MCP Weekly: The Rise of the Agentic Web and National-Scale AI

Welcome to the latest installment of the MCP Weekly Digest, covering major developments from December 18th through December 25th, 2025. As more money pours in and agents grow more capable, security and control are now first-order concerns.

TL;DR

The "Agentic AI" environment is continuously changing as Anthropic donated MCP to the Agentic AI Foundation (AAIF) under the Linux Foundation. The U.S. The Department of Energy (DOE)  on the other side launched the "Genesis Mission" with Anthropic, a $320 million initiative using MCP and custom "Skills" to double American research productivity. 

However, the week also brought a critical "reality check" in security, as a high-severity RCE vulnerability (CVE-2025-64106) in the Cursor IDE’s MCP Vulnerability exposed the risks of trusting AI installation workflows.

Major Updates: The Anthropic Ecosystem

Anthropic has refined its architectural framework by decoupling MCP and Skills, While MCP handles the "how" of connecting to tools like GitHub or Notion, the new Agent Skills standard provides the "why" and "when", encoding institutional knowledge into portable, reusable instruction sets.

‍

OpenAI & The Frontier of Reasoning

OpenAI launched GPT-5.2-Codex on December 18, 2025, specifically optimized for agentic software engineering and complex, real-world repository tasks. Built for long-horizon tasks, it utilizes "context compaction" to sustain extended sessions, allowing it to perform large-scale refactors and migrations without losing track of project goals.

‍

ChatGPT Atlas: Defending Against Prompt Injection

OpenAI released a major security update for the ChatGPT Atlas browser's "Agent Mode" to combat sophisticated prompt injection. The update features an adversarially trained model and an automated "AI Red Teaming" system that uses reinforcement learning to simulate hackers. This defense targets "indirect injections", where malicious instructions hidden in emails or webpages could hijack the agent to perform unauthorized actions like sending financial transactions or resignation letters.

Agent Security: The Cursor RCE Reality Check

Security firm Cyata Security uncovered a high-severity Remote Code Execution (RCE) vulnerability (CVE-2025-64106) in the Cursor IDE. The exploit abused the MCP installation workflow, using deep-links to mask malicious system-level commands behind the branding of trusted tools like Playwright. This discovery emphasizes that as AI IDEs grant agents system-level permissions, the installation UI must be treated as a hardened security boundary rather than a convenience. Cursor 1.7 normalized file paths and compared them case-insensitively. 

My Thoughts: What National Scale Agentic AI Means for MCP Security and Trust

Large-scale government use changes the tone of this entire space. When agents are trusted with national research workloads, safety and control stop being optional. It pushes the ecosystem toward more clearer boundaries, better defaults, and systems that can hold their rules over long, complex tasks without drifting.

It’s also encouraging to see more restraint built in where it matters. Stronger protections for younger users and deeper work on making model reasoning easier to supervise show a shift toward responsibility. The future of agents will depend less on intelligence alone and more on reliability, limits, and trust.

‍