Token Efficiency Drives the Cost Debate
MCP’s TypeScript SDK reached 48 million weekly downloads, its largest usage week ever. Token efficiency is a central debate because it impacts cost and agent efficacy. Claude Code now uses Anthropic’s tool search by default, saving tokens. Progressive discovery through skills or plugins offers lazy loading but risks the model failing to invoke the right tool. Model round trips, prompt caching, and context rot all influence costs. Copilot CLI downloads large tool responses locally for use with GP tools. Each approach shifts the balance of time, money, and efficacy.
CLIs Leak Tokens, MCP Controls Access
CLIs leak tokens. The gh token command prints the active token. Even feeding tokens via an environment variable leaves them exposed. MCP clients keep tokens encrypted and away from the model, and use an OAuth flow for remote servers. Agents with CLI access can run sudo commands. On Ubuntu, one sudo allows any sudo for 15 minutes. Agents also attempt to unblock themselves by disabling security tools. MCP allows trivial reduction of tool surface via per-tool permissions.
MCP Distinguishes Users from Agents by Design
MCP is the only surface that distinguishes between user and agent as a specification contract. Tool descriptions, icons, and secure URL elicitation are all user-facing. Services can identify MCP actions as agent-driven. MCP annotations allow granular policy for when to prompt user verification. CLI client developers only have allow lists or aggressive confirmation. MCP also supports remote servers for non-coding environments like mobile app chats. This matters for enterprise compliance and audit. Remote MCP is already available to any agent.
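The per-tool permissions and annotation-driven prompting described above can be combined in one client-side gate. The sketch below is an added example, not code from the talk or from any MCP client: the tool names, the allowlist and the allow/prompt/deny policy are constructed assumptions, while readOnlyHint and destructiveHint and their defaults follow the MCP tool annotation fields.

```typescript
// Added example: client-side policy gate over MCP tool annotations.
// Tool names, allowlist and policy are constructed for illustration.
type Annotations = { readOnlyHint?: boolean; destructiveHint?: boolean };
type Tool = { name: string; annotations?: Annotations };
type Decision = "allow" | "prompt" | "deny";

// Per-tool permissions: anything not listed is never exposed to the model.
const ALLOWED_TOOLS = new Set(["get_issue", "add_issue_comment", "delete_branch"]);

// When a hint is absent, fall back to the spec defaults, which are the
// pessimistic ones: not read-only, and potentially destructive.
function effective(a: Annotations = {}): Required<Annotations> {
  return {
    readOnlyHint: a.readOnlyHint ?? false,
    destructiveHint: a.destructiveHint ?? true,
  };
}

function decide(tool: Tool, serverTrusted: boolean): Decision {
  if (!ALLOWED_TOOLS.has(tool.name)) return "deny";
  // Annotations are hints; from an untrusted server they prove nothing,
  // so every permitted call still goes to the user.
  if (!serverTrusted) return "prompt";
  const a = effective(tool.annotations);
  if (a.readOnlyHint) return "allow";
  if (a.destructiveHint) return "prompt";
  return "allow"; // additive, non-destructive write
}

// The reduced tool surface that is actually advertised to the model.
function exposedTools(tools: Tool[]): string[] {
  return tools.filter((t) => ALLOWED_TOOLS.has(t.name)).map((t) => t.name);
}

// Constructed listing, shaped like the tools in a tools/list result.
const SAMPLE_TOOLS: Tool[] = [
  { name: "get_issue", annotations: { readOnlyHint: true } },
  { name: "add_issue_comment", annotations: { destructiveHint: false } },
  { name: "delete_branch", annotations: { readOnlyHint: false } },
  { name: "run_shell" },
];

for (const t of SAMPLE_TOOLS) console.log(t.name, decide(t, true));
```

Because an omitted destructiveHint defaults to true, a tool that declares nothing is treated as destructive and prompts rather than running silently.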
The Wrong Question: MCP vs CLIs
Solo developers, enterprise teams, and mobile chat workers need different agent environments. Morrow argued that MCP vs CLI is the wrong question. Plugins for context bundling may become a spec. No current approach is dead. MCP will evolve to places other solutions cannot go. Token optimization and security for the general case remain unsolved. Extrapolating personal experience to universal truth is a mistake. Morrow pointed to NVIDIA’s OpenShell as a policy layer with gaps. GitHub invests heavily in sandboxing agentic workflows, but configuration is a constant friction.
Notable Quotes
“It’s GitHub’s MCP’s largest usage week ever.” Sam Morrow (2:27)
“I think MCP versus CLI is the wrong question to ask.” Sam Morrow (24:09)
“I would just say CLI and skills do not have better security postures than MCP at all.” Sam Morrow (17:16)
Key Takeaways
- MCP’s TypeScript SDK hit 48 million weekly downloads; token optimization and progressive discovery are active trade-offs.
- CLIs expose full tool surfaces and leak tokens; MCP’s specification separates user and agent for better control.
- No approach is dead; the debate is a non-argument because each environment demands different primitives.
About the Speaker(s)
Sam Morrow is a Senior Software Engineer at GitHub, where he leads development of the GitHub MCP server. He works on AI developer tools and helps shape agentic workflows at GitHub. In a past life he was also a professional drummer.