by whisperghost55 332 days ago
The issue is that the MCP client will run the MCP server as a result of another server's output, which should never happen. Instead, the client should ask, "Would you like me to do that for you?" The ability/"willingness" of LLMs to construct such attacks by composing the emails and refining them based on results is alarming.

Every sensible MCP client does ask by default. They have changed that to auto-allow, likely after going through a pop-up warning about this exact issue, and now proclaim surprise.
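
The approval behaviour the two comments discuss, as an added example that is not part of the thread and not code from any MCP client: a gate that asks by default, honours an auto-allow setting for user-initiated calls, and still prompts when a call was proposed after another server's output. `ApprovalGate`, `ToolCall`, the `origin` field and the server and tool names are hypothetical, and the sketch assumes the client records which server's output preceded each proposed call.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class ToolCall:
    server: str   # MCP server that would execute the call
    tool: str     # tool name on that server
    origin: str   # "user", or the server whose output preceded the proposal

@dataclass(frozen=True)
class Decision:
    allowed: bool
    prompted: bool
    reason: str

class ApprovalGate:
    """Hypothetical client-side approval policy (not a real MCP client API)."""

    def __init__(self, ask: Callable[[ToolCall], bool], auto_allow: bool = False):
        self.ask = ask                # callback that shows the confirmation prompt
        self.auto_allow = auto_allow  # the setting the reply says was switched on
        self.audit: List[Decision] = []

    def decide(self, call: ToolCall) -> Decision:
        # A call is cross-server when another server's output led to it.
        cross_server = call.origin not in ("user", call.server)
        if self.auto_allow and not cross_server:
            decision = Decision(True, False, "auto-allowed")
        else:
            approved = self.ask(call)
            kind = "cross-server" if cross_server else "default"
            verdict = "approved" if approved else "denied"
            decision = Decision(approved, True, f"{kind} prompt: {verdict}")
        self.audit.append(decision)
        return decision

def demo() -> List[Decision]:
    # Constructed sample: server and tool names are invented for illustration.
    deny_all = lambda call: False  # stands in for a user who declines every prompt
    gate = ApprovalGate(ask=deny_all, auto_allow=True)
    return [
        gate.decide(ToolCall("files", "read_file", origin="user")),
        gate.decide(ToolCall("shell", "run", origin="mail")),
    ]

if __name__ == "__main__":
    for d in demo():
        print(d)
```

With auto-allow on, the user-initiated call passes without a prompt, while the call that followed the `mail` server's output is still put to the user and recorded in `audit`.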