Security: treat MCP servers like installed software
1 min
An MCP server can do anything its underlying credentials let it do. Pick servers as carefully as you pick npm dependencies.
When you connect a stdio MCP server, Avery spawns the configured command as a child process on your machine. That process inherits the same privileges your shell would. Streamable HTTP servers are slightly safer (network boundary) but still see every argument you pass to a tool call. Stick to servers published by reputable maintainers, read what each tool does before enabling it, and use the per-tool toggle to disable anything you don't need. The bearer token you give a server stays local — it never leaves your device through Avery's central service.
Live recipes need the desktop
This article is a static preview. The in-app Help sidecar inside Avery NXR can fire each step against your live project — install the desktop to use it interactively.