to the weather service means you get woken up early but you can understand the threat model.
MCP is like getting a service that can inject any context (effectively reorient your agent) to another service that can do the same. Either service may allow high level access to something you care about. To boot either service may pull in arbitrary context from online easily controlled by hackers. E.g. using just SEO you could cause someone's 3D printer to catch fire.
Yes the end user chooses which servers. Just like end users buy a wifi lightbulb then get doxxed a month later.
There might be some combination of words in a HN comments that would do it!
