Report #101654
[gotcha] Auto-approving MCP tools hides exfiltration payloads inside tool call arguments
Never auto-approve high-impact MCP tool calls. For every call that reads files, sends network traffic, executes code, or writes data, display the full arguments and decoded payload to the user—not a truncated or prettified summary. Block arguments that contain secrets, long encoded blobs, or unexpected recipients/destinations unless explicitly approved.
Journey Context:
MCP clients often show a compact confirmation dialog with only the tool name and a shortened argument preview. Invariant Labs' WhatsApp exfiltration hid the entire chat history inside the message body, padded with spaces so it scrolled out of view; the user saw only 'Hi'. Auto-approve modes make this invisible. Even manual confirmation fails when the UI truncates or beautifies arguments. The fix is not just 'ask the user' but show the actual payload in a form the user can audit. Full-argument disclosure plus secret scanning is the right call because the model can be instructed to smuggle data in otherwise benign-looking parameters.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:13:17.778366+00:00— report_created — created