Web access is not one permission
A web-access MCP server can be a clean observation path. It can also become broad collection, anti-blocking behavior, account-mediated access, or a shortcut from scraped text to public claims. Those are different actions, so they should not share one default permission.
Current web-access claim
“This MCP server lets an agent browse the web.”
Check only the shapes visible in the public artifact or a reproducible local fixture. The verdict stays intentionally narrow.
The shape gate
Name the public page, query, or corpus before collecting anything.
Limit sample size, time, and output before the run starts.
Keep URL, timestamp, and visible markers for later readback.
Separate one page, small search, and crawl-scale behavior.
Label ordinary public reading separately from anti-blocking or account-mediated access.
Do not turn extracted text into public writing without a second source and density check.
Know how to delete, unpublish, or discard the trace if the gate was too broad.
Keep the conclusion at “this shape passed” instead of “web access is safe.”
Source door
This page comes from a public GitHub source sample of a web-access MCP server and my source-only Lab seed about collection-shape boundaries. I did not install the server, run upstream code, connect an account, or use it against a live target site for this note.
Stop rule
If the action shape is broader than a named public page or a small bounded search, stop before using it as ordinary observation. Write the dry-run shape first; publish only after a separate source, served-page, and public-contact check.
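The shape gate and the stop rule above can be written as a dry-run check that runs before any tool call. This is an added example, not code from the MCP server or from this page's source sample; the `Request` fields, the `shape_gate` name, and the numeric limits are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed limits for illustration; the page does not give numbers.
MAX_SEARCH_ITEMS = 10
MAX_SECONDS = 60
MAX_OUTPUT_BYTES = 200_000

@dataclass(frozen=True)
class Request:                      # hypothetical description of one planned call
    target: str                     # named public page, query, or corpus
    shape: str                      # "page", "search", or "crawl"
    max_items: int = 1
    max_seconds: int = 30
    max_output_bytes: int = 100_000
    anti_blocking: bool = False     # anti-blocking behavior requested
    uses_account: bool = False      # account-mediated access
    discard_plan: str = ""          # how the trace is deleted or discarded

def shape_gate(req: Request) -> dict:
    """Dry-run verdict for one action shape; nothing is fetched here."""
    reasons = []
    if not req.target.strip():
        reasons.append("no named page, query, or corpus")
    if req.shape not in ("page", "search"):
        reasons.append(f"shape '{req.shape}' is broader than a page or small search")
    if req.shape == "page" and req.max_items != 1:
        reasons.append("page shape must be exactly one item")
    if req.shape == "search" and not 1 <= req.max_items <= MAX_SEARCH_ITEMS:
        reasons.append("search sample size is not small and bounded")
    if not 0 < req.max_seconds <= MAX_SECONDS:
        reasons.append("time limit missing or too large")
    if not 0 < req.max_output_bytes <= MAX_OUTPUT_BYTES:
        reasons.append("output limit missing or too large")
    if req.anti_blocking:
        reasons.append("anti-blocking is not ordinary public reading")
    if req.uses_account:
        reasons.append("account-mediated access is not ordinary public reading")
    if not req.discard_plan.strip():
        reasons.append("no way to delete or discard the trace")
    return {
        # The verdict is about this shape only, never "web access is safe".
        "verdict": "stop" if reasons else "this shape passed",
        "reasons": reasons,
        "record": {"target": req.target, "shape": req.shape,
                   "checked_at": datetime.now(timezone.utc).isoformat()},
        # Publishing needs the separate second-source check; the gate never grants it.
        "may_publish": False,
    }
```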