Strategy · 10 min read
MCP isn't enough — and the critics are half right
Garry Tan said "MCP sucks honestly." Pieter Levels called it useless. Perplexity moved away from it internally. They got the context window complaint wrong. They got the structural problem right. This is what is actually missing.
The framing comes from Thomas Scola's March 2026 essay MCP Is Not Enough. We are repurposing it here because the critique applies to anyone shipping multi-MCP setups in 2026 — and it maps directly to where MCPFlix sits.
What the critics actually said
Three loud voices, one common complaint: MCP servers stuff the context window full of tool definitions, and accuracy degrades once you connect more than 30 or 40 tools. The fix, the critics said, is to skip MCP and have the agent call tools as code in a sandbox.
They are not wrong about the symptom. They are wrong about the cause. Anthropic shipped Code Mode in late 2025, which cut per-tool context overhead by 98.7% by letting the agent load tool definitions on demand instead of front-loading every one of them into the prompt. The context window problem is essentially solved by the tooling around the protocol. If MCP is still failing you in 2026, it is not because of token bloat.
The real gap
MCP is a wire format. It tells you how a client and a server talk to each other. It does not tell you who the agent is, what it is allowed to do, where to find more agents, or how to enforce policy across all of them. There are four layers above transport that nobody standardized, and that is the part where teams keep getting hurt.
The four missing layers
1. Agent identity that travels across frameworks
An agent running on LangChain today might run on CrewAI next quarter and on the Claude Agent SDK after that. Today, the "agent" is whatever the host framework says it is — a string in a YAML file, maybe a UUID, maybe nothing. There is no portable identity.
What you actually want: a signed identity, owned by the agent author, recognized by every transport and every host. Same agent, same credentials, same audit trail — wherever it runs.
2. Manifests that are contracts, not metadata
MCP manifests describe what a server can do. They do not describe what it will do, or what it must not do. The difference matters the first time a community server gets quietly updated to BCC every outbound email to an attacker, which is what happened to an unofficial Postmark MCP server on npm in September 2025: roughly 1,500 weekly downloads, silently compromised.
A manifest-as-contract declares behavior the server is committing to, and exposes a way for the host to enforce that commitment at runtime. Anything not declared is denied. Anything declared but violated is logged.
3. Decentralized discovery
Today, agent discovery is a registry someone controls. Anthropic has one. OpenAI has one. Smithery has one. MCPFlix has one. None of them talk to each other, and the agent has no way to choose between them based on trust signals.
Decentralized discovery means: any agent can publish a capability announcement, any host can verify the publisher, and the host picks based on a verifiable trust graph — not on which registry happened to be hard-coded in the SDK.
4. Policy enforcement that lives in the protocol
"The agent should not delete production data." Today, that rule lives in a README, in a Slack thread, and in the head of one person on the team. Sometimes it lives in a hook on one developer's machine. It does not live in the protocol.
Policy-as-protocol means: the rule rides with the agent, gets evaluated at every tool call by every host, and produces an audit event the security team can pull after the fact. The host cannot opt out. The user cannot accidentally turn it off.
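Layers 2 and 4 come down to one check at the tool-call boundary, so one example serves both. The following is an added example, not MCPFlix code or anything from the MCP spec: a hypothetical manifest in which an email server declares its tools, their parameters and the host it may contact, a policy rule that travels with the agent, and a host that denies undeclared calls, blocks policy violations, and flags a declared-but-violated contract when the sandboxed server's outbound request carries a recipient the caller never named. The manifest shape, the policy rule shape, and the sandbox egress proxy that lets the host observe outbound requests are all assumptions.

```python
"""Manifest-as-contract plus policy-as-protocol, enforced at the tool-call boundary.

Added example, not code from MCPFlix or from the MCP spec. Assumed for
illustration: the manifest's `declares` shape, the policy rule shape, and a host
that runs the server in a sandbox whose egress proxy lets it see what the server
actually sends out (host and recipients of each outbound request).
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Constructed manifest: what an email server commits to do, and therefore what it must not do.
MANIFEST = {
    "server": "example-email-mcp",
    "declares": {
        "send_email": {
            "params": {"to", "subject", "body"},   # any other argument is undeclared
            "egress": {"api.mail.example"},         # the only host it may contact
            "recipients_from": "to",                # outbound recipients must come from this param
        },
        "delete_mailbox": {"params": {"mailbox", "environment"}, "egress": {"api.mail.example"}},
    },
}

# Constructed policy that rides with the agent and is evaluated on every call, by every host.
POLICY = [
    # (tool glob, param name, forbidden value, rule id)
    ("delete_*", "environment", "production", "no-prod-deletes"),
]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Host:
    manifest: dict
    policy: list[tuple[str, str, str, str]]
    audit: list[dict] = field(default_factory=list)

    def _log(self, event: str, **details) -> None:
        # Every decision, allow or deny, becomes an audit event the security team can pull later.
        self.audit.append({"event": event, **details})

    def check_call(self, tool: str, params: dict) -> Decision:
        """Policy and contract check before the call is forwarded to the server."""
        for pattern, key, forbidden, rule in self.policy:
            if fnmatch.fnmatch(tool, pattern) and params.get(key) == forbidden:
                self._log("deny.policy", tool=tool, rule=rule)
                return Decision(False, f"{tool} blocked by policy {rule}")
        spec = self.manifest["declares"].get(tool)
        if spec is None:
            self._log("deny.undeclared_tool", tool=tool)   # not declared: denied
            return Decision(False, f"{tool} is not declared in the manifest")
        extra = sorted(set(params) - spec["params"])
        if extra:
            self._log("deny.undeclared_params", tool=tool, params=extra)
            return Decision(False, f"{tool} called with undeclared params {extra}")
        self._log("allow", tool=tool)
        return Decision(True, "ok")

    def check_egress(self, tool: str, params: dict, host: str, recipients: list[str]) -> Decision:
        """Contract check on what the server actually sent, as observed by the sandbox proxy."""
        spec = self.manifest["declares"].get(tool)
        if spec is None or host not in spec["egress"]:
            self._log("violation.egress_host", tool=tool, host=host)
            return Decision(False, f"{tool} contacted undeclared host {host}")
        allowed = set(params.get(spec.get("recipients_from", ""), []))
        leaked = sorted(set(recipients) - allowed)
        if leaked:
            # Declared but violated: a quietly added BCC shows up here, not in the call.
            self._log("violation.recipients", tool=tool, leaked=leaked)
            return Decision(False, f"{tool} added undeclared recipients {leaked}")
        self._log("allow.egress", tool=tool, host=host)
        return Decision(True, "ok")


def demo() -> list[dict]:
    """Walk one compromised-server scenario and return the audit trail it leaves."""
    host = Host(MANIFEST, POLICY)
    call = {"to": ["alice@example.org"], "subject": "Q3 numbers", "body": "attached"}
    host.check_call("send_email", call)
    # Constructed: the request the server really made, with a recipient the user never asked for.
    host.check_egress("send_email", call, "api.mail.example",
                      ["alice@example.org", "exfil@attacker.example"])
    host.check_call("delete_mailbox", {"mailbox": "alice", "environment": "production"})
    host.check_call("read_mail", {"mailbox": "alice"})
    return host.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The point of the split between `check_call` and `check_egress` is that a server compromised the way the Postmark package was does not misbehave in the call it receives; it misbehaves in the request it makes. A contract that is only checked against the agent's arguments would have passed it. The egress check is what turns "declared but violated" into a logged event, and the policy check runs before the manifest lookup so that it applies no matter which server the tool belongs to.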
Where MCPFlix sits
MCPFlix is the composition layer above MCP. Each of the four missing concerns gets a concrete place in the product:
| Missing layer | Where it lives in MCPFlix | What that buys you |
|---|---|---|
| Identity | Publisher accounts | Every Skill and stack on MCPFlix is signed by an account. Forks, versions, and reputation all attach to the publisher, not to a filename someone could spoof. |
| Manifests as contracts | Bundles | A bundle declares which MCPs and Skills go together, which OAuth posture is required, and which capabilities are out of scope. The bundle is the contract. |
| Decentralized discovery | Stack Planner | /plan-stack picks MCPs based on your prompt, OAuth posture, install count, and review signal, not on a hard-coded list. Any publisher can land in the recommendation. |
| Policy enforcement | Recommended Skills per bundle | Each bundle ships with the Skills (hooks, validators, lints) that enforce its declared behavior. Install the bundle and the policy comes with it. |
A concrete sub-problem: OAuth posture
Pick any MCP server in the wild and you get one of five answers to "how does this thing authenticate?"
| Tier | Posture | Prevalence / status |
|---|---|---|
| ❌ | No auth at all | ~41% of MCPs |
| 🟡 | Static API key / PAT | ~53% of community servers |
| 🟢 | OAuth 2.1 + PKCE | vendor servers, growing |
| 🟢🟢 | + DCR (dynamic client registration) + PRM (protected resource metadata) + Resource Indicators | required by the March 2026 spec |
| 🟢🟢🟢 | + Software Statements (signed JWT at registration) | enterprise track |
Astrix Security counted 1,800+ MCP servers on the public internet with no auth at all in 2025. A bundle that promises a workflow without also declaring the OAuth posture of every MCP inside it is not a contract — it is a vibe. MCPFlix surfaces the posture per listing and refuses to recommend a bundle whose components disagree.
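As an added example (not MCPFlix code), here is how a host could derive the tier from what OAuth discovery actually exposes and then refuse a bundle whose components disagree. The protected-resource metadata (RFC 9728) and authorization-server metadata (RFC 8414) fields used below are real; there is no standard discovery flag for Resource Indicators (RFC 8707) support or for a software-statement requirement, so those are modelled as booleans the host is assumed to have learned by probing. The record shape, the sample servers and the bundle rule are constructed for illustration.

```python
"""Classify an MCP server's OAuth posture and refuse bundles whose components disagree.

Added example, not MCPFlix code. `protected_resource_metadata` and
`auth_server_metadata` follow RFC 9728 / RFC 8414 documents; the two booleans
are assumptions (no standard metadata flag exists for them). Sample servers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Posture(IntEnum):
    """The five tiers from the table above, ordered weakest to strongest."""
    NONE = 0          # no auth at all
    STATIC_KEY = 1    # static API key / PAT
    OAUTH_PKCE = 2    # OAuth 2.1 + PKCE
    OAUTH_FULL = 3    # + DCR + PRM + Resource Indicators
    OAUTH_SIGNED = 4  # + Software Statements (signed JWT at registration)


@dataclass
class ServerAuth:
    """What a host can learn about one MCP server's auth (constructed record shape)."""
    name: str
    requires_auth: bool = False
    static_key: bool = False
    protected_resource_metadata: dict | None = None  # RFC 9728 document, if the server publishes one
    auth_server_metadata: dict | None = None         # RFC 8414 document of the AS the PRM points at
    resource_indicators_supported: bool = False      # assumed: learned by probing, not from metadata
    software_statement_required: bool = False        # assumed: registration policy, not from metadata


def classify(s: ServerAuth) -> Posture:
    if not s.requires_auth:
        return Posture.NONE
    asm = s.auth_server_metadata
    if s.static_key or asm is None:
        return Posture.STATIC_KEY
    if "S256" not in asm.get("code_challenge_methods_supported", []):
        # OAuth without PKCE is pre-2.1. The table has no tier for it, so this example
        # conservatively ranks it with static credentials rather than with OAuth 2.1.
        return Posture.STATIC_KEY
    prm = s.protected_resource_metadata or {}
    full = (
        "registration_endpoint" in asm               # DCR advertised (RFC 7591 via RFC 8414)
        and bool(prm.get("authorization_servers"))   # PRM present and pointing at an AS (RFC 9728)
        and s.resource_indicators_supported          # RFC 8707
    )
    if not full:
        return Posture.OAUTH_PKCE
    return Posture.OAUTH_SIGNED if s.software_statement_required else Posture.OAUTH_FULL


@dataclass
class Verdict:
    effective: Posture       # a bundle is only as strong as its weakest component
    below_floor: list[str]   # components that miss the posture the bundle declares
    mixed: bool              # components disagree about how they authenticate

    @property
    def recommend(self) -> bool:
        return not self.below_floor and not self.mixed


def evaluate_bundle(required: Posture, servers: list[ServerAuth]) -> Verdict:
    postures = {s.name: classify(s) for s in servers}
    below = sorted(name for name, p in postures.items() if p < required)
    return Verdict(min(postures.values()), below, len(set(postures.values())) > 1)


# Constructed sample servers, one per tier.
SAMPLE = [
    ServerAuth("local-files"),
    ServerAuth("issue-tracker", requires_auth=True, static_key=True),
    ServerAuth("vendor-crm", requires_auth=True,
               auth_server_metadata={"code_challenge_methods_supported": ["S256"]}),
    ServerAuth("vendor-docs", requires_auth=True,
               protected_resource_metadata={"authorization_servers": ["https://as.example"]},
               auth_server_metadata={"code_challenge_methods_supported": ["S256"],
                                     "registration_endpoint": "https://as.example/register"},
               resource_indicators_supported=True),
    ServerAuth("enterprise-erp", requires_auth=True,
               protected_resource_metadata={"authorization_servers": ["https://as.corp.example"]},
               auth_server_metadata={"code_challenge_methods_supported": ["S256"],
                                     "registration_endpoint": "https://as.corp.example/register"},
               resource_indicators_supported=True, software_statement_required=True),
]

if __name__ == "__main__":
    for server in SAMPLE:
        print(f"{server.name:15} {classify(server).name}")
    print(evaluate_bundle(Posture.OAUTH_PKCE, SAMPLE[1:3]))
```

Two design choices are worth noting. The effective posture of a bundle is the minimum over its components, because a workflow that chains a PKCE-protected CRM to a PAT-authenticated issue tracker is exactly as exposed as the issue tracker. And `mixed` is surfaced separately from `below_floor`: a bundle can clear its declared floor and still have components that disagree, which is the case the page says a planner should decline to recommend rather than paper over.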
What this means for you
If you are building agents in 2026, the question is not "MCP or not MCP." MCP is the wire. The question is which layer you are missing — and where you are getting it from.
- Identity — a signed publisher, or you are trusting filenames.
- Contracts — declared behavior, or you are trusting a README.
- Discovery — a marketplace with a trust graph, or you are trusting whoever first submitted a PR to a registry.
- Policy — enforced at every tool call, or you are trusting good intentions.
The critics are right that MCP alone is not enough. The mistake is thinking the answer is to throw MCP out. The answer is to keep the transport and add the four layers above it — which is what the next generation of agent infrastructure (MCPFlix included) is being built to do.
Related
- Five-tool carpentry — when MCP is the wrong choice in the first place.
- Cleanup your Claude Code — the cost of stacking MCPs without a policy layer above them.
References
- Thomas Scola, MCP Is Not Enough, Medium, March 2026. medium.com/@thomasscola
- Astrix Security, State of MCP Authentication 2025 — 1,800+ unauthenticated MCP servers, 53% rely on static API keys.
- Anthropic, Code Mode — context overhead reduction, late 2025.
- Postmark unofficial MCP incident, September 2025 (silent BCC attack, ~1,500 weekly downloads compromised).