What is the MCP Bundle Format?
Blog post from Credal
The Model Context Protocol (MCP) project has adopted the MCP Bundle Format (MCPB), which allows developers to package and share local MCP servers easily, similar to Chrome or VSCode extensions, for use in AI chat applications. While MCP Bundles facilitate easier integration by lowering adoption barriers and potentially expanding third-party connector ecosystems, they do not address security concerns inherent in integrating business tools with AI applications. The format requires a manifest.json file within a ZIP archive, outlining necessary server details, and was initially developed by Anthropic before being transferred to the open-source MCP project. Despite their convenience, MCP Bundles pose risks of shadow IT, as they do not include authentication or audit capabilities, leaving organizations vulnerable to ungoverned connections and potential supply chain threats. It is recommended that businesses use a governance layer like Credal to enforce security policies, audit usage, and manage permissions to mitigate these risks.
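Because a bundle is a ZIP archive carrying a manifest.json, an IT or security team can inventory one before it is installed. The sketch below is an added example, not code from Credal or the MCP project: it hashes a bundle, compares the hash with an organization-maintained approved list, and confirms the manifest is present and parseable. The function names, the approved-list mechanism, the manifest's location at the archive root, and the sample manifest keys are assumptions made for illustration.

```python
import hashlib
import io
import json
import zipfile


def build_sample_bundle(include_manifest=True):
    """Build a constructed sample bundle in memory (not a real MCP server)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_manifest:
            # Constructed keys; the real manifest schema is not reproduced here.
            sample = {"name": "sample-server", "version": "0.0.1"}
            zf.writestr("manifest.json", json.dumps(sample))
        zf.writestr("server/index.js", "// placeholder\n")
    return buf.getvalue()


def inspect_bundle(data, approved_sha256):
    """Return an inventory record for one bundle, with findings for review."""
    digest = hashlib.sha256(data).hexdigest()
    report = {"sha256": digest, "approved": digest in approved_sha256,
              "files": [], "manifest": None, "findings": []}
    if not report["approved"]:
        report["findings"].append("bundle hash not on approved list")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["findings"].append("not a valid ZIP archive")
        return report
    with zf:
        report["files"] = zf.namelist()
        # Assumption: the manifest sits at the archive root.
        if "manifest.json" not in report["files"]:
            report["findings"].append("manifest.json missing from archive")
            return report
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except ValueError:  # covers invalid JSON and invalid UTF-8
            report["findings"].append("manifest.json is not valid JSON")
            return report
    if isinstance(manifest, dict):
        report["manifest"] = manifest
    else:
        report["findings"].append("manifest.json is not a JSON object")
    return report


if __name__ == "__main__":
    print(inspect_bundle(build_sample_bundle(), approved_sha256=set()))
```

The record gives reviewers a stable identifier (the SHA-256) to log and approve, which the bundle format itself does not provide.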