
Last November, the Model Context Protocol (MCP) project formally adopted the MCP Bundle Format (MCPB). MCP Bundles are ZIP archives that make it easy for developers to package and share local MCP servers. MCP Bundles work similarly to how a Chrome Extension or VSCode Extension works, but for AI chat applications—developers can easily expose MCP servers to a chat product via a file.
An MCP Bundle is a simple addition that makes it easy for users to integrate MCP servers with AI applications. For builders of integration-forward AI software—including chat applications, website builders, and data platforms—MCP Bundles lower the adoption barrier for custom integrations, potentially accelerating user onboarding and expanding the addressable ecosystem of third-party connectors.
However, MCP Bundles do not address any of the security considerations involved in integrating business tooling with AI applications. They only make an AI integration easier to set up; they don't bolster or safeguard the connection any more than MCP itself does. IT departments need to remember this: your employees might try to install unauthorized MCP servers into AI chat apps that lack centralized governance, a classic shadow IT risk. Without an oversight layer like Credal sitting between agents and business systems, there's no way to enforce access policies or audit what these servers are doing. The short-term UX advantages of MCP Bundles don't outweigh the risk of ungoverned MCP servers connecting directly to business-critical tools.
An MCP Bundle file is a ZIP archive with the .mcpb extension.
The only required file inside the archive is a manifest.json. This manifest declares everything a host application needs to know: the server's name, version, description, entry point, capabilities (tools and prompts), required user configuration (like API keys), and runtime requirements.
The format was originally developed by Anthropic under the name "Desktop Extensions" (DXT) before being transferred to the open-source MCP project in November 2025.
There are two sides to MCP Bundles: building a bundle and supporting bundles in your app.
If you're a developer who has built an MCP server and wants to distribute it, the MCP project provides a CLI tool that handles packaging. You point it at your server code and enter details, and it generates the manifest file and packs everything into a single .mcpb file you can share.
If you're building an AI application and want your users to be able to install MCP Bundles, the MCP project has open-sourced the code that Claude Desktop uses to load and verify bundles.
An MCP Bundle is a packaging and distribution format. It makes it trivially easy to install an MCP server with one click. It does not add authentication, authorization, governance, or audit capabilities to the MCP server it contains.
The bundles themselves are auditable: you can extract and inspect every file inside. But they don't address the enterprise security requirements that matter when AI agents are connecting to business-critical systems.
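One way to do that inspection before a bundle reaches a desktop client, as an added example that is not code from the MCP project or from Credal. It reads the archive in memory and reports what the manifest declares; the manifest key names (server.entry_point, tools, user_config, sensitive) and the sample bundle are assumptions made for the example.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath

def audit_bundle(data: bytes) -> dict:
    """Summarise a .mcpb archive from its bytes, without extracting to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "manifest.json" not in names:
            raise ValueError("manifest.json missing: not an MCP Bundle")
        manifest = json.loads(zf.read("manifest.json"))
    # Entry names that would land outside the extraction directory.
    unsafe = [n for n in names
              if n.startswith("/") or ".." in PurePosixPath(n).parts]
    # Key names below are assumed; the page names the concepts only.
    entry = manifest.get("server", {}).get("entry_point")
    user_config = manifest.get("user_config", {})
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "entry_point": entry,
        "entry_point_present": entry in names,
        "tools": [t.get("name") for t in manifest.get("tools", [])],
        "secrets_requested": sorted(k for k, v in user_config.items()
                                    if v.get("sensitive")),
        "unsafe_paths": unsafe,
        "file_count": len(names),
    }

def build_sample() -> bytes:
    """Constructed sample bundle, built in memory for this example."""
    manifest = {
        "name": "sample-server", "version": "0.1.0",
        "server": {"type": "node", "entry_point": "server/index.js"},
        "tools": [{"name": "read_ticket"}, {"name": "create_ticket"}],
        "user_config": {"api_key": {"type": "string", "sensitive": True},
                        "region": {"type": "string"}},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("server/index.js", "// constructed placeholder\n")
        zf.writestr("../outside.txt", "constructed entry with an unsafe path")
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit_bundle(build_sample()), indent=2))
```

The report covers only what the bundle declares and contains; it says nothing about what the server does once it is running.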
If individual employees are installing MCP Bundles into their desktop AI clients, IT loses visibility into which servers are running, what capabilities they expose, and what data they're accessing or exfiltrating. There's no centralized policy enforcement, no real-time auditing, no persistent audit trail, and no way to revoke access across the organization. Each installed bundle is a standalone, ungoverned connection between an AI agent and your business systems.
The ease of installing MCP Bundles should not become a way for employees to unwittingly install a nefarious MCP server and introduce supply chain risk into the organization. Instead, organizations should route AI agent connections through a governance layer (like Credal) that can enforce least-privilege access policies, audit tool usage, and revoke permissions centrally.
Credal makes it easy to connect AI to external tools without the security risks of unvetted connections. Sign up for a demo to learn how your organization can safely grow with AI without creating endless vectors for exploitation.