| ▲ | alias_neo 4 days ago | |||||||
I'm completely new to this, and know nothing about MCP, but why is it that when it fetches that stuff it isn't just "content"? We make code and other things benign all of the time when we embed it in pages or we use special characters in passwords etc, is there something about the _purpose_ of MCP that makes this a risk? | ||||||||
| ▲ | structural 4 days ago | parent [-] | |||||||
A good simplification of what's going on is this little loop: 1. LLM runs using the system prompt + your input as context. 2. Initial output looks like "I need more information, I need to run <tool>" 3. Piece of code runs that looks for tool tags and performs the API calls via MCP. 4. Output of the tool call gets appended as additional context just as if you'd typed it yourself as part of your initial request. 5. Go back to step 1, run the LLM again. So you can see here that there is no difference between "content" and "prompt". It's all equivalent input to the LLM, which is calling itself in a loop with input that it generated/fetched for itself. A lot of safety here happens at step #3, trying to look at the LLM's output and go "should I actually perform the tool call the LLM asked for?". In some cases, this is just spitting the tool call at the user and asking them to click Approve/Deny... and after a hundred times the user just blindly presses Approve on everything, including the tool call called "bash(sudo rm -rf /)". Pwned. | ||||||||
| ||||||||