AI Agents Can Now Reach Into Your Files. Here's What That Means.
In one year an open standard taught AI agents to reach into your files. The Model Context Protocol went from an internal Anthropic tool, open-sourced in November 2024, to over 97 million monthly SDK downloads and more than 10,000 active public servers by December 2025.[1][2] The part that matters for your notes is quieter than the headline.
MCP is plumbing for AI. It is the interface an agent uses to read a document, query a database, or call a tool — a single connector instead of a custom integration per app. The explosion is real and primary-sourced. But the consequential fact is not how fast it grew. It is that reachability is now decided by two boring properties of your files: their format and where they live.
What is the Model Context Protocol?
The Model Context Protocol is an open standard for connecting AI applications to external systems — data sources like local files and databases, tools, and workflows. Anthropic open-sourced it in November 2024 and donated it to a vendor-neutral foundation in December 2025.[2][3] It is the wire between an agent and the things it acts on.
The official documentation reaches for a hardware analogy. "Think of MCP like a USB-C port for AI applications," it reads. "Just as USB-C provides a standardized way to connect electronic devices, MCP provides a standardized way to connect AI applications to external systems."[4] Before USB-C, every device shipped its own cable. Before MCP, every AI integration was bespoke. The standard is the shared port, and your notes are a device you can choose to plug in.
Why the growth happened so fast
MCP grew this fast because it solved a problem every AI company had and none wanted to solve twice. A standard connector means a tool built once works everywhere. By the project's own account, it became "one of the fastest-growing and widely-adopted open-source projects in AI," with first-class client support across every major platform.[5]
The numbers come from three independent primaries, all dated December 9, 2025, not a single vendor's marketing page. Anthropic's own announcement reports "97M+ monthly SDK downloads across Python and TypeScript" and "more than 10,000 active public MCP servers."[1] The project's lead maintainer repeats the figures.[5] The Linux Foundation, which now stewards the protocol, states "more than 10,000 published MCP servers" in its press release.[6] Mike Krieger, Anthropic's chief product officer, put it plainly: "When we open sourced it in November 2024, we hoped other developers would find it as useful as we did. A year later, it's become the industry standard for connecting AI systems to data and tools."[6]
What it means that agents can read your files
It means an agent can read a file in place, where it sits, in its own format, instead of you copying text into a chat box. An MCP server exposes a folder; the agent reads it through a client. The file itself never has to be uploaded to a vendor's storage.[4] The reaching happens on the file's home ground. One caveat a practitioner will want stated plainly: whatever the agent reads becomes part of the model's context, so if the model is hosted remotely, the contents of that read still travel to the model provider for that turn. What stays home is the file and the decision about which files to expose; what leaves is exactly what you let the agent read.
This is the inversion worth sitting with. For a decade the question was which app holds my notes. The agent era reframes it. The question is now can a tool reach my notes at all — and the answer is decided not by a feature you bought but by what your notes are made of and where they sit. A note locked in a proprietary database behind an export wall is hard to reach. A plain Markdown file in a folder on your own device is trivial to.[4] That asymmetry is the whole story, and it predates every screenshot of an agent doing something clever.
Reaching in is also a way in
An agent that can read your files is, by construction, an attack surface. The access that summarizes your folder can also exfiltrate it, and the usual path is not a bug in the server but the content itself: an agent that reads a note will act on instructions it finds there, so a folder is an input channel as well as a data source. Researchers building access controls for MCP found that "thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface."[7] This is the default risk the spec was written against, not settled safety.
The protocol's authors saw it coming and made consent a requirement, not a courtesy. The MCP specification's first key principle states that "users must explicitly consent to and understand all data access and operations" and "must retain control over what data is shared and what actions are taken."[8] But the specification also concedes its own limit: "MCP itself cannot enforce these security principles at the protocol level."[8] Mandated consent narrows the surface. It does not seal it.
So the honest framing is not that agents reading your files is safe. It is that ownership is the strongest mitigation you control. Files on your own device, in an open format, read in place, with nothing copied to a third party beyond what the agent is actually shown, give you the smallest possible blast radius and the clearest possible audit: you can see what a tool touched, because the tool reached into a folder you can open yourself. That is a risk reduced, not a risk removed.
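The folder-exposing server this section describes is a few dozen lines once the protocol framing is stripped away, and the two controls that matter are easy to see in code. The block below is an added illustration, not code from the MCP project, its SDKs, or mnmnote. It confines every read to one folder (resolving `..` and symlinks before comparing, so a link inside the folder that points outside it is refused), gates each read on a hypothetical per-resource approval standing in for the host's consent prompt, and records what was touched or refused. The sample notes, the folder layout, the `NotesServer` class and its method names are constructed for the example; the `contents` result shape is modelled on the spec's `resources/read` response and should be checked against the current spec before relying on it.

```python
"""Added illustration, not code from the MCP project, its SDKs, or mnmnote: the core of
a server exposing one folder of Markdown notes, with confined reads, a hypothetical
per-URI consent gate, and an audit trail. JSON-RPC framing over stdio is left out."""
from __future__ import annotations

import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from urllib.parse import unquote, urlparse


class AccessDenied(Exception):
    """The requested path is not inside the exposed folder."""


class ConsentRequired(Exception):
    """The user has not approved this resource for reading."""


@dataclass
class NotesServer:
    root: Path                                                  # the one folder this server may expose
    approved: set[str] = field(default_factory=set)             # URIs the user consented to (hypothetical)
    audit: list[tuple[str, str]] = field(default_factory=list)  # (outcome, path) per request, in order

    def __post_init__(self) -> None:
        self.root = self.root.resolve()  # canonical, so comparisons are against the real directory

    def _confine(self, uri: str) -> Path:
        """Map a file:// URI to a path proven to live under root. resolve() collapses
        '..' and follows symlinks, so file:///notes/../secret.txt and a symlink inside
        the folder that points outside it both land outside root and are refused."""
        parsed = urlparse(uri)
        if parsed.scheme != "file":
            self.audit.append(("deny", uri))
            raise AccessDenied(f"unsupported scheme {parsed.scheme!r}")
        candidate = Path(unquote(parsed.path)).resolve()
        if self.root not in candidate.parents:
            self.audit.append(("deny", str(candidate)))
            raise AccessDenied(f"{candidate} is outside {self.root}")
        return candidate

    def list_resources(self) -> list[dict[str, str]]:
        """resources/list: Markdown files that really live under root; links that escape are skipped."""
        found = []
        for p in sorted(self.root.rglob("*.md")):
            if p.is_file() and self.root in p.resolve().parents:
                found.append({"uri": p.as_uri(), "name": p.relative_to(self.root).as_posix(),
                              "mimeType": "text/markdown"})
        self.audit.append(("list", str(self.root)))
        return found

    def approve(self, uri: str) -> None:
        self.approved.add(uri)  # stand-in for the user's consent click on one resource

    def read_resource(self, uri: str) -> dict:
        """resources/read: confine, check consent, then read the file in place."""
        path = self._confine(uri)
        if uri not in self.approved:
            self.audit.append(("consent-required", str(path)))
            raise ConsentRequired(uri)
        text = path.read_text(encoding="utf-8")
        self.audit.append(("read", str(path)))
        # Result shape assumed from resources/read; verify against the current spec.
        return {"contents": [{"uri": uri, "mimeType": "text/markdown", "text": text}]}


def build_demo_folder() -> Path:
    """Constructed sample data: two notes in a temp folder, a secret outside it, and
    (where symlinks are allowed) a link inside the folder that escapes to the secret."""
    base = Path(tempfile.mkdtemp(prefix="mcp-notes-"))
    root = base / "notes"
    (root / "projects").mkdir(parents=True)
    (root / "todo.md").write_text("# Todo\n- read the MCP spec\n", encoding="utf-8")
    (root / "projects" / "mcp.md").write_text("# MCP\nplumbing for agents\n", encoding="utf-8")
    (base / "secret.txt").write_text("not a note\n", encoding="utf-8")
    try:
        (root / "escape.md").symlink_to(base / "secret.txt")
    except OSError:
        pass  # no symlinks here; the '..' traversal case still runs
    return root


if __name__ == "__main__":
    server = NotesServer(build_demo_folder())
    print("exposed:", [r["name"] for r in server.list_resources()])
    todo = (server.root / "todo.md").as_uri()
    try:
        server.read_resource(todo)  # refused until the user consents
    except ConsentRequired as e:
        print("consent required for", e)
    server.approve(todo)
    print(server.read_resource(todo)["contents"][0]["text"].strip())
    for bad in ((server.root / ".." / "secret.txt").as_uri(), (server.root / "escape.md").as_uri()):
        try:
            server.read_resource(bad)
        except (AccessDenied, ConsentRequired) as e:
            print("refused:", e)
    for outcome, path in server.audit:
        print(f"{outcome:<16} {path}")
```

Run it and the audit lines show the listing, a read refused before consent, the consented read, and the denials for the `..` traversal and the escaping symlink. Two things the block deliberately does not solve, because no server can: the text the agent is allowed to read still goes into the model's context, wherever that model runs, and a note that contains instructions will be read as instructions. Confinement and consent bound what the agent can reach; they do not make what it reaches trustworthy.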
What to do with this tomorrow
Treat the protocol as proof of a thesis you can act on without installing anything. The agent era rewards files that are reachable on your terms — open in format, owned in location, and connected only with your consent. Three concrete moves follow from that, and none of them require MCP itself.
- Keep the notes you care about in an open, plain-text format — Markdown reads cleanly to a person and to an agent, with no export step in between.
- Keep them on your own device rather than locked inside one vendor's account, so reachability is your decision and nothing is uploaded by default.
- When you do connect an agent, read the consent prompt — the spec puts you in control of what is shared and what is done; use that control deliberately.
The substrate MCP assumes is the same one that protects you: files you own, in a format anything can read.
Frequently Asked Questions
What is the Model Context Protocol (MCP)? MCP is an open standard for connecting AI applications to external systems — local files, databases, tools, and workflows. Anthropic open-sourced it in November 2024 and donated it to the vendor-neutral Agentic AI Foundation under the Linux Foundation in December 2025.[2][3] Think of it as a standard port between an agent and your data.[4]
How do AI agents read my files? An MCP server exposes a folder or resource; the agent connects through a client and reads the file in place, in its own format.[4] The file is not uploaded to a vendor's storage for the agent to see it, although what the agent reads does become part of the model's context and goes wherever that model runs. The official documentation lists "local files" among the data sources an MCP-connected agent can reach.[4]
Is MCP safe for my data? It is a genuine attack surface and a controllable one. Researchers found "thousands of MCP servers execute with unrestricted access to host systems."[7] The spec mandates that "users must explicitly consent to and understand all data access and operations,"[8] but cannot enforce that at the protocol level.[8] Ownership of the files is the mitigation you control.
Who created MCP and when? Anthropic introduced MCP and open-sourced it in November 2024.[2][6] In December 2025 it was donated to the Agentic AI Foundation, a Linux Foundation directed fund co-founded by Anthropic, Block, and OpenAI, which made the standard vendor-neutral rather than the property of any single company.[3][6]
Does an agent reading my notes mean they leave my device? Not wholesale, and not by default. MCP lets an agent read a file where it sits. If your notes are plain text on your own device, an agent can read them in place without the files being copied to a third-party server.[4] What does leave is the content of the specific resources you let the agent read, which is sent to the model as context; that is a decision you make through the consent flow, not an automatic consequence of connecting.[8]
What does this mean for where I keep my notes? It means format and location now decide reachability. Plain Markdown in a folder you control is the agent-ready substrate — easy for a tool to read, easy for you to audit, nothing locked behind an export wall.[4] A note trapped in a proprietary silo is the opposite on every count.
The protocol that taught agents to reach into your files did not change what a good note is. It revealed it. In 2019 Ink & Switch's local-first researchers argued you should own your data in spite of the cloud;[9] the agent era simply adds that owned, open files are also the ones a tool can use — on your terms, where you can see it happen. If your notes are plain text on your own device, you were already ready, and the next thing to read is how that same format makes them AI-ready without any conversion, how you can feed them to a model as memory, and how to get an AI's outputs back out as notes you keep.
The fastest-growing protocol in AI is, underneath the velocity, an argument for the most boring file you own.
To keep notes that any agent can reach and you can still open yourself, mnmnote.com lives in your browser — plain Markdown, on your own device.
Footnotes
1. "Donating the Model Context Protocol and Establishing the Agentic AI Foundation," Anthropic, https://www.anthropic.com/news/donating-the-model-context-protocol-and-establishing-of-the-agentic-ai-foundation, published 2025-12-09, accessed 2026-06-08.
2. "Model Context Protocol," Wikipedia, https://en.wikipedia.org/wiki/Model_Context_Protocol, accessed 2026-06-08.
3. "Linux Foundation Announces the Formation of the Agentic AI Foundation," Linux Foundation, https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation, published 2025-12-09, accessed 2026-06-08.
4. "What is the Model Context Protocol (MCP)?", official MCP documentation, https://modelcontextprotocol.io/docs/getting-started/intro, accessed 2026-06-08.
5. David Soria Parra, "MCP joins the Agentic AI Foundation," Model Context Protocol blog, https://blog.modelcontextprotocol.io/posts/2025-12-09-mcp-joins-agentic-ai-foundation/, published 2025-12-09, accessed 2026-06-08.
6. Mike Krieger, quoted in "Linux Foundation Announces the Formation of the Agentic AI Foundation," Linux Foundation, https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation, published 2025-12-09, accessed 2026-06-08.
7. Christoph Bühler, Matteo Biagiola, Luca Di Grazia, Guido Salvaneschi, "AgentBound: Securing Execution Boundaries of AI Agents," arXiv:2510.21236, submitted 2025-10-24, https://arxiv.org/abs/2510.21236, accessed 2026-06-08.
8. "Specification (2025-06-18) — Security and Trust & Safety," Model Context Protocol, https://modelcontextprotocol.io/specification/2025-06-18, accessed 2026-06-08.
9. Martin Kleppmann, Adam Wiggins, Peter van Hardenberg, Mark McGranaghan, "Local-first software: You own your data, in spite of the cloud," Ink & Switch, April 2019, https://www.inkandswitch.com/essay/local-first/, accessed 2026-06-08.