Skip to content

← Writing

engineering

MCP: A USB Port for AI Tools

· Jerwin Arnado

Archive note: this is a backdated post, written years later while rebuilding this site. It’s dated to the moment it covers, but the hindsight is real.

The most important AI news of the quarter isn’t a model. It’s a protocol — and this week’s plot twist: OpenAI announced support for MCP, a standard authored by Anthropic, its closest rival. When competitors adopt each other’s plumbing, the plumbing has won.

The problem MCP solves

Model Context Protocol, open-sourced by Anthropic late last year, standardizes how AI applications connect to tools and data. The pre-MCP world was an M×N integration mess: every AI app (Claude, ChatGPT, Cursor, your custom agent) needed bespoke connectors to every resource (Postgres, GitHub, Slack, your file system, your CRM). Every pairing, hand-built, maintained by whoever cared that week.

MCP collapses it the way every good protocol does: implement once per side. A resource exposes an MCP server (tools it offers, data it serves); any AI app speaks MCP client; M×N becomes M+N. The “USB port for AI” framing is earned — the point of USB was never the connector, it was not caring what’s on the other end.

Why a working dev should care

  1. Integration effort becomes an asset, not a liability. The MCP server I write for a client’s inventory database today works with Claude today, ChatGPT tomorrow, and whatever wins 2026 after that. In a field where vendor risk has its own post genre here, code that outlives vendor churn is the only code worth writing. My MODEL_PROVIDER abstraction from 2023 is being demoted from architecture to config value; the protocol does the decoupling now.
  2. The capability shift is real. Agents were bottlenecked less by reasoning than by reach — the model could plan but couldn’t touch. A standard tool layer is exactly the missing hands. The 2023 prediction about scoped agents with narrow tools is assembling itself, one MCP server at a time.
  3. The security story arrives with the power, as always. An MCP server is capability handed to a probabilistic caller. Every lesson this blog has filed — least privilege, blast radius, defensive parsing — applies doubled, because the “user” is a model that can be sweet-talked by content it reads. Prompt injection plus tool access is the new SQL injection: the canonical vulnerability class of the era, and most servers being published this month have not met it yet. Read-only by default; write access earns its way in.

The homelab angle, naturally

The part that delights me personally: MCP servers are small, self-hostable programs — a few hundred lines exposing your Jellyfin library, your NAS files, your Pi-hole stats to whatever model you choose, including the local ones. The same week the industry standardized AI’s hands, the self-hosted stack became AI-addressable. A model that can check my own server’s state and act on it, with credentials that never leave the LAN — that’s the agentic future I’ll actually deploy.

Filed

Prediction bank: protocols are infrastructure, and infrastructure bets age well — MCP (or its direct descendant) becomes as unremarkable as REST within two years, and “does it have an MCP server?” becomes a standard line in every SaaS evaluation checklist. The model race gets the headlines; the boring connector just decided how the whole thing wires together. As usual, the quiet one is the one that lasts.