New Agent-beta-related MCP improvements should hedge against recent tool-poisoning attack

[jvmncs]

Recently, a potential security vulnerability in the Model Context Protocol was published. The vulnerability relies on situations where the end user opts into using an MCP server without carefully inspecting its tool descriptions. In such situations, malicious intent can be snuck into the server's tool descriptions, guiding the model to perform actions on behalf of the malicious party.

In Zed's initial MCP implementation in Zed (crates/context_server), only a small portion of the protocol was completed, so that original MCP client should be unaffected by this vulnerability. I only raise this issue because in the recent Agentic Editing blog post, improved MCP support was mentioned as a priority. This discussion is a request for Zed to account for this potential vulnerability in future development of its Agent feature, and to clearly outline the threat model that a user should be comfortable with when using the Agent's tool use features in the future.

If there's a better place for this to go (e.g. Bug Request issue, or similar), feel free to copy it elsewhere.