Save 100× of your tokens?! The creators of MCP themselves, Anthropic, suggesting a transition to Code Mode. Here's what you need to know and what to be careful about.
Recent papers by Anthropic, Cloudflare and others suggest that the way many organizations use MCP today burns far more tokens than necessary (often cited as ~100×).
Simply, it's because the agent is sending all the tool descriptions of its MCPs to the LLM context with every request. So they suggest (following Cloudflare's post) letting the agent write code that dynamically selects the correct tool for the task.
They showed in one example a workflow reduced from 150k tokens to 2k tokens.
Of course, the security risks are clear (and already stated by others), and solutions such as sandboxing and isolation, identity & audit, data minimization, state hygiene, and kill switch + limits help mitigate some of them.
But,
The silent killer (again) is what happens within those guardrails. Long-term, how will this transition (which overall makes sense) impact the actual outcomes of the agent and its ability to perform its tasks as expected?
In other words: how will it impact the agent's behavior?
Agents' behavior is already not very stable, and often unpredictable. It can drift (over time or with sudden outliers) due to hallucinations, bugs, or malicious attacks, even when the way to use tools is fixed.
Now, when the way to use the tools itself can change at runtime, that's a nightmare.
Traditional evals inspect text.
Code-mode agents are making control decisions.
You're not just evaluating answers, you're evaluating a system of habits the agent is forming at runtime.
I always love to compare agents to humanity and learn from our own behavior (and mistakes):
As humans, we do this too: our brain evolved over millions of years, but if we tried to do everything only with our brain like thousands of years ago, our opportunities would be quickly capped. So we invented (and still invent) tools (technology) to reduce cognitive load and optimize tasks. Then we (on the fly, as we identify the need) invent new tools, replace old ways to use existing tools, and improve tools. That's perfect. We are evolving as a species. But it also strongly impacts our behavior as individuals and as a society.
No one expected the impact of social networks on society 20 years ago when they started to emerge. No one imagined the societal shifts when the first engines started to run. We shouldn't expect to fully predict how a single agent will evolve as it optimizes its internal workflow and state transitions (and yes, it can make mistakes, legitimate or malicious, in addition to "just evolving").
And how will we monitor that across thousands of agents running in thousands of instances?
To address and mitigate that, while enabling your team to adopt agentic AI, adapt a Behavioral Rail into your SDLC and runtime operations, with clear re-approval security and behavioral gates, and strong mechanisms to monitor behavior and detect drifts and shifts.
What you can do right now
- Baseline the behavior, not just the answer. Profile a "golden" behavior. From now on, diff every run. If the path changes in a new way, flag or stop. Simple, brutal, effective.
- Give state a name and an expiry. Anything the agent writes must state who wrote it, when, why, and when it expires. Unsigned or expired state can't be read without re-approval. This kills the "reused stale cache" drift.
- Set a tiny behavior budget per task. Pre-declare allowed hosts, max files, and 0 package installs by default. If the agent needs more, it asks. New capabilities run in shadow (dry-run) first, then graduate after review.
A short summary of the latest news
Anthropic: stop stuffing every tool into context. Let the agent write a bit of code, call MCP servers, do the joins/filters before the model, and send back only what matters (that's how they got ~150k → ~2k in their example).
Cloudflare: "Code Mode" runs in a tight sandbox, no general internet, only explicit bindings to tools. Keys stay out of the model.
Amazon Web Services (AWS): "Real infra" for this pattern, managed interpreters with IAM + audit + private networking.
Claude: "Skills" = reusable know-how that loads when needed, plus filesystem + network sandboxing to cut approval spam but keep the blast radius small.
Everyone's moving the work from giant prompts to small programs. Faster, cheaper, and behavior now lives in the glue code.
Originally published on LinkedIn
View original article