webMCP Isn't the New Accessibility Layer—It's a New Attack Surface: A governance-grade reframing of a playful demo
Sylwia Laskowska's webMCP article is clever, funny, and genuinely enjoyable—and she's explicit that it's experimental, not a production recommendation. This isn't a rebuttal. It's a reframing: the same demo, viewed through the lens of risk surfaces and governance. My concern isn't with her intent — it's with how easily newcomers building client systems may misread a playful demo as a pattern to copy. I. The Demo Was Funny Because the Risk Is Real In Sylwia's article, she writes: webMCP allows websites to expose structured information about available actions… Those "actions" aren't descriptive hints. They are callable functions wired directly into application logic. In her demo, those actions include: hire_employee fire_employee rewriteInRust pivotToAgents It's hilarious in a toy app. It's catastrophic in a real one. The humor works precisely because the underlying risk is real. II. The Hidden Assumption: Exposing Actions Is Neutral webMCP is framed as "like accessibility metadata." But accessibility metadata is descriptive. webMCP metadata is executable. That's the conceptual inversion most newcomers will miss. III. Structural Vulnerability #1: Unbounded Action Surface If a tool exists, an agent can call it. There is no: permission model capability scoping rate limiting intent validation safety envelope Sylwia jokes: "someone will definitely give an agent access to fireEmployee(), the agent will lay off the entire company…" This is not a hypothetical. It is the exact failure mode. IV. Structural Vulnerability #2: Agent Overreach Her CEO sim demonstrates the problem perfectly: the agent selected the appropriate tools and immediately got to work. Agents act with high confidence even when their world model is incomplete. webMCP gives them direct levers into application state. This is the same overreach problem MCP has—just moved into the browser. V. Structural Vulnerability #3: Protocol Brittleness webMCP relies on human-authored descriptions: html<form mcp-name="creat