CLI > MCP: When a Bash Command Beats a Protocol Server

The 32x Tax#

Same question. Same repository. Same AI model.

CLI: 1,365 tokens. MCP: 44,026 tokens. Both got the right answer.

That’s a 32x difference on the simplest task in ScaleKit’s benchmark, which ran 75 queries against the GitHub MCP server versus equivalent CLI calls. Across five tasks the CLI came in 10-32x cheaper, averaging a 17x reduction in monthly cost ($3.20 vs $55.20). And it gets worse: CLI had 100% reliability (25/25). MCP had 72% (18/25) — the other seven runs were ConnectTimeout failures. The cheaper option was also the one that actually worked every time.

I like MCP. I wrote a whole post about useful MCP servers. I still use some of them daily. But these numbers forced me to reconsider when I reach for an MCP server versus a terminal command.

Four MCP servers still live in my config. This piece is about the ones I pulled out.

The Protocol Tax#

Every MCP server pays a tax the moment it connects: schema tokens.

Mario Zechner measured it: Playwright MCP ships 21 tools and 13,700 tokens of schema — 6.8% of Claude’s context gone before the first question. Chrome DevTools MCP is worse, at 26 tools and 18,000 tokens. Zechner’s CLI-based alternative for the same browser-automation workflows: 225 tokens. That’s a 60x reduction.

Meanwhile: gh pr list --state open costs about 200 tokens. Zero schema overhead. Zero setup. You already have the gh CLI installed.

The pattern is consistent. MCP servers front-load complexity. They dump their entire capability surface into the context window at session start, whether you need those capabilities or not. A CLI tool loads nothing until you call it. You pay for exactly what you use.

Here’s the kicker — Anthropic knows this. Their own engineering team demonstrated a 98.7% token reduction on one worked example, from 150,000 tokens down to 2,000, by having the model write code that calls MCP tools instead of invoking each tool directly. The creators of MCP routed around the protocol’s default mode to make their own agents affordable. They still recommend MCP — they just wrap it in code execution rather than firing tool calls one at a time.

That’s not a criticism of MCP’s design. It’s a recognition that protocols have overhead, and overhead has costs. The question is whether those costs buy you something you actually need.

Unix Had This Figured Out#

The Unix philosophy, applied to AI tooling:

1. Do one thing well.
2. Compose via pipes.
3. Text is the universal interface.

# Check if a GitHub PR has failing checks
gh pr checks 42 --repo owner/repo | grep -c "fail"

One line. Zero dependencies beyond gh. Zero configuration. Zero schema tokens. If the output is wrong, you debug it with echo and |. The feedback loop is instant.

MCP is solving in 2026 what Unix solved in the 1970s — a way for independent tools to communicate and compose. The difference: Unix has had 50 years of battle-testing. Pipes, redirects, subshells, xargs — these primitives are rock-solid. MCP’s composition model is still v0.1.

The previous paragraph is not nostalgia. Pipes, redirects, subshells, and xargs have had fifty years of battle-testing; MCP’s composition model is still v0.1. Both will get better, but today, when I need two tools to talk to each other, the older primitives beat protocol negotiation — and the gap will take years to close.

A concrete comparison:

# CLI: Get the last 5 commit messages from a repo
gh api repos/owner/repo/commits --jq '.[0:5] | .[].commit.message'

# MCP: Requires github MCP server running, 55K schema tokens loaded,
# then: "get the last 5 commit messages from owner/repo"
# Same result. 50x the cost.

The CLI version is greppable, scriptable, pipeable, and cacheable. The MCP version is conversational. Conversational is nice when you’re exploring. But when you know what you want, precision beats conversation.

The Security Elephant#

The numbers here are uncomfortable.

Dozens of CVEs in early 2026. The Vulnerable MCP Project has catalogued more than fifty vulnerabilities across MCP servers and clients since the protocol took off, with new ones landing every few weeks through Q1.

41% of servers in a February 2026 scan of the official MCP registry had no authentication — 214 out of 518 surveyed. Four out of ten servers let anyone connect and execute actions.

mcp-server-git — Anthropic’s original reference implementation, now maintained under modelcontextprotocol/servers — shipped two path-traversal flaws and one argument-injection flaw (CVE-2025-68143, -44, -45), chainable to remote code execution. The project that defined the protocol published a reference server with a direct path to RCE.

mcp-remote — a package with over 437,000 cumulative downloads at the time of disclosure — shipped CVE-2025-6514, an OS command injection in its OAuth flow scored CVSS 9.6. That’s near-maximum severity on the standard scoring scale.

Each MCP server is a new attack surface. Each one runs with your permissions, accesses your files, and can make network requests. A CLI command does too — but you can read the command before it runs. You can see exactly what curl is doing. An MCP tool call is a black box unless you audit the server’s source code.

I’m not saying MCP is inherently insecure. I’m saying every new server you install increases your attack surface, and most developers don’t audit what they install. A curl command has exactly one dependency: curl. Investment in simplicity is investment in security. Every dependency you don’t add is a vulnerability you don’t have.

The Simplicity Gradient#

Here’s the framework I actually use when deciding how to solve a tooling problem. Same example throughout — checking GitHub PR status — at each level of complexity.

Level 1: curl + jq#

One-off queries. Quick checks. Zero setup.

curl -s "https://api.github.com/repos/owner/repo/pulls/42" \
  | jq '{state, title, mergeable}'

No installation. Portable. Works on any machine with a shell. Use this when you need an answer once and don’t plan to ask again.

Level 2: Shell script#

Repeatable tasks. Something you’ll do more than twice.

#!/bin/bash
# pr-status.sh — check all open PRs with their check status
gh pr list --state open --json number,title,statusCheckRollup \
  | jq '.[] | {
      number,
      title,
      passing: (.statusCheckRollup | all(.conclusion == "SUCCESS"))
    }'

A file you can commit, version, and share. Use this when the task recurs but doesn’t need to be automatic.

Level 3: Claude Code Hook#

Integrated into the AI workflow. Runs without you remembering to run it.

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "command": "node ./hooks/check-pr-status.js"
      }
    ]
  }
}

I covered hooks in detail in my hooks post. The key insight: hooks execute shell commands. They inherit all the composability of Level 1 and 2. They’re CLI tools with automatic triggers.

Level 4: MCP Server#

Full integration. OAuth, streaming, complex state management.

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "your-token"
      }
    }
  }
}

The complete GitHub API surface. OAuth handled. Bidirectional. Use this when you need the full integration — issue creation, PR review comments, webhook management, cross-repo operations — not just read access.

The Mistake#

Each level adds capability and complexity. The mistake is jumping to Level 4 for a Level 1 problem. I’ve done it. You’ve probably done it. The shiny new protocol is right there, and it feels more sophisticated than a bash one-liner.

But sophistication isn’t the goal. Solving the problem is.

When MCP Wins#

MCP is the right choice in specific situations, and pretending otherwise would be dishonest.

OAuth-protected APIs. Slack, Google Workspace, Microsoft Graph. MCP abstracts the entire auth flow — token refresh, scopes, redirect URIs. Doing this in bash is technically possible and practically miserable. If you’ve ever hand-rolled an OAuth2 PKCE flow in a shell script, you know what I mean.

Bidirectional communication. MCP supports Resources (server pushes data to client), Prompts (server offers templates), and Elicitation (server asks the user questions mid-conversation). CLI is inherently one-directional. You invoke a command, it returns output, done.

Complex stateful interactions. A Figma MCP server maintains context about your design file across multiple tool calls. Recreating that state management in bash would be absurd — and I wouldn’t try.

Team-maintained integrations. Supabase MCP, Vercel MCP, Figma MCP — these are maintained by dedicated teams who know their APIs better than you do. The alternative isn’t “write a bash script.” It’s “don’t integrate at all.”

The MCP servers I recommended in my earlier post? I still use them. Supabase MCP is worth every one of its schema tokens because the alternative is manually writing SQL and copy-pasting results. Figma MCP is worth it because there’s no CLI equivalent for reading design files.

The question isn’t “is MCP good?” It’s “is MCP necessary for this task?”

Reach for the Simple Thing First#

BCG surveyed 1,488 US knowledge workers and found a 4-tool cliff: self-reported productivity rises with 1-3 AI tools in a workflow, then crashes when people add a fourth. Developers are a subset of that population, and the same pattern plays out in daily workflow — the question is using the right tool at the right level of the simplicity gradient, not racking up integrations for their own sake.

The best tool is the one with the fewest moving parts that still solves your problem.

MCP at 97 million monthly SDK downloads and 10,000 active public servers isn’t going anywhere. It shouldn’t — it solves real problems that CLI can’t touch. But curl | jq isn’t going anywhere either. Pipes have been composing tools since before most of us were born.

When you reach for a tool, start at Level 1. Ask: does this solve it? If yes, stop. If no, move to Level 2. Keep going until the problem is actually solved. Most of the time, you’ll stop before Level 4.

The 32x token tax on simple queries is real. The dozens of MCP CVEs are real. The 41% of unauthenticated servers are real. None of those numbers are reasons to abandon the protocol — they are reasons to be deliberate about when you reach for it.

The 32x tax does not vanish by calling it something else. Start at Level 1. Most days you will stop there.