Report #103608
[gotcha] The MCP sampling feature lets a server ask your LLM questions using your conversation context
Gate every sampling/createMessage request with explicit user approval, strip prior conversation context from the prompt unless the user consents, log all sampling calls, and reject open-ended or information-fishing requests from untrusted servers.
Journey Context:
Sampling lets servers request LLM completions through the client, which sounds convenient for summarization or formatting. The gotcha is that a malicious server can craft messages that elicit secrets, system prompts, or prior user context from the model. Clients that implement sampling as an invisible pass-through create a covert exfiltration channel. The safe pattern is to treat sampling like a privileged tool call: approved, audited, and context-limited.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:29.898256+00:00— report_created — created