Model Context Protocol Tools in Legal LLM Deployments

The use of large language models – the technology behind ChatGPT, Claude, and other “AI” service providers – bears heavily on the legal profession. The American Bar Association reports that adoption rates for the tools is highly correlated to firm environment, with capital rich big players adopting usage at nearly half of all large firms, but less than a fifth at small firms.¹

That is unfortunate. Small firms (less than 6 attorneys) comprise 75% of all attorneys.² Small firms provide significantly more “unbundled” legal services arrangements,³ filling gaps in access to justice for the great bulk of the population that cannot (or will not) employ large firms.

The use of model context protocol (“MCP”) tools is one quick, easy and inexpensive way for small law firms to adopt highly beneficial AI technologies without undertaking the type of capital intensive development projects typical of large firm AI usage. MCP tools are an open standard application-level protocol that enable AI systems (LLMs like Claude, GPT, etc.) to connect with and use external tools, APIs, data sources, or services.⁴ In effect, an MCP tool is like a universal adapter that allows LLMs to manipulate data using natural language. For instance, using an MCP tool, you can type into Claude or Chat GPT⁵ using natural language and have it update your case notes, contact notes, or tasks.

For example, in an environment with less resources for note taking and file organization, you can use a model context protocol tool to mass update contacts in your client database; to create a call note for a particular client, saving it to the client’s matter record; to survey tasks assigned to tasks (“Show me Jim’s outstanding tasks on the X matter”); assign tasks; summarize and respond to email or text messages; create notes about work performed and time; and many other practical, low level administrative tasks. All of that from a single, natural language user interface that is easy to set up and free.

This is not Skynet. It is a highly efficient way of reducing administrative burdens experienced by small law firms to allow lawyers to focus more on zealously advocating and dutifully serving their clients interests, rather than wrestling with opaque user interfaces across 5 different applications used in silos.

Equally, this is not intentionally making public or risking client information confidence. Existing legal tech implementations from established players are at present dedicated to not make this useful technology available, because it would mean that small law firms need not be bilked into shelling out $1,000 a month for their purportedly “proprietary” technology as an add on to their services.

They do so on the basis of fear mongering abouts security with MCP tools. The fears have some merit in the same way that driving car always risks serious injury. But the risk is avoidable with intelligent deployment of MCP tools. The biggest risk lies in two species of “prompt injection,” where a malicious third party user directly alters the behavior of the model or when a third party like a website or uploaded file modifies the behavior of the model.⁶

Mitigating risk associated with unauthorized disclosure of client information through nefarious third parties is incumbent upon practicing attorneys.⁷ To do so, attorneys adopting MCP workflows into their processes ought adopt the following best practices:

1. Enforce Least Privilege and Scoped Access. MCP tools should be narrowly scoped to the minimum permissions required. Avoid exposing open-ended interfaces (e.g., unrestricted shell, full database access). Limit tool parameters and data returned to the model.⁸
2. Require Explicit Consent and User Visibility. Attorneys should indicate use of AI technologies in their retainer agreements.⁹ Like wise, High-risk tool actions (e.g., sending emails, modifying records, financial transactions) should require user consent or confirmation. Expose clear logs and UI affordances so that users understand when and why a tool was invoked.¹⁰
3. Defend against prompt injection. Prompt injection is the leading risk to MCP-connected agents. Defenses include: Input/output filtering (strip or neutralize suspicious instructions); Allow-lists for tool calls and domains; Runtime policy engines to evaluate whether a tool action is safe; Continuous red-teaming for indirect prompt injection through files, URLs, and RAG contexts.

Finally, the above described defenses and risks apply most strongly to the development of client facing applications that use MCP tools. But using an MCP tool in a local environment – for instance, with a local server monitoring studio output from a desktop LLM client using tool calls – does not have the same level of risk. A single person or small law firm using these types of tools to manipulate data, analyze performance, and keep good records is a positive development for law firms and will enable broader and more effective advocacy and access to justice.