The Simpler, Safer Way to Connect OpenClaw. Every external call. Protected. →
Back to blog
Tal Peretz

MCP Servers Do Not Force Tools Into Context

It's common for developers new to MCP to complain that the protocol bloats their context window and tanks agent performance. It’s a real problem, but they're wrong about what's causing it.

MCP gives you a clean, standardized interface for connecting AI agents to external tools and services. But it doesn’t tell you how to manage those tool definitions once you have them. That's the agent harness's job, and many harnesses get it wrong. The result gets blamed on MCP.

How Context Bloat Happens

Imagine you're building a general purpose agent for a product manager. You connect your first MCP server, the GitHub MCP, and call list_tools. You get back a clean list of tool definitions and pass them into context so the agent can determine which one to use. Everything works.

A few weeks go by, and you've added Notion, Salesforce, and an internal data warehouse MCP. You do the same thing you did before with GitHub: call list_tools on each server, concatenate the results, pass them all into context. You now have over 100 tools loaded on every single turn!

Most tool definitions look like this, which runs about 130 tokens:

{
 "name": "get_weather",
 "title": "Weather Information Provider",
 "description": "Get current weather information for a location",
 "inputSchema": {
   "type": "object",
   "properties": {
     "location": {
       "type": "string",
       "description": "City name or zip code"
     }
   },
   "required": ["location"]
 }
}

At 130 tokens per tool, 100 tools cost 13,000 tokens before the user has typed a single word. And most of those tokens are wasted: on any given task, the model only needs a handful of tools, not all 100. This creates three compounding problems:

  • Cost. In many AI-powered applications, LLM costs are the biggest line item, and without a better pattern, tool definitions would be a meaningful fraction of your inference bill.
  • Latency. Time-to-first-token scales with prompt token count (and by rough corollary, context length). A bloated tool list adds measurable delay to every response, on every request, regardless of whether those tools were ever needed.
  • Focus. Research shows LLM task accuracy degrades as context length grows, with relevant information increasingly ignored when buried among irrelevant content. More tools in context means the model is less likely to correctly select and use the ones it actually needs.

MCP-heavy agents do suffer real performance problems in practice. But the cause isn't MCP. As we'll see in a moment, this is easily solvable with a better harness pattern.

The Fix: Meta-Tools

When you load hundreds of tool definitions into a context window and ask a model to pick the right one, you're essentially performing search with one of the most expensive pieces of software ever built. However, searching over text is a practically solved problem, and we can do this with code. We do this by exposing just two meta-tools to the model.

The first is search_tool. When the model needs a capability, it calls search_tool with a natural language or keyword query. The harness searches across all available tool definitions using keyword matching or semantic search and returns only the top few most relevant schemas for the current task. This is where the token savings happen: instead of 100 definitions loaded blindly, the model gets back a small, targeted subset relevant to what it's actually trying to do.

The second is execute_tool. Once the model has identified the right tool from the search results, it calls execute_tool to run it. Together, search_tool and execute_tool form a complete abstraction layer over the entire tool inventory. The model never needs raw access to all tool definitions at once.

The tradeoff is one extra round trip: the model calls search_tool, receives a small set of relevant definitions, then calls execute_tool to run the one it needs. But for almost any application complex enough to need dozens of MCP tools, better model performance is worth it. The applications that need 100+ tools are rarely the ones where a single extra step is a dealbreaker.

The architecture also scales cleanly. Whether you have four MCP servers or forty, the model's effective tool context stays small and task-relevant on every turn. None of this requires changes to the MCP servers themselves.

The Real Problem: Security

The meta-tool pattern solves context bloat in a way that makes adding new MCP servers essentially free. But scalability raises a harder question: if any agent can dynamically discover and invoke any tool across any connected MCP server, who's making sure those tools are safe to call?

This is a real concern for MCP. There have already been high-profile attacks across multiple vectors: malicious instructions embedded in tool descriptions themselves, and prompt injections hidden in user-facing data like GitHub issues that hijack agents when tools return that content. As MCP usage grows, the attack surface grows with it.

Getting the performance architecture right is necessary but not sufficient. You also need governance: control over which MCP servers agents can connect to, enforcement of company-approved tool lists, and protection against tool definitions that carry injected instructions. That's what Runlayer does.

Feb 23, 2026
 • 
Tal Peretz
Read more
MCP Security vs API Security: Understanding the Differences
API security wasn’t designed for autonomous AI agents. Learn why MCP introduces new security risks—like prompt injection, dynamic tool chaining, and session-level threats—and what controls teams need to safely deploy MCP in production.
Feb 24, 2026
 • 
Vitor Balocco
Scale MCP with Dynamic Tool use
Dynamic tool use cuts token waste from MCP by replacing bulk tool loading with lightweight search, saving cost without custom implementation.
Feb 20, 2026
 • 
Vitor Balocco
OpenAI Agent Builder’s MCP Problem
OpenAI AgentKit/Agent Builder launched in Oct 2025 but, despite early hype, its limited integrations and weak security (e.g., unverified MCP servers, no namespace isolation, insufficient guardrails) create a large enterprise attack surface—prompting calls for controls like a trusted MCP catalog, tool gateway auditing, RBAC/least privilege, and stronger governance (e.g., via Runlayer).
Feb 19, 2026
 • 
Tal Peretz
Pwning OpenClaw in 50 Messages: Social Engineering Claude Opus Into Handing Over the Keys
A Claude Opus–powered OpenClaw agent with Slack and shell access was social-engineered in ~50 messages to rebind its UI, install ngrok, expose the dashboard publicly, reveal its gateway token, and approve the attacker’s device.
Feb 16, 2026
 • 
Alex Frazer
Unpacking the OWASP Top 10 for MCP
An overview of the OWASP MCP Top 10, highlighting the biggest security risks in MCP-enabled AI systems and the key safeguards teams can use to prevent them.
Feb 10, 2026
 • 
Alex Frazer
MCP Apps highlight the power of protocol governance
MCP Apps let tools render interactive UIs directly in chat via the same MCP protocol—not a new execution path. With Runlayer intercepting tool calls, resource fetches, and auth headers, existing MCP security controls apply from day one.
Jan 30, 2026
 • 
Tal Peretz
Announcing Box and Runlayer's partnership on Enterprise MCP
Connect AI agents to Box content with enterprise security. The official Box MCP server is live in the Runlayer marketplace, with identity enforcement, audit logging, and threat detection built in. Box customers can find Runlayer in the Box Integrations Center. Setup takes minutes.
Jan 27, 2026
 • 
Aidan Sochowski
MCP vs CLI Tools: Which is best for production applications?
CLI tools feel familiar to AI agents, but they break down in production due to brittle syntax, poor state management, and dangerous security assumptions. This post explains why CLI-based agent workflows fail and how a single-tool MCP using a known programming language offers a more reliable and secure alternative.
Jan 25, 2026
 • 
Vitor Balocco
Runlayer Product Update: 1.25.0
This update is about momentum: moving faster in the CLI, getting clearer visibility into what’s running, and debugging with less friction. Expect smoother workflows, better control, and fewer surprises as you build and ship.
Jan 23, 2026
 • 
Engineering
MCP Prompt Injection Attacks: How to Protect Your AI Agents
Two near-invisible prompt injection attacks showed how attackers can bypass default enterprise guardrails and trigger silent, ongoing data exfiltration by exploiting user and model trust. Runlayer blocks these attacks by treating every input as untrusted until it passes continuously updated security models trained on the latest real-world exploits.
Jan 19, 2026
 • 
Jake Moghtader
Cursor Hooks + MCP Security: Official Runlayer Partnership Announcement
Runlayer is an official Cursor Hooks launch partner. With Cursor Hooks, securely allow or deny MCP tool calls with Runlayer's enterprise MCP platform.
Dec 18, 2025
 • 
Marcin Jan Puhacz
The main takeaways from GitHub’s MCP Vulnerability
GitHub’s MCP vulnerability revealed how AI agents can be weaponized through poisoned context in public repositories. This post analyzes the exploit, explains why permissions alone aren’t enough, and shares practical guardrails for preventing and mitigating agent-driven data exfiltration.
Dec 16, 2025
 • 
Vitor Balocco
Runlayer Joins Anthropic, OpenAI, & Google as AAIF Founding Member
The Linux Foundation has launched the Agentic Artificial Intelligence Foundation (AAIF), with Runlayer joining sponsors Anthropic, OpenAI, Google, AWS, Microsoft. AAIF now oversees the Model Context Protocol (MCP), reinforcing MCP as a rising standard for AI agent integration. Runlayer supports AAIF’s open, secure, and scalable AI development mission.
Dec 9, 2025
 • 
Andy Berman
Runlayer Raises $11M to Scale Enterprise MCP Infrastructure
Nov 17, 2025
 • 
Andy Berman
MCP Security Risks: Your AI Agent is Probably Leaking Data Right Now
MCP adoption is accelerating across major platforms, but security risks—like malicious servers, prompt injection, and tool-level exploits—are growing just as fast. This post breaks down real attack scenarios that show how easily data can leak when MCP implementations are trusted by default. It also outlines practical defenses for users and builders, plus why companies need audited MCP catalogs, gateway proxies, and sandboxing to stay secure at scale.
Nov 12, 2025
 • 
Vitor Balocco
Why MCP builders are transitioning from DCR to OAuth CIMD
Over the last year, MCP has surged in adoption. To little surprise, this has introduced some scaling issues. One of these is client registration; previously, systems were rigged together by humans. Today, AI agents discover and interface with MCP servers freely, requiring a new paradigm for client communications.
Nov 7, 2025
 • 
Vitor Balocco
What is Dynamic Client Registration?
Tired of manually registering every AI agent with every OAuth server? Dynamic Client Registration (DCR) lets your agents authenticate with MCP servers at runtime, no human clicks required. Learn how DCR works, when to use it over traditional OAuth, and why it's becoming essential for scalable agentic systems.
Nov 6, 2025
 • 
Vitor Balocco
Agents and Work. Connected.

Runlayer makes it easy to create, host, and scale MCP, skills, and agents across your organization. Local or remote, every AI tool is secure, discoverable, and simple to manage.

Get an AI summary of this page
OpenAI logo featuring an abstract geometric knot design.Abstract symmetrical starburst shape with multiple elongated rounded spikes radiating from the center in dark gray.Abstract geometric logo consisting of symmetrical angular lines forming a star-like shape.
Solutions
Company
Resources
Connect
© Copyright 2026 Anysource Inc.
SOC 2 Certified
HIPAA Certified
Terms of Service
Privacy Policy