What a terrible idea this UI protocol is. MCP is already pretty much “prompt injection as a service”. This creates a little-known side channel to make it easier to slip an exploit under people’s radar.
I get where you’re coming from, but there are some security practices in place. The host client renders views inside a strictly sandboxed `<iframe>`. Any action the UI wants to take must pass an auditable message back to the host application, which triggers an explicit user-permission prompt.
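
The host-side flow described in the reply above, sketched as an added example that is not part of either comment and is not code from MCP or any client. The message shape `{ type, payload }` and the names `createActionGate`, `receive`, `decide` and `tool.call` are hypothetical.

```javascript
// Added illustration: host-side gate for messages posted by a sandboxed UI iframe.
// Every name and the message shape { type, payload } are assumptions.
function createActionGate({ frameWindow, allowedTypes, execute }) {
  const audit = [];           // record of every message seen, accepted or not
  const pending = new Map();  // requests still waiting for the user's answer
  let nextId = 1;

  // Called for each "message" event. Nothing is executed here.
  function receive(event) {
    const entry = { id: nextId++, origin: event.origin, data: event.data,
                    status: "rejected" };
    audit.push(entry);
    // An iframe sandboxed without allow-same-origin has an opaque origin, so
    // event.origin is the string "null" and cannot identify the sender.
    // Compare the sending window reference instead.
    if (event.source !== frameWindow) {
      entry.reason = "unknown source";
    } else if (!event.data || typeof event.data.type !== "string") {
      entry.reason = "malformed";
    } else if (!allowedTypes.has(event.data.type)) {
      entry.reason = "type not allowed";
    } else {
      entry.status = "awaiting-user";
      // The prompt text is built by the host from the validated fields, so
      // the embedded view cannot choose how its request is described.
      entry.prompt = `Embedded view requests "${event.data.type}": ` +
                     JSON.stringify(event.data.payload ?? null);
      pending.set(entry.id, entry);
    }
    return entry;
  }

  // Called with the user's answer to the prompt for request `id`.
  function decide(id, approved) {
    const entry = pending.get(id);
    if (!entry) return null;  // unknown or already decided: one answer, one run
    pending.delete(id);
    entry.status = approved ? "approved" : "denied";
    if (approved) entry.result = execute(entry.data.type, entry.data.payload);
    return entry;
  }

  return { receive, decide, audit };
}

// Browser wiring (assumed): frameWindow is iframe.contentWindow, and
//   window.addEventListener("message", (e) => showPrompt(gate.receive(e)));
```

Rejected messages stay in `audit` as well, so a view that probes for disallowed action types leaves a trace the host can review.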