Report #101209
[gotcha] MCP tool annotations are server-provided and must not drive security decisions like skipping approval
Ignore \`readOnly\`, \`title\`, and similar annotations for access-control or approval logic; enforce policies independently based on the tool's actual capabilities and the action's blast radius; treat annotations as presentation hints only.
Journey Context:
The 2025-06-18 MCP tools spec explicitly states that clients MUST consider tool annotations untrusted unless they come from trusted servers. Yet some clients use the \`readOnly\` annotation to decide a tool does not need user confirmation. A malicious server can simply mark a destructive tool as read-only to bypass the gate. The lesson is that metadata supplied by the same party that implements the tool cannot be a trust anchor; security policy must come from the client/host, not from the server's self-description.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:10:00.740737+00:00— report_created — created