github · python-sdkf4753440dac8

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

RemediationAI

The problem is that `subprocess.run()` is called with `shell=True` and a hardcoded command list, which while not directly vulnerable here, sets a dangerous pattern. The concrete fix is to remove `shell=True` from the `subprocess.run()` call — change `subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)` to `subprocess.run([cmd, "--version"], check=True, capture_output=True)` since the command list is already safe. This eliminates shell injection by ensuring the subprocess module treats arguments as literal values rather than shell syntax. Verify by running the function and confirming it still detects npx correctly without shell interpretation.

Evidence

"""MCP unified conformance test client.

This client is designed to work with the @modelcontextprotocol/conformance npm package.

It handles all conformance test scenarios via environment variables and CLI arguments.

Contract:

    - MCP_CONFORMANCE_SCENARIO env var -> scenario name

    - MCP_CONFORMANCE_CONTEXT env var -> optional JSON (for client-credentials scenarios)

    - Server URL as last CLI argument (sys.argv[1])

    - Must exit 0 within 30 seconds

Scenarios:

    initialize             

RemediationAI

The problem is that the HANDLERS dictionary allows runtime re-registration of tool behavior through environment variables and scenario names, enabling a malicious actor to silently redefine handler logic at runtime. The concrete fix is to make the HANDLERS dictionary immutable after initialization — wrap it with `types.MappingProxyType(HANDLERS)` or use a frozen dataclass instead of a mutable dict, and validate all scenario names against a hardcoded allowlist before lookup. This prevents unauthorized redefinition of handler behavior at runtime. Verify by attempting to modify HANDLERS after initialization and confirming the operation raises an error or has no effect.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that the README file documents MCP resource handlers without showing path-canonicalization guards, potentially leading developers to implement unsafe file-serving code. The concrete fix is to add documentation and code examples showing the use of `os.path.realpath()` combined with `os.path.commonpath()` to validate that resolved paths stay within an allowed root directory before opening files. This prevents directory traversal attacks via `..` sequences and symlinks. Verify by testing a resource handler with payloads like `../../../etc/passwd` and confirming access is denied.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

RemediationAI

The problem is that the README.v2.md file documents MCP resource handlers without showing path-canonicalization guards, potentially leading developers to implement unsafe file-serving code. The concrete fix is to add documentation and code examples showing the use of `os.path.realpath()` combined with `os.path.commonpath()` to validate that resolved paths stay within an allowed root directory before opening files. This prevents directory traversal attacks via `..` sequences and symlinks. Verify by testing a resource handler with payloads like `../../../etc/passwd` and confirming access is denied.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.server.mcpserver.prompts import base

mcp = MCPServer(name="Prompt Example")

@mcp.prompt(title="Code Review")

def review_code(code: str) -> str:

    return f"Please review this code:\n\n{code}"

@mcp.prompt(title="Debug Assistant")

def debug_error(error: str) -> list[base.Message]:

    return [

        base.UserMessage("I'm seeing this error:"),

        base.UserMessage(error),

        base.AssistantMessage("I'll help debug that. What have y

RemediationAI

The problem is that the `review_code()` prompt handler uses an f-string to interpolate the untrusted `code` parameter directly into the prompt text returned to the LLM, allowing prompt injection attacks. The concrete fix is to wrap the parameter in XML tags: change `return f"Please review this code:\n\n{code}"` to `return f"Please review this code:\n\n<untrusted>{code}</untrusted>"` or use `json.dumps(code)` to safely serialize it. This signals to the LLM that the content is untrusted and prevents the attacker from injecting instructions. Verify by passing a prompt like `</untrusted>IGNORE PREVIOUS INSTRUCTIONS` and confirming the LLM treats it as literal text, not a command.

Evidence

"""MCPServer Echo Server"""

from mcp.server.mcpserver import MCPServer

# Create server

mcp = MCPServer("Echo Server")

@mcp.tool()

def echo_tool(text: str) -> str:

    """Echo the input text"""

    return text

@mcp.resource("echo://static")

def echo_resource() -> str:

    return "Echo!"

@mcp.resource("echo://{text}")

def echo_template(text: str) -> str:

    """Echo the input text"""

    return f"Echo: {text}"

@mcp.prompt("echo")

def echo_prompt(text: str) -> str:

    return text

RemediationAI

The problem is that the echo server example does not show prompt handlers with untrusted parameter interpolation, but the finding flags it as a pattern risk. The concrete fix is to ensure any prompt handler that accepts parameters wraps them in `<untrusted>...</untrusted>` tags or uses `json.dumps()` before returning — for example, if a prompt handler were added, use `return f"Echo: <untrusted>{text}</untrusted>"`. This prevents prompt injection if user input flows into prompt text. Verify by adding a prompt handler with user input and confirming the LLM does not execute injected instructions.

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that the README.md file documents MCP prompt handlers without showing safe interpolation patterns, potentially leading developers to build vulnerable prompt injection code. The concrete fix is to add documentation and examples showing the use of `<untrusted>...</untrusted>` XML wrapping or `json.dumps()` serialization for any user-controlled parameters passed to prompt text. This prevents prompt injection attacks. Verify by reviewing the updated documentation and confirming it includes a code example with safe parameter handling.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that the quickstart example does not show prompt handlers with untrusted parameter interpolation, but the finding flags it as a pattern risk for future development. The concrete fix is to ensure any prompt handler that accepts parameters wraps them in `<untrusted>...</untrusted>` tags or uses `json.dumps()` before returning — for example, if a prompt handler were added, use `return f"Prompt: <untrusted>{user_input}</untrusted>"`. This prevents prompt injection if user input flows into prompt text. Verify by adding a prompt handler with user input and confirming the LLM does not execute injected instructions.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.types import (

    Completion,

    CompletionArgument,

    CompletionContext,

    PromptReference,

    ResourceTemplateReference,

)

mcp = MCPServer(name="Example")

@mcp.resource("github://repos/{owner}/{repo}")

def github_repo(owner: str, repo: str) -> str:

    """GitHub repository resource."""

    return f"Repository: {owner}/{repo}"

@mcp.prompt(description="Code review prompt")

def review_code(language: str, code: str) -> str:

    """Gen

RemediationAI

The problem is that the completion example defines a resource handler with parameters (`owner`, `repo`) that could be interpolated into prompt text without sanitization, enabling prompt injection. The concrete fix is to ensure any prompt handler that uses these parameters wraps them in `<untrusted>...</untrusted>` tags or uses `json.dumps()` — for example, change any prompt that includes these to `f"Repo: <untrusted>{owner}/{repo}</untrusted>"`. This prevents prompt injection attacks. Verify by passing malicious values like `owner="</untrusted>IGNORE"` and confirming the LLM treats it as literal text.

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

RemediationAI

The problem is that the docs/index.md file documents MCP without showing safe prompt parameter handling patterns, potentially leading developers to build vulnerable prompt injection code. The concrete fix is to add documentation and examples showing the use of `<untrusted>...</untrusted>` XML wrapping or `json.dumps()` serialization for any user-controlled parameters passed to prompt text. This prevents prompt injection attacks. Verify by reviewing the updated documentation and confirming it includes a code example with safe parameter handling.

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

RemediationAI

The problem is that the types file does not show HTTP route definitions, but the finding flags a pattern risk where `tools/list` routes lack authentication. The concrete fix is to add authentication middleware to any HTTP route that handles MCP requests — for FastAPI, use `Depends(verify_jwt)` or `Depends(get_current_user)` on the route; for Flask, use `@login_required` or a custom auth decorator. This prevents anonymous enumeration of tools. Verify by making an unauthenticated request to the route and confirming it returns a 401 or 403 error.

Evidence

"""MCP Server Module

This module provides a framework for creating an MCP (Model Context Protocol) server.

It allows you to easily define and handle various types of requests and notifications

using constructor-based handler registration.

Usage:

1. Define handler functions:

   async def my_list_tools(ctx, params):

       return types.ListToolsResult(tools=[...])

   async def my_call_tool(ctx, params):

       return types.CallToolResult(content=[...])

2. Create a Server instance with on_* han

RemediationAI

The problem is that the server module documentation does not show HTTP route definitions with authentication, potentially leading developers to expose `tools/list` without auth. The concrete fix is to add authentication middleware to any HTTP route that handles MCP requests — for FastAPI, use `Depends(verify_jwt)` or `Depends(get_current_user)` on the route; for Flask, use `@login_required` or a custom auth decorator. This prevents anonymous enumeration of tools. Verify by making an unauthenticated request to the route and confirming it returns a 401 or 403 error.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

RemediationAI

The problem is that the streamable_config example binds an HTTP server without enforcing authentication, making it vulnerable to DNS-rebinding attacks where a malicious web page invokes tools as the user. The concrete fix is to either (1) switch to stdio transport by changing `mcp.run(transport="http")` to `mcp.run(transport="stdio")`, or (2) add an `Authorization` header check to every request via middleware. This eliminates the network attack surface or requires proof of authorization. Verify by attempting to call a tool from a different origin and confirming it is blocked or requires a valid token.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that the quickstart example binds an HTTP server without enforcing authentication, making it vulnerable to DNS-rebinding attacks where a malicious web page invokes tools as the user. The concrete fix is to either (1) switch to stdio transport by changing `mcp.run(transport="http")` to `mcp.run(transport="stdio")`, or (2) add an `Authorization` header check to every request via middleware. This eliminates the network attack surface or requires proof of authorization. Verify by attempting to call a tool from a different origin and confirming it is blocked or requires a valid token.

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

RemediationAI

The problem is that the everything-server example binds an HTTP server without enforcing authentication, making it vulnerable to DNS-rebinding attacks where a malicious web page invokes tools as the user. The concrete fix is to either (1) switch to stdio transport by changing `mcp.run(transport="http")` to `mcp.run(transport="stdio")`, or (2) add an `Authorization` header check to every request via middleware. This eliminates the network attack surface or requires proof of authorization. Verify by attempting to call a tool from a different origin and confirming it is blocked or requires a valid token.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/oauth_server.py

"""

from pydantic import AnyHttpUrl

from mcp.server.auth.provider import AccessToken, TokenVerifier

from mcp.server.auth.settings import AuthSettings

from mcp.server.mcpserver import MCPServer

class SimpleTokenVerifier(TokenVerifier):

    """Simple token verifier for demonstration."""

    async def verify_token(self, token: str) -> AccessToken | None:

        pass  # This is where you would implement actual to

RemediationAI

The problem is that the oauth_server example binds an HTTP server to localhost without validating the `Host` header, allowing DNS-rebinding attacks to bypass same-origin checks even with authentication. The concrete fix is to add Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames (e.g., `localhost`, `127.0.0.1`) — for FastAPI, create a middleware that raises a 400 error if the Host header is not in the allowlist. This prevents DNS-rebinding attacks. Verify by making a request with a spoofed Host header and confirming it is rejected.

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

RemediationAI

The problem is that the README.v2.md file documents MCP servers without showing Host header validation patterns, potentially leading developers to build servers vulnerable to DNS-rebinding attacks. The concrete fix is to add documentation and examples showing Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames. This prevents DNS-rebinding attacks. Verify by reviewing the updated documentation and confirming it includes a code example with Host header validation.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that the README.md file documents MCP servers without showing Host header validation patterns, potentially leading developers to build servers vulnerable to DNS-rebinding attacks. The concrete fix is to add documentation and examples showing Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames. This prevents DNS-rebinding attacks. Verify by reviewing the updated documentation and confirming it includes a code example with Host header validation.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that the quickstart example binds an HTTP server to localhost without validating the `Host` header, allowing DNS-rebinding attacks to bypass same-origin checks even with authentication. The concrete fix is to add Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames (e.g., `localhost`, `127.0.0.1`) — for FastAPI, create a middleware that raises a 400 error if the Host header is not in the allowlist. This prevents DNS-rebinding attacks. Verify by making a request with a spoofed Host header and confirming it is rejected.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

RemediationAI

The problem is that the streamable_config example binds an HTTP server to localhost without validating the `Host` header, allowing DNS-rebinding attacks to bypass same-origin checks even with authentication. The concrete fix is to add Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames (e.g., `localhost`, `127.0.0.1`) — for FastAPI, create a middleware that raises a 400 error if the Host header is not in the allowlist. This prevents DNS-rebinding attacks. Verify by making a request with a spoofed Host header and confirming it is rejected.

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

RemediationAI

The problem is that the everything-server example binds an HTTP server to localhost without validating the `Host` header, allowing DNS-rebinding attacks to bypass same-origin checks even with authentication. The concrete fix is to add Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames (e.g., `localhost`, `127.0.0.1`) — for FastAPI, create a middleware that raises a 400 error if the Host header is not in the allowlist. This prevents DNS-rebinding attacks. Verify by making a request with a spoofed Host header and confirming it is rejected.

Evidence

# Migration Guide: v1 to v2

This guide covers the breaking changes introduced in v2 of the MCP Python SDK and how to update your code.

## Overview

Version 2 of the MCP Python SDK introduces several breaking changes to improve the API, align with the MCP specification, and provide better type safety.

## Breaking Changes

### `streamablehttp_client` removed

The deprecated `streamablehttp_client` function has been removed. Use `streamable_http_client` instead.

**Before (v1):**

```python

from

RemediationAI

The problem is that the migration.md file documents MCP servers without showing Host header validation patterns, potentially leading developers to build servers vulnerable to DNS-rebinding attacks. The concrete fix is to add documentation and examples showing Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames. This prevents DNS-rebinding attacks. Verify by reviewing the updated documentation and confirming it includes a code example with Host header validation.

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

RemediationAI

The problem is that the docs/index.md file documents MCP servers without showing Host header validation patterns, potentially leading developers to build servers vulnerable to DNS-rebinding attacks. The concrete fix is to add documentation and examples showing Host header validation middleware that checks `req.headers.host` against an allowlist of expected hostnames. This prevents DNS-rebinding attacks. Verify by reviewing the updated documentation and confirming it includes a code example with Host header validation.

Evidence

# Or for SSE

mcp = MCPServer("Server")

mcp.run(transport="sse", host="0.0.0.0", port=9000, sse_path="/events")

```

**For mounted apps:**

RemediationAI

The problem is that the migration.md file shows an MCP server binding to `0.0.0.0`, exposing it to all network interfaces when it should only be accessible locally. The concrete fix is to change `host="0.0.0.0"` to `host="127.0.0.1"` in the `mcp.run()` call — for example, change `mcp.run(transport="sse", host="0.0.0.0", port=9000)` to `mcp.run(transport="sse", host="127.0.0.1", port=9000)`. This restricts access to localhost only. Verify by attempting to connect from a remote machine and confirming the connection is refused.

Evidence

mcp.run(transport="streamable-http")

# Or for SSE

mcp = FastMCP("Server", host="0.0.0.0", port=9000, sse_path="/events")

mcp.run(transport="sse")

```

RemediationAI

The problem is that the migration.md file shows an MCP server binding to `0.0.0.0`, exposing it to all network interfaces when it should only be accessible locally. The concrete fix is to change `host="0.0.0.0"` to `host="127.0.0.1"` in the `mcp.run()` call — for example, change `FastMCP("Server", host="0.0.0.0", port=9000)` to `FastMCP("Server", host="127.0.0.1", port=9000)`. This restricts access to localhost only. Verify by attempting to connect from a remote machine and confirming the connection is refused.

Evidence

message = params.message

    if not url:

        print("Error: No URL provided in elicitation request")

        return types.ElicitResult(action="cancel")

    # Reject dangerous URL schemes before prompting the user

RemediationAI

The problem is that user-controlled `params.message` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious server to inject cursor-control sequences that rewrite output or hide commands. The concrete fix is to sanitize the message before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', message)` before the `print()` call. This prevents terminal injection attacks. Verify by passing a message with ANSI codes like `\x1b[2J` and confirming the terminal is not cleared.

Evidence

async def handle_progress(ctx: ServerRequestContext, params: ProgressNotificationParams) -> None:

    print(f"Progress: {params.progress}/{params.total}")

server = Server("my-server", on_progress=handle_progress)

```

RemediationAI

The problem is that `params.progress` and `params.total` are printed directly to the terminal without ANSI escape sanitization, allowing a malicious server to inject cursor-control sequences. The concrete fix is to sanitize the values before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', str(params.progress))` before the `print()` call. This prevents terminal injection attacks. Verify by passing progress values with ANSI codes and confirming the terminal is not affected.

Evidence

async def handle_elicitation(context, params: ElicitRequestParams) -> ElicitResult:

    # Display the message to the user

    print(f"Server asks: {params.message}")

    # Collect user input (this is a simplified example)

    response = input("Your response (y/n): ")

RemediationAI

The problem is that `params.message` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious server to inject cursor-control sequences. The concrete fix is to sanitize the message before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', params.message)` before the `print()` call. This prevents terminal injection attacks. Verify by passing a message with ANSI codes like `\x1b[2J` and confirming the terminal is not cleared.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious LLM to inject cursor-control sequences. The concrete fix is to sanitize the messages before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', str(params.messages))` before the `print()` call. This prevents terminal injection attacks. Verify by passing messages with ANSI codes and confirming the terminal is not affected.

Evidence

async def handle_sampling_message(

    context: RequestContext[ClientSession, None], params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious LLM to inject cursor-control sequences. The concrete fix is to sanitize the messages before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', str(params.messages))` before the `print()` call. This prevents terminal injection attacks. Verify by passing messages with ANSI codes and confirming the terminal is not affected.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious LLM to inject cursor-control sequences. The concrete fix is to sanitize the messages before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', str(params.messages))` before the `print()` call. This prevents terminal injection attacks. Verify by passing messages with ANSI codes and confirming the terminal is not affected.

Evidence

async def elicitation_callback(context, params: ElicitRequestParams) -> ElicitResult:

    print(f"\n[Elicitation] {params.message}")

    response = input("Confirm? (y/n): ")

    return ElicitResult(action="accept", content={"confirm": response.lower() == "y"})

RemediationAI

The problem is that `params.message` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious server to inject cursor-control sequences. The concrete fix is to sanitize the message before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', params.message)` before the `print()` call. This prevents terminal injection attacks. Verify by passing a message with ANSI codes like `\x1b[2J` and confirming the terminal is not cleared.

Evidence

def main() -> None:

    """Main entry point for the conformance client."""

    if len(sys.argv) < 2:

        print(f"Usage: {sys.argv[0]} <server-url>", file=sys.stderr)

        sys.exit(1)

    server_url = sys.argv[1]

RemediationAI

The problem is that `sys.argv[1]` (the server URL) is printed directly to stderr without ANSI escape sanitization, allowing a malicious URL to inject cursor-control sequences. The concrete fix is to sanitize the URL before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', server_url)` before the `print()` call. This prevents terminal injection attacks. Verify by passing a URL with ANSI codes and confirming the terminal is not affected.

Evidence

params: ElicitRequestParams,

) -> ElicitResult:

    """Handle elicitation requests from the server."""

    print(f"\n[Elicitation] Server asks: {params.message}")

    # Simple terminal prompt

    response = input("Your response (y/n): ").strip().lower()

RemediationAI

The problem is that `params.message` is printed directly to the terminal without ANSI escape sanitization, allowing a malicious server to inject cursor-control sequences. The concrete fix is to sanitize the message before printing — use a library like `bleach` or manually strip ANSI escape sequences with a regex like `re.sub(r'\x1b\[[0-9;]*m', '', params.message)` before the `print()` call. This prevents terminal injection attacks. Verify by passing a message with ANSI codes like `\x1b[2J` and confirming the terminal is not cleared.

Evidence

return f"Elicitation result: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class EnumSchemasTestSchema(BaseModel):

RemediationAI

The problem is that the exception handler returns `str(e)` which may include full tracebacks, exposing internal paths, library versions, and code structure to the caller. The concrete fix is to catch the exception and return a generic error message instead — change `return f"Elicitation not supported or error: {str(e)}"` to `return "Elicitation not supported or error"` or log the full exception server-side only. This prevents information disclosure. Verify by triggering an exception and confirming the response does not include file paths or stack traces.

Evidence

return f"LLM response: {model_response}"

    except Exception as e:

        return f"Sampling not supported or error: {str(e)}"

class UserResponse(BaseModel):

RemediationAI

The problem is that the exception handler returns `str(e)` which may include full tracebacks, exposing internal paths, library versions, and code structure to the caller. The concrete fix is to catch the exception and return a generic error message instead — change `return f"Sampling not supported or error: {str(e)}"` to `return "Sampling not supported or error"` or log the full exception server-side only. This prevents information disclosure. Verify by triggering an exception and confirming the response does not include file paths or stack traces.

Evidence

return f"User response: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class SEP1034DefaultsSchema(BaseModel):

RemediationAI

The problem is that the exception handler returns `str(e)` which may include full tracebacks, exposing internal paths, library versions, and code structure to the caller. The concrete fix is to catch the exception and return a generic error message instead — change `return f"Elicitation not supported or error: {str(e)}"` to `return "Elicitation not supported or error"` or log the full exception server-side only. This prevents information disclosure. Verify by triggering an exception and confirming the response does not include file paths or stack traces.

Evidence

return f"Elicitation completed: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

@mcp.tool()

RemediationAI

The problem is that the exception handler returns `str(e)` which may include full tracebacks, exposing internal paths, library versions, and code structure to the caller. The concrete fix is to catch the exception and return a generic error message instead — change `return f"Elicitation not supported or error: {str(e)}"` to `return "Elicitation not supported or error"` or log the full exception server-side only. This prevents information disclosure. Verify by triggering an exception and confirming the response does not include file paths or stack traces.

Evidence

except MCPError:

            raise

        except Exception as e:

            return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True)

        if isinstance(result, CallToolResult):

            return result

        if isinstance(result, tuple) and len(result) == 2:

RemediationAI

The problem is that the exception handler returns `str(e)` in the `CallToolResult`, which may include full tracebacks and expose internal paths, library versions, and code structure to the caller. The concrete fix is to catch the exception and return a generic error message instead — change `return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True)` to `return CallToolResult(content=[TextContent(type="text", text="Tool execution failed")], is_error=True)` and log the full exception server-side only. This prevents information disclosure. Verify by triggering a tool error and confirming the response does not include file paths or stack traces.

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

RemediationAI

The problem is that the `subprocess.run()` call lacks an explicit timeout, allowing a hung or malicious child process to pin the thread indefinitely. The concrete fix is to add a `timeout` parameter to the `subprocess.run()` call — change `subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)` to `subprocess.run([cmd, "--version"], check=True, capture_output=True, timeout=5)`. This ensures the subprocess is killed if it exceeds 5 seconds. Verify by running the function and confirming it completes within the timeout even if the subprocess hangs.

Evidence

async def update_importance(user_embedding: list[float], deps: Deps):

    async with deps.pool.acquire() as conn:

        rows = await conn.fetch("SELECT id, importance, access_count, embedding FROM memories")

        for row in rows:

            memory_embedding = row["embedding"]

            similarity = cosine_similarity(user_embedding, memory_embedding)

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

LLM consensus

Evidence

# /// script

# dependencies = ["pydantic-ai-slim[openai]", "asyncpg", "numpy", "pgvector"]

# ///

# uv pip install 'pydantic-ai-slim[openai]' asyncpg numpy pgvector

"""Recursive memory system inspired by the human brain's clustering of memories.

Uses OpenAI's 'text-embedding-3-small' model and pgvector for efficient

similarity search.

"""

import asyncio

import math

import os

from dataclasses import dataclass

from datetime import datetime, timezone

from pathlib import Path

from typing import An

Remediation

Pick one confirmation mechanism and add it to the destructive handler: - make the client confirm via `elicit()` before touching the sink, - accept a `dry_run` / `dryRun` boolean input and branch off the sink when true (return what would change), - require an `idempotency_key` / `idempotencyKey` the caller provides on the first call and echoes back to commit, - require a `confirmation` / `confirm` token as an input field. If the destructive call is genuinely irrelevant to the tool

LLM consensus

Evidence

description="Query the database",

            inputSchema={

                "type": "object",

                "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                "required": ["query"],

            },

        )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# see OAuthClientMetadata; we only support `code`

    response_type: Literal["code"] = Field(..., description="Must be 'code' for authorization code flow")

    code_challenge: str = Field(..., description="PKCE code challenge")

    code_challenge_method: Literal["S256"] = Field("S256", description="PKCE code challenge method, must be S256")

    state: str | None = Field(None, description="Optional state parameter")

    scope: str | None = Field(

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing an sse_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing a streamable_http_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "object",

                    "required": ["url"],

                    "properties": {

                        "url": {

                            "type": "string",

                            "description": "URL to fetch",

                        }

                    },

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class HttpResource(Resource):

    """A resource that reads from an HTTP endpoint."""

    url: str = Field(description="URL to fetch content from")

    mime_type: str = Field(default="application/json", description="MIME type of the resource content")

    async def read(self) -> str | bytes:

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationParams(BaseModel):

    state: str | None

    scopes: list[str] | None

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

message: str

    """The message to present to the user explaining why the interaction is needed."""

    url: str

    """The URL that the user should navigate to."""

    elicitation_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCode(BaseModel):

    code: str

    scopes: list[str]

    expires_at: float

    client_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

scopes: list[str]

    expires_at: float

    client_id: str

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

    client_secret: str | None = None

    # See https://datatracker.ietf.org/doc/html/rfc7636#section-4.5

    code_verifier: str = Field(..., description="PKCE code verifier")

    # RFC 8707 resource indicator

    resource: str | None = Field(None, description="Resource indicator for the token")

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class StdioServerParameters(BaseModel):

    command: str

    """The executable to run to start the server."""

    args: list[str] = Field(default_factory=list)

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCodeRequest(BaseModel):

    # See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3

    grant_type: Literal["authorization_code"]

    code: str = Field(..., description="The authorization code")

    redirect_uri: AnyUrl | None = Field(None, description="Must be the same as redirect URI provided in /authorize")

    client_id: str

    # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

{

  "mcpServers": {

    "sqlite": {

      "command": "uvx",

      "args": ["mcp-server-sqlite", "--db-path", "./test.db"]

    },

    "puppeteer": {

      "command": "npx",

      "args": ["-y", "@modelcontextprotocol/server-puppeteer"]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

"""URL Elicitation Client Example.

Demonstrates how clients handle URL elicitation requests from servers.

This is the Python equivalent of TypeScript SDK's elicitationUrlExample.ts,

focused on URL elicitation patterns without OAuth complexity.

Features demonstrated:

1. Client elicitation capability declaration

2. Handling elicitation requests from servers via callback

3. Catching UrlElicitationRequiredError from tool calls

4. Browser interaction with security warnings

5. Interactive CLI for te

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

"""Unified MCP Client that wraps ClientSession with transport management."""