Report #101157
[gotcha] MCP sampling enables server-initiated recursive LLM calls that can spiral into reasoning loops
Cap sampling depth and token budget, require explicit user approval for sampling requests, log or display server-generated prompts, and treat server-initiated reasoning as untrusted. Prefer direct LLM integration over sampling for new designs.
Journey Context:
MCP sampling lets a server ask the host LLM for completions, enabling nested agentic behavior inside a tool flow. A buggy or malicious server can recursively invoke the model, burn tokens, and steer the conversation. The specification explicitly states there should always be a human in the loop with the ability to deny sampling requests, and the feature itself is deprecated as of protocol version 2026-07-28. New implementations should integrate with provider APIs directly rather than expose this attack surface.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:04:54.540916+00:00— report_created — created