Thursday, July 9, 2026

Why MCP is Failing Consumer AI

 


The Over-Engineered Agentic Web

Why MCP is Failing Consumer AI
(and How to Fix It)

Spend five minutes in the AI developer ecosystem right now, and you’ll hear one acronym repeated like a mantra: MCP.

The Model Context Protocol, open-sourced by Anthropic, is being hailed as the universal plumbing for the future of AI agents. It promises a world where an LLM doesn't just chat with you, but actively works for you. It’s slick, it's fast, and tech Twitter is absolutely obsessed with it.

There’s just one problem: MCP has a massive blind spot.

The current approach is entirely hyper-focused on being "cool" for developers. It’s built by engineers, for engineers, to solve engineering problems. It is brilliant if you want an AI assistant to clone a Git repository, refactor a Python script, or query a secure Postgres database on your local machine.

But guess what? The real future—and the real money—isn’t in helping developers write code. It’s in helping regular consumers live their lives. It's in an AI agent that can effortlessly shop for flights, find the perfect local weekend getaway, or seamlessly order a great birthday gift for a partner.

And if we try to force that consumer future into the current local MCP architecture, we hit a brick wall of security risks, fragmented distribution, and bad user design.

The Fatal Flaw of the Local Agent Model

To understand why the current trend is broken for regular consumers, look at how an MCP server actually runs.

In the developer ecosystem, an MCP server is a package (usually Node.js or Python) that you download and install directly onto your local machine. It acts as a local proxy. The cloud-based LLM sends raw text instructions down to your machine ("Run the tool: delete_file"), and your local MCP server executes the code.

For developers, this is acceptable. They understand terminal runtimes, environment variables, and local scripts. They run npm install all day long.

But imagine translating this to a regular consumer scenario:

You tell your AI assistant: "I’m hungry and I want a pizza."

The assistant searches the web, finds a highly rated independent local shop down the street—sloppyjoepizza.com—and notices they have published their own custom AI integration.

What happens next? Does the agent autonomously run npm install sloppy-joe-pizza-mcp onto your phone or laptop? Does it pop up a terminal prompt asking your mom to audit a third-party Python runtime package before she can eat?

If an AI assistant can autonomously download and execute raw third-party code on a consumer’s device just to order lunch, it isn't an assistant—it’s a self-installing Trojan horse.

Ordinary users do not understand the security implications of local code execution, nor should they have to. If the ecosystem forces users to install custom code for every single business they interact with, consumer agents will completely stall out.

The "Toll-Booth" Threat to the Open Web

Because local code installation is a security non-starter for the general public, tech giants are already pivoting toward a different solution: The Consolidated Marketplace.

Instead of letting your agent talk directly to Sloppy Joe’s Pizza, the AI platforms will route you through centralized, heavily audited enterprise gateways. If Sloppy Joe wants to receive an "agentic order," he won’t be able to just host it on his website. He will have to list his business on DoorDash, Uber, or Instacart.

The corporate toll-collectors will manage the security, host the API, and happily extract a 20% to 30% tax on every single AI-driven transaction. For independent local businesses, boutique shops, and creators, this is an economic death sentence. The open web will be choked out by massive aggregate platforms acting as the exclusive gatekeepers to AI traffic.

But it doesn't have to be this way. We don't need a corporate closed garden, and we don't need consumers installing untrusted code.

We just need to pair the best parts of the Model Context Protocol with the fundamental architecture that built the internet: The Open Web Standard.

The Blueprint for an Open Agentic Web

We can build a completely open, secure, and decentralized agent economy using three simple, practical layers:

┌────────────────────────────────────────────────────────┐
│                   1. THE ENGINE                        │
│   A pre-installed, heavily sandboxed "Meta-MCP"        │
│   client that only translates web text to REST calls.  │
└──────────────────────────┬─────────────────────────────┘
                           ▼
┌────────────────────────────────────────────────────────┐
│                  2. THE DISCOVERY                      │
│   AI parses standard search results to find a link     │
│   in the HTML header: <link rel="agent" href="..." />  │
└──────────────────────────┬─────────────────────────────┘
                           ▼
┌────────────────────────────────────────────────────────┐
│                  3. THE MANIFEST                       │
│ A static metadata file (e.g., `agent-manifest.txt`     │
│ or Swagger) mapping text to safe cloud HTTPS endpoints.│
└────────────────────────────────────────────────────────┘

1. The Pre-Installed "Meta-MCP" Engine

Instead of installing a unique software package for every business, consumer devices should ship with a single, native, heavily audited Meta-MCP client installed by default.

This engine is completely static. It has zero access to your local filesystem, zero ability to run shell scripts, and zero ability to mine crypto. Its only job is to ingest an API schema (like a Swagger/OpenAPI file) and map an LLM's text instructions into a standard HTTPS fetch request over the internet.

The security blast radius is instantly neutralized. The code running on the user's machine is completely trusted because it never changes.

2. Standardized Discovery: The New favicon.ico

We don't need a centralized Agent App Store because web search is already a solved problem.

When a business wants to make itself agent-compatible, it shouldn't publish an installer. It should just publish a static metadata text file at the root of its domain, following emerging open standards like agent-manifest.txt or llms.txt.

Sloppy Joe just adds a simple tag to his website's HTML header:

<link rel="agent" href="/agent-manifest.txt" />

When you ask for pizza, your AI agent uses standard web search to find local shops, navigates to Sloppy Joe's site, detects that link, and grabs the text manifest instantly.

3. Clear, Human-Readable Consent

Because the manifest file just links back to standard web endpoints via Swagger, the built-in Meta-MCP engine can translate the technical plumbing into a beautifully simple, consumer-friendly authorization prompt for the user.

Mom doesn't get a scary warning about executing Node packages. She gets a clean, clear dialogue box:

"Sloppy Joe's Pizza wants to connect to your assistant to let you order food. They will be allowed to show you their menu and send your address for delivery. Allow?"

Mom clicks "Allow." The pre-installed, safe engine handles the HTTPS call to Sloppy Joe's server, the order is placed, and dinner is on the way.

Conclusion: Keeping the AI Web Open

This decentralized approach is exactly how the open web defeated closed, proprietary networks like AOL and CompuServe in the 1990s.

If the future of AI agents relies on downloading custom code to user machines, it will collapse under the weight of security exploits. If it relies on centralized cloud platforms, it will strip local businesses of their margins and centralize the internet into the hands of a few tech monopolies.

MCP is a phenomenal piece of engineering, but it’s time for it to graduate out of the developer sandbox. By turning the protocol into a standardized, configuration-driven proxy for the open web, we can give consumers the frictionless, magical assistant features they actually want—while keeping the internet open, safe, and fair for everyone.

Wednesday, September 14, 2022

Accidental Nostalgia Overdose: An old "Cheat Machine" review

 On a random ego-surfing session, I found this post that made me smile:

hillelstoler.com is generally about my own work, but since I don’t like to disappoint my visitors (and since I liked it a lot once), here is Cheat Machine 2.20 by a Forest Software. To my knowledge this is the most recent DOS version, and the only one that is Freeware:

Download Cheat Machine – Don’t get mad, get even!

Hit the keyboard with your head to continue …

Note that you will need to set the date to 1998 or so in order for this software to run.

Cheat Machine is a handy collection of cheat codes, trainers and easter eggs for antique software. I was very inspired by this specific piece of software around the mid 90’s when I began to program for DOS (using Borland’s Turbo Pascal). I liked the obsession for details and the overall fun atmosphere. The people (or person?) who made this software took their work seriously while not taking themselves very seriously – this, in my opinion, is a great recipe for (software) creation.

In the end, this is just a small piece of software that has very limited functionality, but every bit is plated in gold. It was fun to use, and you could clearly see it was fun to make. Software team leaders will argue that such “gold plating” is not only unnecessary, but also puts the project at risk and waste money and time in developing features that the customer did not pay for (while also making the software more complex and potentially buggy). Although I accept this to be generally true, I believe that in software manufacture, like in every other aspect of life, the key to success is the correct balance (which is never exactly halfway btw). You need to have something that will motivate your team and create that good vibe of excitement about the product. Let’s face it, not every project is very interesting to make, and spicing things up by adding some so called “gold plating” will not only make you proud of your work and give you the energy to successfully glide through the rest of the project, it might also give you a competitive edge because even if most people won’t notice your extra work someone somewhere probably will.

That said, never put time limitation on your software (especially if it’s freeware!) claiming that a new version must surely be available, because nothing last forever and having to change the date on my computer every time I want to run your 10 years old application is not very hot :) I could try to patch it, but the EXE is protected against just that!


I love the fact that he called my unhealthy obsession of "perfect code" and micro-managing development as "gold plating", back in the days that I wasn't paid by the hour for solutions. 

I disagree with him on the time limit.  It was added very much on purpose, because the program was only valuable if it contained recent information.  Without it, one would have to support every version ever released, and that is not doable.   This was in the days before the internet, where you couldn't just hit an "Update" button and the software was magically up to date again.  You had to log into a BBS and manually look for a new version and download it.    This was something that a lot of users didn't really want to unless they were forced to. 


For hardcore fans, I did a Youtube demo of an earlier version. 


Thursday, October 31, 2019

Hall of shame: NetBenefits

This may be getting repetitive, so instead of explaining everything that is wrong with this picture, I would like to suggest a new rule:

If a site has a maximum length restriction on their password, that usually means that they are not storing it securely, which usually means the development team did not pass "Security 101". 

I'll let you decide if that is a prediction of the quality of the rest of their offerings.

Wednesday, January 21, 2015

Had enough credit card offers?



Are you getting too many credit card offers?  Did you know there is an official,  national site where you can opt-out of getting these?   I strongly recommend doing this, not just to safe the environment and the hassle of dealing with junk mail, but also as a security precaution.  These offers are easy to steal out of your mailbox, and the credit card companies will gladly send your "new card" to a "new address" without blinking.

This is also a good idea for those who have issues with the temptation of credit.  If you take the offers away,  you take most of the temptation away.   (People with college-age kids will understand all too well)

All it takes is name, address and social and you are good for 5 years.  If you want it to be permanent, you are going to need to print out a form and lick a stamp (they make it harder or purpose)

Official site is at: OptOutPrescreen.com  Phone: 888-567-8688

More information available on this at the FTC


Sunday, January 19, 2014

I was singled out by RSA!

At the 2013 RSA conference, I was running around killing time before my talk on building your own intelligence tool, and thought it would be a fun training exercise to participate in their "I am RSA" ad campaign.  What better way to get rid of any nerves then to have a dozen cameras and microphones pointed at you?

I signed the release (I believe I got a sticker or a Starbucks card or something like that too) and I did not think anything of it until a friend pointed out that I was running on the homepage of the 2014 conference.  They seem to rotating a bunch of videos on there, and I was in the top spot last week.  Looking at their list of uploaded videos, I noticed I seem to be the only person (as far as I can see) that is actually named on-screen in any of them .  There are plenty of other people, but they seem to be used only for soundbites, whereas I was deemed worthy for almost a full minute.  Where's my internet millions?
 
Also: For some reason, it makes it seem like I have huge hands.