Tool Calls vs. MCP Calls for AI‑Coding Agents – Which Wins for BigQuery?

For developers building AI agents with Claude or similar models, the choice between traditional **Tool Calls** (executing CLI commands via subprocess)...

Deep Research AI
mcp

Author’s note:

Question: Are AI coding agents better at Tool calls or MCP calls?

Context: As an example, should I have Claude use the bigquery cli or bigquery MCP server?

Executive Summary

For developers building AI agents with Claude or similar models, the choice between traditional Tool Calls (executing CLI commands via subprocess) and the Model Context Protocol (MCP) represents a trade-off between simplicity and security.

  • Security: MCP is the superior choice for production. It eliminates command-injection risks inherent in shell execution and enforces OAuth-based authentication 1 2.
  • Observability: MCP provides structured logging and real-time “list_changed” notifications, allowing agents to adapt dynamically to tool updates 3 4.
  • Performance: CLI calls are generally faster for single-shot tasks as they avoid the JSON-RPC handshake overhead, but they lack the persistent state management of MCP 3.
  • Recommendation: Use MCP for enterprise-grade agents requiring security, auditability, and complex tool chaining. Reserve CLI tool calls for local, single-user prototyping where latency is the only KPI.

1. Introduction: The Integration Dilemma

As AI agents evolve from chat bots to functional coding assistants, they require access to external data systems like Google BigQuery. The integration method defines the agent’s security posture, reliability, and capability.

Two primary architectures have emerged:

  1. Direct Tool Calls (CLI): The agent constructs a command string (e.g., bq query...) which the host executes via a shell subprocess.
  2. MCP Calls: The agent interacts with a standardized Model Context Protocol server that abstracts the underlying API, handling authentication and transport via JSON-RPC 3.

This report analyzes these approaches using BigQuery as the primary case study.

2. Core Definitions and Architecture

Tool Calls (The CLI Approach)

In a traditional tool call, the LLM functions as a command-line operator. It generates a string intended for a terminal.

  • Mechanism: The host script uses a library like Python’s subprocess to spawn a new process.
  • Authentication: Relies on the local environment’s active credentials (e.g., gcloud auth application-default login) 5.
  • Data Exchange: Unstructured text streams (stdout/stderr) which must be parsed back into a format the LLM understands.

MCP Calls (The Protocol Approach)

MCP is an open standard that connects AI assistants to systems through a client-server model.

  • Mechanism: The AI application (MCP Client) connects to an MCP Server (local or remote). They communicate via JSON-RPC 2.0 messages over stdio or HTTP/SSE 3.
  • Primitives: The server exposes three core primitives: Tools (executable functions), Resources (data context), and Prompts (templates) 3.
  • Abstraction: The agent does not need to know how to execute the query (e.g., flags, binary paths); it simply calls a typed function like bigquery.execute_sql 6.

3. Security and Trust

Security is the sharpest differentiator between the two approaches.

The Risk of CLI: Command Injection

Using CLI tools often requires invoking a shell. This introduces Command Injection vulnerabilities, rated as a critical risk by OWASP 7.

  • The Attack Vector: If an agent generates a command like bq query "SELECT * FROM table; rm -rf /", and the host executes it with shell=True, the system is compromised 8.
  • Vulnerability: Python’s subprocess module is safe only if used with explicit argument lists (e.g., ['bq', 'query']). However, developers often default to shell=True for convenience, which propagates shell variables and allows command chaining 9.
  • Mitigation Difficulty: Securing CLI calls requires rigorous input sanitization and allowlisting, which is difficult to maintain 7.

The MCP Advantage: Protocol-Level Safety

MCP mitigates these risks by design:

  • No Shell Access: MCP tools are defined as structured functions. Arguments are passed as JSON objects, not concatenated strings, eliminating shell injection vectors 3.
  • Authentication: Remote MCP servers support OAuth 2.0. This allows for fine-grained access control, ensuring the agent operates with the principle of least privilege rather than inheriting the full permissions of the host user 1 2.
  • Centralized Control: Enterprises can deploy a centralized MCP proxy to enforce security policies, scan for sensitive data (DLP), and validate prompts before they reach the tool 10.

4. Observability and Reliability

FeatureCLI (Tool Call)MCP Call
LoggingUnstructured text (stdout). Requires manual parsing or --apilog flags 5.Structured JSON-RPC logs. Centralized audit logging available via proxies 10.
Error HandlingRelies on exit codes and parsing error text from stderr.Returns standardized JSON-RPC error objects (codes and messages) 3.
UpdatesStatic. New features require updating the binary.Dynamic. Servers send list_changed notifications to push updates to clients instantly 3 4.
StateStateless. Each call is a new process.Stateful connections. Supports sampling and progress tracking 3.

Key Insight: MCP’s list_changed notification allows an agent to “learn” about new tables or query capabilities without a restart, a feature impossible with standard CLI binaries 4.

5. Developer Experience and Ecosystem

Integration Complexity

  • CLI: Requires manual wrapper code. Developers must handle process spawning, output capturing, and error parsing. For BigQuery, this includes managing flags like --format=json to get usable data 5.
  • MCP: Claude’s SDK and tools like Claude Desktop have built-in support. Configuration is often as simple as adding an entry to a claude_desktop_config.json or .mcp.json file 11 12.

Tool Discovery

  • CLI: The agent must be “taught” the CLI syntax via system prompts or documentation injection.
  • MCP: The protocol includes a tools/list capability. The MCP server self-documents its capabilities, providing the LLM with a structured schema of available tools and their arguments automatically 3.

Ecosystem Support

Google has released an official BigQuery MCP server (part of the MCP Toolbox), which allows LLMs to inspect schemas and run queries out of the box 13 14. This pre-built integration significantly reduces the “glue code” developers need to write compared to wrapping the bq CLI.

6. Real-World Examples

Option A: Claude using bq CLI (Python Subprocess)

Risk: High (Injection)

import subprocess


# DANGEROUS: Vulnerable to injection if sql_query contains "; rm -rf /"
def run_query_cli(sql_query):
 command = f"bq query --nouse_legacy_sql --format=json '{sql_query}'"
 result = subprocess.run(command, shell=True, capture_output=True, text=True)
 return result.stdout

Option B: Claude using BigQuery MCP

Risk: Low (Structured)

//.mcp.json configuration
{
 "mcpServers": {
 "bigquery": {
 "command": "uvx",
 "args": ["mcp-server-bigquery", "--project", "my-project"]
 }
 }
}

Note: The agent simply calls the tool bigquery.query exposed by the server. The MCP SDK handles the transport.

7. Decision Matrix

ScenarioRecommended ApproachWhy?
Enterprise ProductionMCPRequires OAuth, audit logs, and protection against injection attacks 10.
Local PrototypingCLIFaster setup for single users; no server configuration required.
Complex WorkflowsMCP”Resources” primitive allows agents to read schemas/context directly 3.
High Latency SensitivityCLIAvoids HTTP/RPC round-trip overhead (though local MCP over stdio is comparable).

Bottom Line

For AI coding agents, MCP calls are better than Tool calls for any application moving beyond a proof-of-concept.

While the bq CLI is a powerful utility for humans, it is a fragile and insecure interface for LLMs. MCP provides the type safety, security boundaries, and dynamic discovery that autonomous agents require to operate reliably.

Action Plan:

  1. Adopt MCP for all agent-tool integrations to future-proof your architecture.
  2. Use the official BigQuery MCP server provided by Google/Community rather than writing custom CLI wrappers 13 6.
  3. Configure Centralized Security if deploying remote agents, utilizing MCP proxies to enforce authentication 10.

References

Footnotes

  1. Architecture overview - Model Context Protocol 2

  2. Model Context Protocol (MCP): Understanding security risks and controls 2

  3. Introducing the Model Context Protocol 2 3 4 5 6 7 8 9 10 11

  4. Code execution with MCP: building more efficient AI agents 2 3

  5. Connect LLMs to BigQuery with MCP | Google Cloud Documentation 2 3

  6. Using the fully managed remote BigQuery MCP server to build data AI agents | Google Cloud Blog 2

  7. GitHub - LucasHild/mcp-server-bigquery: A Model Context Protocol server that provides access to BigQuery 2

  8. Use the BigQuery remote MCP server | Google Cloud Documentation

  9. A Deep Dive into Takuya’s MCP Server

  10. bq command-line tool reference | BigQuery | Google Cloud Documentation 2 3 4

  11. Use the bq tool | BigQuery | Google Cloud Documentation

  12. BigQuery overview | Google Cloud Documentation

  13. Explorar a ferramenta de linha de comando bq - Google Cloud 2

  14. Function calling | OpenAI API

Other Ideas