[MadnessASAP]

The threat model doesn't really change for agents that already have "web fetch" (or equivalent) enabled. The agent is free to communicate with untrusted websites[1]. As before, the firewall remains at what private information the agent is allowed to have.

[1] If anything the threat gets somewhat reduced by the ability to point directly at a trusted domain and say "use this site and it's (presumably) trusted tools."

[yuvrajangads]

Fair point about web fetch already being a trust boundary. The difference I see is that web fetch returns data, but WebMCP tools can define actions. A tool called "add_to_cart" is a lot more dangerous than fetching a product page. The agent trusts the tool's name and description to decide whether to call it, and that metadata comes from the site.

But yeah, if you're already letting agents browse freely, the incremental risk might be smaller than I'm imagining.