Least-Privilege MCP Tool Selection
MCP connects Hermes to external tools, but installing a server can introduce code, credentials, network access, and destructive operations in one step. Treat the server and each enabled tool as part of the agent's capability boundary.
Official documentation: https://hermes-agent.nousresearch.com/docs/user-guide/features/mcp
Review before install
For catalog entries, inspect the source repository, bootstrap commands, transport command or URL, authentication method, and default tool selection. Curated does not mean risk-free; it means the entry passed a project review, not that every tool is appropriate for every profile.
Tool-selection checklist
- [ ] Enable only the operations needed for the workflow.
- [ ] Exclude delete, admin, billing, and broad export tools unless required.
- [ ] Prefer read-only tools for research and first rollout.
- [ ] Keep OAuth tokens and headers out of prompts and public files.
- [ ] Separate MCP servers by profile when their trust or business purpose differs.
- [ ] Set realistic connect and tool timeouts.
- [ ] Review whether parallel tool calls are safe for that server.
- [ ] Revisit the filter when the server adds new tools.
Transport and authentication
Stdio servers execute local commands; HTTP servers connect to remote endpoints. Both require trust decisions. OAuth tool discovery can succeed even when a usable token was never stored, so listing tools is not proof that real calls work. Test one harmless authenticated operation after setup.
Environment-variable references should resolve from the runtime's secret environment. Avoid placing literal tokens in configuration examples, screenshots, or wiki copy.
Pitfalls
- Selecting every tool for convenience.
- Trusting a server name without reading its source and bootstrap behavior.
- Treating successful
tools/listas proof that OAuth completed. - Giving a public-input agent an administrative MCP toolset.
- Enabling parallel calls for operations that mutate shared state.
- Forgetting that MCP catalog entries do not auto-update.
Verification steps
- Inspect the manifest or explicit server configuration.
- Confirm the tool include list matches the workflow.
- Start a fresh Hermes session and verify the server connects.
- Execute one low-risk authenticated read operation.
- Confirm excluded tools are unavailable.
- Review logs for token exposure, timeout loops, and unexpected subprocesses.
- Re-run configuration after server upgrades and compare the advertised tools.
