HackerTrans
TopNewTrendsCommentsPastAskShowJobs

yjcho9317

no profile record

Submissions

Show HN: MCP-fence – MCP firewall I built and tried to break (6 audit rounds)

npmjs.com
1 points·by yjcho9317·3 miesiące temu·1 comments

[untitled]

1 points·by yjcho9317·4 miesiące temu·0 comments

comments

yjcho9317
·3 miesiące temu·discuss
[dead]
yjcho9317
·3 miesiące temu·discuss
Interesting timing — I work on a mobile security SDK for Korean banking apps (200+ installs), and Accessibility abuse is basically our #1 headache.

Stuff like FakeCall does exactly this — reads the UI tree, taps, types, all of it. From the system's point of view it's not that different from legit automation.

Android doesn't really have a good way to tell those apart. The whole restriction thing feels a bit blunt, but I also don't know what a clean alternative would look like.

Gemini gets system-level access that third-party apps can't even request, so the comparison is a bit weird.

Do you run into apps that actively block Accessibility? Some banking apps just shut that down entirely.
yjcho9317
·3 miesiące temu·discuss
Yeah, I hit this. I run an MCP server that talks to a corporate messaging API — if it stays connected the whole session, any hallucinated tool call can fire off messages to an entire org while the agent is doing something unrelated.

There's no real reason that connection needs to stay open the whole time. Feels like overkill.

Read-only stuff is probably fine staying persistent, I guess. Anything that sends or mutates state feels different though.

MCP doesn't really have a way to express that kind of boundary per tool, so the runtime can't do much with it.

Haven't tried Orloj yet but "summoned on demand" sounds closer to what I'd want.
yjcho9317
·3 miesiące temu·discuss
I built and shipped an MCP server (NAVER WORKS integration) so I've been on both sides of this.

My server talks to a corporate messaging API — one bad tool call could blast messages to an entire org. I ended up writing input validation for every single tool by hand because there's no standard for it. Even then, Claude Code will happily call tools in a loop with hallucinated parameters. Saw it happen more than once.

Rate limiting would've probably stopped most of that, but MCP doesn't really give you a clean place to enforce it.

I also got the server listed on mcp.so and mcpservers.org with basically zero review. It's closer to a directory than anything else.

I do mobile app security for a living (banking apps), and yeah — same story there. You can't rely on the thing executing the action to control itself.
yjcho9317
·4 miesiące temu·discuss
[dead]
yjcho9317
·4 miesiące temu·discuss
[dead]
yjcho9317
·4 miesiące temu·discuss
[dead]