Cold Open — Maybe MCP Is Just an Auth Gateway

Saturday, June 20, 2026. We scanned 2,418 items off the weekend wire, and we will be honest with you: it was a quiet one. Latent Space's own AINews roundup ran under the headline "not much happened today." So today's lead is not a launch. It is an argument — and it is one of the more clarifying things we have read about how agents should talk to the rest of the internet.

This is the print twin of today's Cold Open episode. Prefer it in your ears? Listen on the Cold Open feed.

The lead · Maybe MCP is just an auth gateway

For a year, the Model Context Protocol has been sold as the universal port for plugging tools into AI agents — the "USB-C of AI," as the pitch usually goes. This week, on a Hacker News thread that Simon Willison thought worth quoting on his blog, Sean Lynch offered a quieter and more useful framing. The headline value of MCP, he argues, was never the tools at all.

"The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent's context window, and potentially out of the harness completely. [...] Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That'd still be a win." — Sean Lynch, on Hacker News

To see why that lands, look at what MCP has been competing with all year. Coding agents increasingly reach for two simpler things to get work done: plain command-line tools they can call, and skills — portable folders of instructions an agent loads on demand. Both are cheap, inspectable, and live right in the open where the agent already works. Against that, a full MCP server can feel like a lot of ceremony for "let the model call an API."

Lynch's move is to concede that fight and keep the part that actually has no good alternative. A CLI or a skill still has to get its hands on a token somehow, and the usual way — pasting a key into the prompt or the environment the model can read — drags the secret straight through the agent's context window, where it can be logged, leaked, or coaxed out by a prompt injection. An MCP server can hold that credential on the other side of the boundary, do the authenticating, and hand the agent only the result. The tool-calling is replaceable. The auth isolation is not.

Why it matters

If you build with agents, this reframing is a design rule you can use this week. The question stops being "MCP or CLI or skills?" as if you must pick a camp, and becomes "where does the secret live?" Capability — what the agent can do — is best expressed in the cheapest, most legible form available, which today is usually a CLI command or a skill file. Authentication — the thing you cannot afford to leak — is best pushed as far outside the model's view as you can get it, which is exactly what a thin MCP server is good for. Read this way, MCP and skills are not rivals at all. They are two different jobs, and most production stacks want both.

The fine print

Two honest caveats. First, this is a practitioner's comment amplified by a respected blogger, not a change to the spec or a vendor announcement — it is a sharp opinion, and the "[...]" in the quote means there is nuance we are not reproducing. Read the full thread before you redraw your architecture diagram. Second, plenty of real MCP servers do far more than gate auth today, and reasonable engineers still value the protocol's tool discovery and standard surface. The claim worth taking seriously is narrower and more durable: if you strip MCP down to only the auth gateway, it is still carrying its weight — and that tells you which part to protect when you simplify.

Sources: simonwillison.net — quoting Sean Lynch · original Hacker News comment

02 · Cloudflare hands AI agents throwaway accounts

Right on cue for the lead, Cloudflare shipped temporary accounts for AI agents — ephemeral, throwaway accounts an agent can spin up to deploy code without ever touching a human-shaped signup. The post opens with the exact friction Lynch is describing: "Everyone's writing code with AI agents today. But the moment an agent needs to deploy something — and needs to sign up and create an account — it slams face-first into a wall built for humans." Cloudflare's reasoning is that background AI sessions "have no human in the loop, and are becoming the norm," and that "trial-and-error is the agent's superpower" — agents need cheap, disposable deployment targets so they can write, deploy, and verify in a tight loop.

Why it matters. This is the lead's argument turned into infrastructure. The hardest part of letting an agent act on the world is almost never the doing — it is the account, the credential, the browser OAuth dance built for a person with a mouse. The platforms racing to remove that wall are the ones betting that autonomous, no-human-in-the-loop deployment is where this is all headed.

Sources: blog.cloudflare.com — Temporary Cloudflare Accounts for AI agents

03 · An agency cloned a beloved book with AI

The counterweight to a week about agents acting freely: Andy Baio documented how a polished new website appeared for The Dictionary of Obscure Sorrows, John Koenig's decade-long project of invented words for feelings we have no name for. The site had the author bio, the press mentions, the buy-the-book links — and, strangely, the entire text of the book, from its 800-word foreword to all 311 neologisms with their definitions and essays. What was missing: Koenig's original photo-collage illustrations, swapped out for AI-generated images. Baio calls it part of a broad trend "where people are using AI to repackage, optimize, and replace the authoritative sources it was trained on for profit."

Why it matters. The same agentic capability that makes a write-deploy-verify loop magical also makes wholesale plagiarism a weekend project. As builders, the uncomfortable half of the story is ours too: the tooling that ships our work faster is the tooling that strip-mines someone else's. Worth holding both in your head at once.

Sources: waxy.org — The Wholesale Plagiarism of Obscure Sorrows

Also on the radar

• Proposals on autopilot — AIPropel launched on Hacker News as AI-powered proposal generation for freelancers and agencies. Small, but a sign the "AI writes the boring document" category keeps subdividing into niches.
• A slow news day, on the record — Latent Space's AINews literally titled today's roundup "not much happened today." A useful reminder that the frontier does not actually move every single day, no matter what your feed implies.

Trends in dev tools

The radar was thin today, so here is where the tools engineers actually ship with are heading this month.

• The coding agents are converging on one blueprint — and a new name just joined. Per The New Stack's six-months-in review, Claude Code, Cursor, Codex, and Antigravity have largely settled on the same shape — terminal-native, approval-gated, subagent-capable — and Grok Build is now entering the fight on price and habit. The interesting contest is no longer "what can it do" but "which one fits how you already work."
• CLIs are being designed for agents first. This is the same current as today's lead: skills and command-line tools are winning the capability layer because they are cheap and legible, while MCP gets reframed as the thing that should own auth and little else. The command line is quietly becoming the default interface coding agents reach for.
• "Compose, don't choose" is becoming the production stance. The honest read across this month's coding-agent leaderboards is that the teams shipping fastest are not picking a single winner — they route different work to different agents and treat the lineup as a toolbox, not a religion.

Popular skills

The agent-skills wave kept compounding this week, and the story has clearly moved from "neat Claude Code feature" to "cross-ecosystem standard."

• SKILL.md is now a shared format, not a Claude thing. The same plain folder-of-instructions standard — a name, a description, and markdown instructions — is being read by Claude Code, Codex CLI, Cursor, Gemini CLI, and Copilot. Write a skill once, and increasingly it travels.
• The marketplaces multiplied, and now they compete on trust. Skills directories grew from a single registry to several major marketplaces in two quarters, and the differentiator is shifting to security — listings that get scanned before they are published, because a skill is, after all, instructions you are about to let an agent follow.
• Skills are being curated like products. Roundups such as Composio's top Claude Code skills and keyword-searchable indexes spanning over a million skills signal a real shift: the reusable unit of agent capability now has reviews, rankings, and a discovery problem of its own.

AI fun fact

Today's third story is sadder than it is fun, so here is the bright side hiding inside it. The book the agency cloned, The Dictionary of Obscure Sorrows, contains exactly 311 invented words for emotions we all feel but have no name for. One of them escaped the book entirely and is now used by people who have never heard of John Koenig: "sonder" — the realization that each random passerby is living a life as vivid and complex as your own, full of their own ambitions, routines, and worries. A made-up word, coined for a real feeling, that became real by being shared. Which is rather the opposite of what a copy-paste machine does to it. (waxy.org)

---

That's today's Cold Open. Today's episode is live — the same stories with one host's optimism and the other's caveats — over on the Cold Open feed.

Sources: Simon Willison / Sean Lynch · Cloudflare · Waxy · The New Stack · Latent Space · Build Fast with AI — Claude Skills guide