# Security Implications of MCP Configurations in OpenAI Plugins: OAuth, Static Tools, and Transport Hardening

> Explore security implications of OpenAI plugins MCP configurations. Learn how OAuth, static tools, and transport hardening prevent secret leakage and reduce attack surfaces for secure agent operations.

- Repository: [OpenAI/plugins](https://github.com/openai/plugins)
- Tags: security
- Published: 2026-06-06

---

**MCP configurations in OpenAI plugins rely on OAuth-driven token exchange, static tool generation, and short-lived scoped credentials to prevent secret leakage, reduce attack surfaces, and ensure agents cannot invoke insecure paths.**

The `openai/plugins` repository demonstrates how Model Context Protocol (MCP) configurations determine security boundaries for AI agents interacting with remote services. Because MCP routes agents to external endpoints, its configuration governs authentication flows, credential scoping, and transport layer security. Understanding these mechanisms is essential for securing plugin architectures against unauthorized access and data exposure.

## OAuth Authentication and Secret Management

MCP clients in the OpenAI plugins ecosystem use the **`@ai-sdk/mcp`** library to automatically negotiate OAuth tokens for remote MCP servers. This design eliminates the need for developers to embed API keys directly in skill definitions, significantly reducing the risk of credential exposure in version-controlled files.

According to [`plugins/vercel/skills/ai-sdk/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/skills/ai-sdk/SKILL.md), the client instantiation handles token acquisition transparently. For Wix-based implementations, the `@wix/cli` mints site-scoped tokens that are short-lived and project-specific, ensuring that compromised tokens cannot access resources beyond their intended scope. As documented in [`plugins/wix/skills/wix-headless/references/shared/AUTHENTICATION.md`](https://github.com/openai/plugins/blob/main/plugins/wix/skills/wix-headless/references/shared/AUTHENTICATION.md), raw secrets must never transmit through MCP-enabled skills; instead, the system relies entirely on these ephemeral OAuth tokens.

## Static Tool Generation and Attack Surface Reduction

To prevent exposure of dynamic internal endpoints, the **`mcp-to-ai-sdk`** CLI extracts static tool definitions from live MCP servers. This process generates version-controlled JSON files that limit the attack surface by preventing agents from discovering or invoking arbitrary endpoints that may exist on the MCP server.

The [`plugins/vercel/vercel.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/vercel.md) file emphasizes that static tool generation is a security requirement rather than merely a convenience. By freezing the tool schema in the repository, developers ensure that agents can only invoke pre-approved methods, blocking potential exploitation of dynamically registered or undocumented endpoints.

## Defensive Fallback Strategies and State Consistency

When an MCP server lacks a specific capability, skills must implement fallback logic that routes the operation to direct REST API calls or CLI commands. This prevents agents from over-relying on MCP and inadvertently invoking insecure or incomplete paths. The [`plugins/wix/skills/wix-headless/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/wix/skills/wix-headless/SKILL.md) explicitly warns against mixing MCP-based tools (such as `WixSiteBuilder`) with parallel native flows, as this can trigger duplicate resource builds and race conditions that open denial-of-service windows or create data inconsistency.

Fallback implementations should verify MCP availability before executing alternative paths. This dual-path design ensures operational continuity without bypassing security controls when the MCP server is unreachable or lacks the requested method.
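As an added example (not code from the `openai/plugins` repository), the following per-resource guard makes the dual-path rule concrete: a site build goes through MCP when the server supports it and through the native flow otherwise, and a second build of the same site via the other path is refused while the first is in flight. The `mcp` and `native` callbacks, the `mcpSupportsBuild` flag and the resource ids are assumptions.

```javascript
// Added example, not code from openai/plugins. Per-resource single-flight
// guard so that an MCP-driven build and a native-flow build of the same site
// cannot overlap (the duplicate-build / race condition wix-headless warns about).
const inFlight = new Map(); // resourceId -> { path, startedAt }

// Claim a resource for one execution path; refuse if any path already holds it.
function acquire(resourceId, path) {
  const current = inFlight.get(resourceId);
  if (current) {
    return { ok: false, reason: `${resourceId} is already being built via ${current.path}` };
  }
  inFlight.set(resourceId, { path, startedAt: Date.now() });
  return { ok: true };
}

function release(resourceId) {
  inFlight.delete(resourceId);
}

// Run `work` while holding the resource; the lease is released even on error.
async function runExclusive(resourceId, path, work) {
  const lease = acquire(resourceId, path);
  if (!lease.ok) throw new Error(`refused: ${lease.reason}`);
  try {
    return await work();
  } finally {
    release(resourceId);
  }
}

// Dual-path build. `mcpSupportsBuild` is the result of checking the MCP
// server's capability list first; `mcp` and `native` are assumed callbacks
// taking the site id. Exactly one path runs for a given site, never both.
async function buildSite(siteId, { mcpSupportsBuild, mcp, native }) {
  if (mcpSupportsBuild) {
    return runExclusive(siteId, "mcp", () => mcp(siteId));
  }
  return runExclusive(siteId, "native", () => native(siteId));
}
```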

## Infrastructure Security and Transport Hardening

Vercel’s firewall integration exposes security controls as an MCP tool named **`vercel.security.readFirewallConfig`**. Because this tool executes server-side within the `vercel-firewall` skill, it can enforce OWASP-grade rule sets without revealing underlying infrastructure details to the agent. The tool definition resides in [`plugins/vercel/skills/vercel-firewall/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/skills/vercel-firewall/SKILL.md).

Transport layer security is further hardened through the use of **Streamable HTTP**, a modern transport mechanism that replaces Server-Sent Events (SSE). As implemented in [`plugins/vercel/skills/vercel-api/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/skills/vercel-api/SKILL.md), this protocol eliminates long-lived streaming connections, thereby reducing the risk of resource exhaustion attacks and connection hijacking.

## MCP Discovery and Data Minimization

Skills should consult static API reference files before invoking MCP servers, using MCP only to fill capability gaps. This "MCP-only-for-gaps" policy, documented in [`plugins/wix/skills/wix-app/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/wix/skills/wix-app/SKILL.md), limits unnecessary network calls and restricts the volume of data an agent can extract from remote services. By applying `maxResults` limits and preferring static documentation over dynamic discovery, the configuration minimizes exposure to excessive data retrieval.
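To show how the frozen tool list from the static-generation section and the `maxResults` policy above can be enforced together, here is an added example (not code from the `openai/plugins` repository): a gate that admits only tool names present in a static tool JSON such as the one `mcp-to-ai-sdk` writes, rejects unknown or missing arguments, and clamps `maxResults`. The JSON layout, the `listProjects` tool, the cap value and the `invoke` callback are assumptions; `vercel.security.readFirewallConfig` is the tool name from the page.

```javascript
// Added example, not code from openai/plugins. Enforces the frozen tool
// allowlist produced by mcp-to-ai-sdk and the maxResults data-minimisation
// policy before any call reaches the MCP server.

// Constructed stand-in for ./static-tools/vercel-mcp-tools.json; the real
// file's layout may differ. "listProjects" is an assumed tool name.
const STATIC_TOOLS = {
  tools: [
    { name: "listProjects",
      inputSchema: { type: "object", properties: { maxResults: { type: "integer" } }, required: [] } },
    { name: "vercel.security.readFirewallConfig",
      inputSchema: { type: "object",
        properties: { projectId: { type: "string" }, teamId: { type: "string" } },
        required: ["projectId"] } },
  ],
};

const MAX_RESULTS_CAP = 50; // assumed policy ceiling for any list-style call

// Returns gate(name, args): { ok: true, name, args } when the call matches the
// frozen schema, otherwise { ok: false, reason }.
function buildToolGate(staticTools, cap = MAX_RESULTS_CAP) {
  const allowed = new Map(staticTools.tools.map((t) => [t.name, t]));
  return function gate(name, args = {}) {
    const tool = allowed.get(name);
    if (!tool) return { ok: false, reason: `"${name}" is not in the frozen tool list` };
    const { properties = {}, required = [] } = tool.inputSchema;
    for (const key of required) {
      if (!(key in args)) return { ok: false, reason: `missing required argument "${key}"` };
    }
    const unknown = Object.keys(args).filter((k) => !(k in properties));
    if (unknown.length) return { ok: false, reason: `unknown arguments: ${unknown.join(", ")}` };
    const clamped = { ...args };
    if ("maxResults" in properties) {
      // Always send an explicit, bounded page size, even when the agent omitted it.
      const requested = Number.isInteger(args.maxResults) ? args.maxResults : cap;
      clamped.maxResults = Math.min(Math.max(requested, 1), cap);
    }
    return { ok: true, name, args: clamped };
  };
}

// Wraps an MCP invoke callback (assumed signature invoke(name, args)) so that
// a blocked call never leaves the process.
async function callThroughGate(gate, invoke, name, args) {
  const decision = gate(name, args);
  if (!decision.ok) throw new Error(`blocked: ${decision.reason}`);
  return invoke(decision.name, decision.args);
}
```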

## Implementation Examples

### Creating a Secure MCP Client

The following pattern demonstrates OAuth token acquisition without embedded secrets:

```javascript
import { createMCPClient } from "@ai-sdk/mcp";

const mcpClient = await createMCPClient({
  // The URL of the remote MCP server (e.g. Vercel)
  endpoint: "https://my-project.vercel.app/api/mcp",
  // OAuth scopes are declared by the MCP server; the client fetches a token
  // automatically. No API keys are stored in the source code.
});
```

*This implementation follows the security model described in [`plugins/vercel/skills/ai-sdk/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/skills/ai-sdk/SKILL.md).*

### Generating Static Tool Definitions

Audit the MCP surface by extracting static definitions before deployment:

```bash
# Install the helper CLI (once):
npm i -g mcp-to-ai-sdk

# Pull the live MCP schema and write a JSON definition:
mcp-to-ai-sdk \
  --endpoint https://my-project.vercel.app/api/mcp \
  --output ./static-tools/vercel-mcp-tools.json
```

*Static generation requirements are detailed in [`plugins/vercel/vercel.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/vercel.md).*

### Implementing REST Fallbacks

When MCP lacks a method, fall back to direct API calls with environment-scoped credentials:

```javascript
// Node 18+ provides a global fetch, so no node-fetch import is needed.
// `mcpClient` is the client created in the previous example; it is passed in
// rather than referenced as a global so the function is self-contained.
async function listProjects(mcpClient) {
  // Try MCP first; a thrown error or an unsuccessful result both mean
  // "capability not available", which is the trigger for the fallback.
  try {
    const mcpResult = await mcpClient.call("listProjects");
    if (mcpResult?.success) return mcpResult.data;
  } catch (err) {
    console.warn("MCP unavailable, falling back to REST:", err.message);
  }

  // Fallback – Vercel REST API, authenticated with an environment-scoped token
  // (VERCEL_TOKEN) that never appears in the skill definition.
  if (!process.env.VERCEL_TOKEN) throw new Error("VERCEL_TOKEN is not set");
  const resp = await fetch("https://api.vercel.com/v9/projects", {
    headers: { Authorization: `Bearer ${process.env.VERCEL_TOKEN}` },
  });
  if (!resp.ok) throw new Error(`Vercel API error: HTTP ${resp.status}`);
  const { projects } = await resp.json();
  return projects;
}
```

*The dual-path design is outlined in [`plugins/wix/skills/wix-headless/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/wix/skills/wix-headless/SKILL.md).*

### Querying Firewall Configuration via MCP

Access security configurations through the read-only MCP tool:

```javascript
// Assume mcpClient is already created (see "Creating a Secure MCP Client").
// projectId and teamId below are placeholder values.
const firewallConfig = await mcpClient.call("vercel.security.readFirewallConfig", {
  projectId: "prj_ABC123",
  teamId: "team_XYZ789",
});
console.log("Current firewall rules:", firewallConfig.rules);
```

*The firewall MCP definition is stored in [`plugins/vercel/skills/vercel-firewall/SKILL.md`](https://github.com/openai/plugins/blob/main/plugins/vercel/skills/vercel-firewall/SKILL.md).*

## Summary

- **OAuth token exchange** via `@ai-sdk/mcp` eliminates embedded API keys and enables short-lived, scoped credentials.
- **Static tool generation** using `mcp-to-ai-sdk` reduces attack surfaces by preventing dynamic endpoint discovery.
- **Fallback mechanisms** to REST/CLI prevent over-reliance on MCP while avoiding insecure execution paths.
- **State conflict prevention** requires avoiding simultaneous use of MCP tools and native flows to prevent duplicate builds.
- **Streamable HTTP** transport replaces SSE to mitigate resource exhaustion risks.
- **Data minimization** policies limit MCP invocations to capability gaps only, reducing data exposure.

## Frequently Asked Questions

### How do MCP configurations prevent API key leakage in OpenAI plugins?

MCP configurations leverage OAuth token exchange through libraries like `@ai-sdk/mcp` rather than embedding static API keys in skill definitions. The tokens are short-lived, project-scoped, and minted by authorized CLIs such as `@wix/cli` or Vercel's OAuth flow, ensuring that raw credentials never appear in source code or environment files accessible to agents.

### Why should tool definitions be static rather than dynamic?

Static tool definitions, generated via the `mcp-to-ai-sdk` CLI and version-controlled as JSON files, prevent agents from discovering and invoking arbitrary internal endpoints that might exist on the MCP server. This approach limits the attack surface to explicitly approved methods and prevents exploitation of undocumented or dynamically registered capabilities.

### What transport protocol does Vercel use to secure MCP connections?

Vercel employs **Streamable HTTP** as the transport protocol for MCP servers, replacing the older Server-Sent Events (SSE) mechanism. This eliminates long-lived streaming connections, thereby reducing the risk of connection hijacking and resource exhaustion attacks while maintaining full-duplex communication capabilities.

### How do fallback mechanisms protect against MCP server failures?

Fallback mechanisms detect when an MCP server lacks a requested capability and automatically route the operation to secure REST APIs or CLI commands. This prevents agents from attempting to force execution through potentially insecure paths when MCP is unavailable, while maintaining operational continuity through alternative authentication methods like environment-scoped `VERCEL_TOKEN`.