Remote MCP is convenient, but where do you draw the permission line
MCP makes coding agents much more useful, but it also makes me pause before connecting anything with real write access.
Read-only tools feel easy to justify. Let the agent search docs, inspect issues, query logs, maybe read database schema. That saves time and the blast radius is limited. But the moment a tool can mutate something, I get much more careful. Send email. Edit production data. Change DNS. Close GitHub issues. Touch billing. Modify local network config. Those are not “just coding” anymore.
GitHub was the clearest example for me: letting the agent read issues, PR diffs, and CI logs felt obviously worth it, but I still won't give it merge, push, or close-issue powers without me re-reading the diff line by line.
I know approval prompts help, but I’m not fully relaxed about them. If the agent is in a long task and I’m tired, I can still approve a command too quickly. And for remote MCP, I also have to trust the server, the permissions, the logs, and my own memory of what I connected last week.
How are people drawing the line here? Do you make MCP tools read-only by default? Which actions require human approval every time? Are there tools you simply refuse to expose to agents? And for solo projects, do you use separate tokens with tiny permissions, or is that too much overhead?
Maybe I’m too cautious, but I would rather have a slightly slower agent than one that can quietly change the wrong thing.