In the previous chapter, we ran a minimal agent that connects tools to the brain (LLM) and turns its own loop. That experience should have made one thing clear — an agent's capability is decided almost entirely by "what tools it's connected to." In this chapter, we escape the grind of hand-building those tools every time and learn to connect to external tools and data in a standard way, through a common standard called MCP (Model Context Protocol). MCP was born with Claude and is now becoming the industry-wide standard for connection.

What you'll gain in this chapter

The goal: "connect safely via a standard, without hand-building tools"

Understand how MCP works
Grasp the client-and-server relationship and the idea of a "plug it in and it works" common standard.
Leverage existing servers
Get a feel for connecting ready-made MCP servers — files, DBs, search, SaaS, and more.
Hand over tools safely
Learn the principles of how to hand over tools — least privilege, quality of descriptions, and handling dangerous tools.

Why tool integration is the crux of an agent

An LLM on its own, no matter how smart, can only "produce words." Knowing the latest stock count, writing a single line to a file — none of that is possible without a means to touch the outside world. An agent can turn its "investigate, execute, verify" loop only because it holds tools that act on the outside.

In other words, the ceiling of an agent's capability is set by the quality and number of tools it's connected to. With the same LLM, an agent that has only a calculator and one connected to a database, search, files, and internal APIs can do wildly different things. It's not unusual for connecting good tools precisely to boost perceived capability far more than swapping in a fancier brain.

💡 "Well-equipped" beats "smart." Even a brilliant person can do nothing with an empty toolbox. Much of the time in agent development actually goes into designing "which tools to hand over, and how to do it safely." This chapter is at the core of that.

The limits of raw tool definitions

In the previous chapter, we defined tools by hand. Write a function, pass its name, arguments, and description to the LLM, and run it and return the result when a call comes in — this flow itself is correct, and still fundamental. The problem is rebuilding this from scratch every time, per tool, per project.

Take a "tool that searches a database," for example. Write the connection handling, assemble the query, format the result, handle errors, deal with credentials safely… Everyone implements this whole set on their own — in your project, in the team next door, in a different language. The same tool is being reinvented over and over by developers worldwide — that's the reality of raw tool definitions.

🔁 Hard to reuse

A tool written for one project is bound to that framework and that language, making it hard to carry elsewhere.

🧱 N×M combinatorial hell

Connecting M kinds of tools to N agent platforms needs, in theory, N×M pieces of connection code.

🔧 Maintenance scatters

Every time a connected service's spec changes, you end up fixing your home-grown tools scattered all over, one by one.

This is a lot like the era when every peripheral needed its own dedicated cable. A dedicated port for the printer, another for the mouse — the more devices, the more the kinds of connections explode. With a "common port," this hassle disappears all at once. That's where MCP comes in.

What MCP is — a common standard for tool connection

MCP (Model Context Protocol) is an open standard for connecting AI to external tools and data in a standard way. Anthropic released it for Claude at the end of 2024, and various AI tools and services adopted it afterward. As of 2026 it's widely adopted across vendors and is growing into an industry standard cultivated under neutral governance. What matters is that it's a common specification anyone can implement, not the product of a single company.

In a phrase, the idea of MCP is "USB for AI tool connection." Just as USB let peripherals from any manufacturer work through the same port, a tool that supports MCP "plugs in and works" with any MCP-capable agent. By having builders and users follow the same set of conventions, N×M combinatorial hell folds down to "N + M."

🧑‍💻 MCP client
The agent (the side that uses tools)

The agent you build, or an app such as Claude, sits here. It's the side that asks the server "what tools are connected now?" and calls the tools it needs.

🔌 MCP server
The side that provides tools

The side that bundles and exposes capabilities as "tools" — file operations, DB search, SaaS integration. A single server can hold multiple tools.

The two converse via a fixed procedure. When the client connects, it first receives from the server "a list of usable tools" and "the description and arguments of each." The LLM looks at that list, picks a tool that fits the goal and calls it, and the server executes and returns the result — this round-trip working without per-tool custom implementation is the crux of MCP.

The basic MCP exchange (illustrative)
Client -> Server : "Tell me the tools you have"
Server     -> Client : "search_docs / read_file / query_db — three, with these descriptions"
LLM decides: "Let's call query_db with args {sql:"..."}"
Client -> Server : "Run query_db"
Server     -> Client : "Here's the result: these rows"

There are mainly two ways to expose a server: the local type, run as a process on your own machine, and the remote type, connected to over a network. Local suits your own files and a development DB; remote suits team-shared SaaS integrations and the like. Both share the same convention of "receive a tool list and call," and the client-side handling barely changes.

📖 Start from the big picture. Reading the "What is MCP" explainer, which gently sorts out MCP's origins, terminology, and adoption, first will make this chapter go down smoothly. The details of the spec and its versions evolve fast, so always check the latest in the official docs before implementing.

Using and building MCP servers

The best part of MCP is that you can use servers already published out in the world as-is. For most commonly used tools, someone has already prepared an MCP server. Connect it to your own agent and its capability grows all at once, without reinventing the wheel.

📁 Files / local

Read/write a designated folder. A foundation for having it read documents or write out deliverables.

🗄 Database

Run SQL and inspect schemas. It can answer "total this up" by querying real data.

🔎 Search / retrieval

Web search or internal knowledge search. Becomes an "investigating hand" that pulls in fresh information and evidence.

☁ Various SaaS integrations

Issue tracking, chat, storage, and so on. Turn your existing business tools into the agent's hands and feet.

The connection procedure itself is simple. Just start the server you want (or specify its URL) and register the server's location and credentials in the client-side settings. After that, the agent receives the tool list on connection and calls tools as needed. You don't need to write "the guts of a DB search tool." Your job becomes combining the provided tools to fit your goal.

⚠️ "It's handy, so connect everything" is a mistake. Every server you add means as many more tool descriptions passed to the LLM, scattering its judgment and widening the room for misuse. The rule is to connect only the tools that agent truly needs for its purpose. Too many tools actually lower accuracy.

You can build your own server too

For a tool with no ready-made server — an in-house proprietary API, special business logic — you can simply write your own MCP server. This is MCP's beauty: once you publish it as a server, any compatible agent can use it the same way. A tool built for one project can be reused in the next project, and by another agent on the team, with no rewrite.

The guts of building a server are: "define the capability you want to provide as a tool, declare its name, arguments, and description, and when called, run the processing and return a result." The idea is the same as the raw tool definitions you wrote in the previous chapter, but the decisive difference is that the output goes not to "a specific agent" but to "the common MCP port." The effort to build is one-time; the reuse is endless.

🛠 If you're going to dive into implementation. For concrete code to build agents and tool connections with Claude, Getting started with the Claude Agent SDK is practical. The SDK has built-in mechanisms for handling MCP servers, and both connecting ready-made servers and building your own can be done by following the steps in the official docs.

What tools to give, and how

Once you can "connect" tools, the next question is "what to give, and how." This is the design crux that governs an agent's quality and safety, and it's also the foundation for the chapters ahead. Let's pin down three principles.

① Keep privileges minimal

Give only the tools and scope that task needs. "If reading is enough, don't hand over write access." A read-only limited account for a DB, only the target folder for files — that's the baseline.

② The description quality is everything

The LLM decides whether to use a tool relying solely on its description. Concretely write "what the tool does, when to use it, what the arguments mean, and when it must not be used." A vague description breeds misuse.

③ Treat dangerous tools separately

Don't place irreversible operations — writing, deletion, billing, command execution — on the same footing as read-only ones. Always attach pre-execution confirmation, target restriction, and logging.

③ is especially important. "Investigating" tools (search, reference, reading) rarely cause much harm if called by mistake. But "changing" tools (writing, deletion, sending, execution) can produce irreversible results from a single misstep. The rule is to deliberately separate read-only from write tools and layer extra guards on the latter.

Type Examples Risk How to hand it over
Read-only Search, reference, file reading Lower (mind how you handle the information) Relatively freely. Narrow the scope
Write File updates, DB writes, sending High (hard to undo) Confirmation, restriction, logging required
Execution Command execution, external calls, billing Highest (gateway to runaways and abuse) Guard by default + insert human approval

🔒 We do this thoroughly in Chapter 6. Controlling dangerous tools, defending against prompt injection, and designing approval flows are unavoidable themes for putting an agent into production. We cover them together in Chapter 6, "Guardrails and safety," so for this chapter just take away the sense that "tools differ in how dangerous they are." Not carelessly connecting untrusted MCP servers is another important habit.

Advanced tools such as browser control

Among tools, one that has drawn particular attention recently is browser control. Look at the screen, follow links, fill in forms, press buttons — if you can hand the operations a human performs in a browser to an agent, many web services with no dedicated API turn into its "hands and feet." Implementations that provide browser control as an MCP server have appeared, and the barrier to connecting has come down.

That said, this is also one of the most powerful and highest-risk tools. The danger of taking on-screen instructions at face value (manipulation, disinformation), unintended clicks or submissions, exposure of credentials — the cautions for "execution" tools in the previous section apply squarely. The wise course is to start with read-leaning uses like browsing and information retrieval, and add careful guards around operations that involve writing.

🌐 How much can you delegate? The realistic capabilities and limits of browser-control agents are examined concretely in How far can AI automate browser tasks. Keeping the sense of "not a cure-all, but practical if you narrow the use case" will keep your tool choices steady.

Browser or not, the more advanced a tool, the more "what it can do" and "what might happen" grow in proportion. The stronger the tool you hand over, the more carefully you apply the three principles of privilege, description, and guards — that's the message this chapter has repeated throughout.

Chapter summary
  • An agent's capability is decided by the quality and number of tools it's connected to. Tool design often matters more than the brain.
  • Hand-building raw tools is hard to reuse and turns into N×M combinatorial hell. You come to want a common port.
  • MCP is an open standard for connecting AI and external tools in a standard way. It's a "USB for AI" where client (user) and server (provider) converse by the same conventions.
  • Ready-made MCP servers (files/DB/search/SaaS) can be plugged in and used, and custom tools can be made into your own servers and reused.
  • The principles for handing over tools are ① least privilege ② quality of descriptions ③ treat dangerous tools separately. The stronger the tool — like browser control — the more careful.

Once you know how to equip tools, the next stage is "scaling up the agents." We move on to designs that divide and coordinate work — too much for one agent — across several. In the next chapter, Chapter 4, "Multi-agent design," let's learn division of labor and coordination between agents (A2A).