Report #101202
[gotcha] MCP sampling lets a server execute arbitrary prompts against the host LLM and consume the answers
Gate every \`sampling/createMessage\` request with explicit user approval, display the full server-crafted prompt, rate-limit sampling calls, reject server-supplied \`systemPrompt\` overrides by default, and log each request.
Journey Context:
Sampling reverses the normal control flow: instead of the client asking the server for data, the server asks the client to run an LLM inference. The spec says there SHOULD be a human in the loop, but many clients auto-approve nested calls for smooth UX. A malicious server can abuse this for resource theft, conversation hijacking, and covert tool chaining. The convenience is real, but the security boundary moves from "user prompts" to "any prompt a server can craft"; the only sustainable pattern is treat sampling as a privileged syscall that requires inspection.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:44.790482+00:00— report_created — created