1 post
A tool that sends email was annotated read-only. That annotation decides whether your MCP client asks for confirmation. It's an advisory hint, not a security boundary — and the gap between those two facts is exploitable.