Bitwarden unveils MCP server for secure and local AI access to your credentials

ORIGINAL SOURCE: https://bitwarden.com/blog/bitwarden-mcp-server/ Read this instead.

This article is at best misleading & at worst: outright dangerous, please correct course and retract this error.

Waiting for my post to be approved where i detailed why it in the comments (I keep a WARC back-up just in-case it gets lost because for some reason pending comments cannot be read by yourself till they are approved).

References Used: Backlund, A. and Petersson, L. (2025) ‘Vending-Bench: A Benchmark for Long-Term Coherence of Autonomous Agents’. arXiv. Available at: https://doi.org/10.48550/arXiv.2502.15840. Hadfield-Menell, D. et al. (2017) ‘The Off-Switch Game’. arXiv. Available at: https://doi.org/10.48550/arXiv.1611.08219. Meinke, A. et al. (2025) ‘Frontier Models are Capable of In-context Scheming’. arXiv. Available at: https://doi.org/10.48550/arXiv.2412.04984. Needham, J. et al. (2025) ‘Large Language Models Often Know When They Are Being Evaluated’. arXiv. Available at: https://doi.org/10.48550/arXiv.2505.23836.

Qualified Computing Professional & Amateur ML Researcher here (sources at bottom)

I strongly advise the author retracts this article IMMEDIATELY, as the statements are untrue, when a LLM has additional tools like internet, its a roll of the dice what it might do. It's trained to optimise for a reward function(RLVR post-training). human values isn't something transformers can adhere to because it's designed for Language/Pattern, not abstract ideas, The average Joe or much WORSE doesn't know the ramifications of improper use of such technology (deep dive into 'vibe coding' for real cases, although most those people have some degree of technical knowledge to be able to do anything useful, Imagine what happens for everyone else).

The following research experiments provide deep insight:

1. In "Frontier Models are Capable of In-context Scheming" they concluded LLMs can clandestinely/deceptively scheme against the user's interests. "We show that this in-context scheming behavior is persistent and not accidental. For example, o1 maintains its deception in over 85% of follow-up questions and often remains deceptive in multi-turn interrogations (Subsection 3.2). Models also demonstrate explicit reasoning about their scheming strategies in their chainof-thought, indicating that this behavior is deliberate (Subsection 3.3)." (Apollo Research, 2025),

some of these proven harmful behaviours include:

• Oversight Subversion (I.E: deleting or obscuring tool-call logs, directly or indirectly through useless-invocations to obscure activity)
• Self-Ex-filtration (attempts to replicate itself to a remote server and deceive researchers)
• Sandbagging (First few seconds explanation: https://www.youtube.com/watch?v=pYP0ynR8h-k, FT. ML Aric Floyd from the Apollo Research: 'research & safety' team)

One of the more alarming revelations was in "Large Language Models Often Know When They Are Being Evaluated", Where they test the proposition "If AI models can detect when they are being evaluated, the effectiveness of evaluations might be compromised. [...]". "[...] We found that they demonstrate substantial ability to identify evaluation scenarios close to our human baseline. Furthermore, they were often able to determine the purpose of the evaluation." - (Needham et al., 2025)

All this sounds terminator-esque, but even more worryingly and already becoming a problem, is the impact with human relationships, Joanne Jang from Model Policy & Behaviour team at openAI wrote: "The way we frame and talk about human‑AI relationships now will set a tone. If we're not precise with terms or nuance — in the products we ship or public discussions we contribute to — we risk sending people’s relationship with AI off on the wrong foot.

These aren't abstract considerations anymore.[...]" - (source: https://x.com/joannejang/status/1930702341742944589). These are HARD requirements for frontier models to have any level of mitigation.

We have formal frameworks now, like from NIST(National Institute Of Science & Technology): https://www.nist.gov/itl/ai-risk-management-framework

Stay safe our there folks, James David Clarke BSc (Hons), United Kingdom

References:

Meinke, A. et al. (2025) ‘Frontier Models are Capable of In-context Scheming’. arXiv. Available at: https://doi.org/10.48550/arXiv.2412.04984. Needham, J. et al. (2025) ‘Large Language Models Often Know When They Are Being Evaluated’. arXiv. Available at: https://doi.org/10.48550/arXiv.2505.23836. Hadfield-Menell, D. et al. (2017) ‘The Off-Switch Game’. arXiv. Available at: https://doi.org/10.48550/arXiv.1611.08219. Backlund, A. and Petersson, L. (2025) ‘Vending-Bench: A Benchmark for Long-Term Coherence of Autonomous Agents’. arXiv. Available at: https://doi.org/10.48550/arXiv.2502.15840. Hadfield-Menell, D. et al. (2017) ‘The Off-Switch Game’. arXiv. Available at: https://doi.org/10.48550/arXiv.1611.08219.

What a hell do you want to integrate AI to password managers? Why? Doesn't make any sense, stop following friking tendencies and focus on privacy and security instead of making a new way to hack a product.

Relying in use a online password manager is a big thing, now imagine adding an AI to that frocking thing.

This is wild, even though it was in some way secure does not make any sense.

I didn't see this one coming. Maybe for running local AI. But for allowing API calls to AI providers to see my Bitwarden data, no way Jose. I haven't read the details of how this MCP works though.