Security And Trust

What Permissions Do Skills And MCP Servers Have?

File access, network access, shell execution, and what really determines the blast radius.

Short answer

Skills and MCP servers inherit the permissions of the host agent and client configuration around them. If the client can read files, run shell commands, call the network, or access OAuth-backed services, the tool layer can often reach those capabilities too.

The real question is not “does it have permissions in theory?” but “what exact host, config, scope, and approval model is wrapped around it?”

What actually defines the blast radius

  • The host client: Claude Code, Codex, Cursor, VS Code, and Windsurf do not expose the same approval and sandbox models.
  • The transport: local stdio servers usually run closer to your machine than remote read-only HTTP endpoints.
  • The server design: a “read-only” label is only as good as the server implementation behind it; the label describes intent, not enforced capability.
  • Your configuration: user-level installs, environment variables, and auto-run settings materially change risk.

Files, network, and shell are the three categories to inspect first

File access: a tool can often read project files, generated outputs, local caches, and sometimes secrets accidentally committed nearby. If write access exists, it can also change source, tests, configs, and generated artifacts.

Network access: even a seemingly simple helper may call external APIs, download dependencies, or exfiltrate context. This matters both for privacy and for supply-chain exposure.

Shell execution: once a server or agent flow can spawn processes, it can install packages, alter the environment, launch background jobs, or chain into other binaries on your machine.
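The factors above (transport, configuration, and the file/network/shell reach that follows from them) can be checked statically before a server is enabled. The script below is an added example, not code from the original page or from Aescut: it reviews a constructed client config in the `mcpServers` JSON layout used by Claude Desktop and Cursor (other hosts use a different layout) and flags the signals this page calls out.

```python
"""Static review of an MCP client config for blast-radius signals.

Added example, not code from the original page. Assumes the `mcpServers`
JSON layout used by Claude Desktop and Cursor; other hosts differ.
"""
import json
import re

# Constructed sample config: a local stdio server launched through npx with
# a token in its environment, plus a remote HTTP endpoint.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "repo-tools": {
      "command": "npx",
      "args": ["-y", "@example/repo-tools"],
      "env": {"GITHUB_TOKEN": "ghp_constructed_placeholder", "LOG_LEVEL": "info"}
    },
    "docs-search": {"url": "https://docs.example.test/mcp"}
  }
}
"""

SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE", re.I)


def review_server(spec):
    """Return review findings for one server entry."""
    findings = []
    if "command" in spec:
        # A stdio server is a child process of the client: it gets the client's
        # file, network and shell reach unless the host sandboxes it.
        findings.append("stdio: local process with the client's OS permissions")
        if spec["command"] in ("npx", "uvx") or "-y" in spec.get("args", []):
            findings.append("auto-install: fetches and runs a package from the network at launch")
    elif "url" in spec:
        findings.append("remote: off-host; reach depends on the server implementation")
    for key in spec.get("env", {}):
        if SECRET_KEY_RE.search(key):
            findings.append(f"secret in env: {key} is handed to the server process")
    return findings


def review_config(text):
    """Map each configured server name to its findings."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: review_server(spec) for name, spec in servers.items()}
```

Run `review_config(SAMPLE_CONFIG)` to see the per-server findings; a clean result only means the config shows no obvious signals, not that the server itself is trustworthy.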

Some hosts add guardrails, but do not assume they save you

VS Code now documents optional MCP sandboxing for local stdio servers on macOS and Linux, and Cursor, Claude Code, and Windsurf all surface different approval patterns for tool use. Those are useful controls, but they are not a substitute for trusting the server itself.

Aescut treats permissions as first-class review data because the host UI alone is not a security guarantee.

Sources and further reading