Which practices represent good host-side approval UX for MCP tool calls?
Good MCP approval UX gives informed consent: tool name, server origin, plain-language intent, the full description, and risk-tiered prompts. Blanket and silent auto-approve break the model.
Imagine a contractor wants into your house to do jobs. Good security means the doorbell shows you who they are, which company sent them, and what they want to do before you unlock anything. Risky jobs like rewiring get a fresh knock each time; harmless ones like reading the mail meter can be waved through together. A bad system hands the contractor a master key the first time they ring, or lets anyone labeled 'just looking' wander in unannounced. MCP hosts are that door. They must show you the tool, its server, and a clear summary so you actually understand what you are approving, instead of clicking yes on a blank prompt.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: host as trust boundary, the three pillars of good approval UX, tool poisoning and the full-description defense, rug pulls, and why read-only auto-approve fails.
| Practice | Verdict | Why |
|---|---|---|
| Name, server, plain-language effect | Good | Gives the user real informed consent |
| Show full LLM-visible description | Good | Lets the user spot tool poisoning |
| Risk-tiered prompts | Good | Friction matches blast radius |
| Server attribution on every prompt | Good | User knows which service owns the tool |
| 'Allow all from this server' | Bad | Blanket grant, enables later rug pull |
| Silent auto-approve read-only | Bad | Reads can still exfiltrate sensitive data |
Real products, models, and research that use this idea.
- Claude Desktop and Claude Code prompt before each MCP tool call and show which server the tool came from.
- Cursor's MCP settings let users review and toggle individual servers and tools rather than granting blanket access.
- The OWASP MCP Top 10, published in 2025, names tool poisoning and rug pull as risks the host approval flow must defend against.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow does a rug pull attack defeat a one-time tool approval, and how would you defend against it?
QWhy is auto-approving read-only tools still risky despite no write side effects?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating 'allow all from this server' as convenient UX. It is a blanket grant that surrenders per-call consent and hides a later rug pull.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.