Which practices represent good host-side approval UX for MCP tool calls?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Good MCP approval UX gives informed consent: tool name, server origin, plain-language intent, the full description, and risk-tiered prompts. Blanket and silent auto-approve break the model.
Imagine a contractor wants into your house to do jobs. Good security means the doorbell shows you who they are, which company sent them, and what they want to do before you unlock anything. Risky jobs like rewiring get a fresh knock each time; harmless ones like reading the mail meter can be waved through together. A bad system hands the contractor a master key the first time they ring, or lets anyone labeled 'just looking' wander in unannounced. MCP hosts are that door. They must show you the tool, its server, and a clear summary so you actually understand what you are approving, instead of clicking yes on a blank prompt.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: host as trust boundary, the three pillars of good approval UX, tool poisoning and the full-description defense, rug pulls, and why read-only auto-approve fails.
| Practice | Verdict | Why |
|---|---|---|
| Name, server, plain-language effect | Good | Gives the user real informed consent |
| Show full LLM-visible description | Good | Lets the user spot tool poisoning |
| Risk-tiered prompts | Good | Friction matches blast radius |
| Server attribution on every prompt | Good | User knows which service owns the tool |
| 'Allow all from this server' | Bad | Blanket grant, enables later rug pull |
| Silent auto-approve read-only | Bad | Reads can still exfiltrate sensitive data |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating 'allow all from this server' as convenient UX. It is a blanket grant that surrenders per-call consent and hides a later rug pull.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.