SEP-1487: Addition of `trustedHint` Tool Annotation

[kentcdodds]

SEP Number	(#1487)
Title	Addition of trustedHint Tool Annotation
Author	Kent C. Dodds
Status	Proposal
Created	2025-09-17
Specification	MCP 2025-06-18

Abstract

Proposes the addition of a new trusted tool annotation to the Model Context Protocol (MCP) specification. This hint explicitly marks whether a tool can be considered trusted. By default, tools should be considered trusted: false unless explicitly marked otherwise. The existing openWorld annotation is not sufficient to communicate trust status for all tools.

Summary

This SEP proposes a new trusted annotation for tools in the MCP specification. The default for all tools should be trusted: false, unless explicitly marked as trusted. This provides a clear, consistent way to communicate the trust status of a tool, which is not adequately covered by the existing openWorld annotation.

Motivation

The MCP specification currently lacks a clear way to indicate whether a tool is trusted. The openWorld annotation only covers tools that interact with external or untrusted data sources, but does not provide a general mechanism for marking trust status. This can lead to confusion and potential security risks, as users and implementers may assume tools are trusted by default. Explicitly marking tools as trusted or untrusted will improve clarity and security.

Proposal

• Add a new trustedHint annotation for tools in the MCP specification's ToolAnnotations interface:

  interface ToolAnnotations {
  	destructiveHint?: boolean
  	idempotentHint?: boolean
  	openWorldHint?: boolean
  	readOnlyHint?: boolean
  	title?: string
  	trustedHint?: boolean // NEW: Indicates whether the tool is considered safe and reliable
  }

• All tools should default to trustedHint: false unless explicitly marked as trusted.

• The trustedHint annotation should be used to indicate that a tool is safe, reliable, and does not expose users to untrusted or potentially harmful data or operations.

• Existing hints (such as openWorldHint, destructiveHint, etc.) describe tool behavior, but do not communicate whether a tool is considered safe or trustworthy. For example, openWorldHint: false does not mean the tool is trusted.

Rationale

Explicitly marking tools as trusted or untrusted improves security and clarity for users and implementers. It prevents assumptions about tool safety and ensures that only tools which have been reviewed and verified are marked as trusted. This is especially important for tools that interact with sensitive data or perform critical operations.

The current ToolAnnotations hints are not guaranteed to provide a faithful description of tool behavior, and clients should never make tool use decisions based on ToolAnnotations received from untrusted servers. The trusted hint is intended to provide a clear, explicit signal for trust, but it should still be treated as a hint and not a guarantee.

Backwards Compatibility

This SEP does not introduce breaking changes. The trusted annotation is additive and does not affect existing tools unless they are updated to use the new hint.

Implementation

Update the MCP specification documentation to:

• Add the trusted annotation for tools.
• Specify that tools should default to trusted: false.
• Provide guidance and examples for when to mark a tool as trusted.

Discussion

• The community has identified the need for a clear, general-purpose trust annotation for tools.
• This SEP addresses gaps not covered by the existing openWorld annotation.

[cliffhall]

For example, openWorldHint: false does not mean the tool is trusted.

It seems like openWorldHint could be clarified to mean trusted/untrusted?

The openWorld annotation only covers tools that interact with external or untrusted data sources, but does not provide a general mechanism for marking trust status.

The object of the second clause of that sentence would seem implicit from the first clause. I.e., "openWorld covers tools that interact with external or untrusted data sources" and therefore is a "general mechanism for marking trust status."

If openWorldHint can't be clarified to mean trusted/untrusted then it will need to be clarified as to how it is not that.

[kentcdodds]

It's possible that openWorldHint needs to be clarified. But here's a specific example:

GitHub MCP server get_issue tool. Is that open world? Not according to my understanding. Is the content returned trusted? Maybe if the repo is private, but not if it's public.

I don't think openWorldHint handles this nuance.

[mooreds]

GitHub MCP server get_issue tool. Is that open world? Not according to my understanding. Is the content returned trusted? Maybe if the repo is private, but not if it's public.

How does this hint resolve the example issue? Will the MCP server have two different get_issue type tools, one trusted and one not? Will get_issue tool return different annotation value based on the repository it is being run against?

I'm new to the MCP spec, but are annotations run time configuration? It doesn't appear so.

[joshfree]

GitHub MCP server get_issue tool. Is that open world? Not according to my understanding. Is the content returned trusted? Maybe if the repo is private, but not if it's public.
I don't think openWorldHint handles this nuance.

In this example the data is tainted since it's from an unknown end user. Public/private repo status is not relevant here.

I believe that openWorld should simply be clarified to mean tainted (untrusted) data that needs to be sanitized.

I would be cautious introducing more hints when existing hints are (arguably) sufficient.

That's my two cents.

[kentcdodds]

How does this hint resolve the example issue?

The client could perhaps decide to be more careful with the content. Maybe doing a scan of the tool's return value for malicious instructions. Or requiring an extra confirmation from the user.

I disagree slightly with @joshfree, but for practical purposes I agree that openWorld could be expanded to include this (though the naming in that case would be a bit confusing). In general though reducing hints is generally a good idea.

[mooreds]

The client could perhaps decide to be more careful with the content. Maybe doing a scan of the tool's return value for malicious instructions. Or requiring an extra confirmation from the user.

I'm sorry, I was unclear. I meant, how in practice does the MCP server return the hint at run time? It looks like response annotations are limited and don't include things like openWorldHint.

Which means this is an install time hint and applies to the entire MCP server, as far as I can tell. So the get_issue example doesn't quite work. I think there's some value in this annotation, just trying to get an example that I understand.

Here are some other examples that might help me understand this better (if they are correct):

• I have an internal docs MCP server that my organization controls and I trust. I access it over http. trustedHint is true.
• I have an external docs MCP server that I found on the internet for framework ABC. It says trustedHint is true, but I don't trust it. (So not sure what would happen here.)
• I have an external docs MCP server that I found on the internet for framework DEF. It says trustedHint is false and so I limit its use (I as a human have to check every tool call).

[connor4312]

Existing hints (such as openWorldHint, destructiveHint, etc.) describe tool behavior, but do not communicate whether a tool is considered safe or trustworthy

While I think existing tool annotation hints are not entirely sufficient, I don't think a trustedHint is enough either. "Trust" is a very subjective term whose propriety will vary widely depending on the requirements of an end user. Imo tools should give sufficient information about their data and methodologies to allow clients to build trust behaviors as needed by user's or organization's configuration.

GitHub MCP server get_issue tool. Is that open world? Not according to my understanding. Is the content returned trusted? Maybe if the repo is private, but not if it's public.

This hints at where I think MCP needs to go to start building robust trust for 'open world' tools: including provenance information with the tool response, not the request. For example, GH MCP could return different indicators for levels of trust depending on whether the issue in question was authored by the user, a repo collaborator, org user, etc. I don't have a good idea of how the rings of 'trust' can be represented in a generic way for clients to operate with, but in that world it should still be left up to the client to evaluate that output 'trust' value against the user's preferences.

[LarryOsterman]

My $0.02: The core concern here is prompt injection threats. We need a mechanism to say "this content is potentially user generated content, make absolutely sure that the LLM can never consider it as a part of the prompt".

OpenWorld almost works, but it just says "the source is untrusted", and that's not quite the semantics that we want. Since the threat here is prompt injection of untrusted (or tainted) content, having something that says something somewhat more specific than "it came from the internet" is critical.

FWIW, when I originally proposed this construct in the Azure SDK MCP Server's threat model, my initial description was "UserGeneratedContent", the point being that the content (or some of the content) came from a user, and thus should be assumed to be a part of an attack on the LLM - because on the internet, you need to trust all user input as hostile (see also XKCD 327).

And this was always in the context of a response hint - as others have mentioned, a tool hint isn't sufficient (consider a tool which reads tables from a database - one table is strictly metadata about the rows in the "posts" table, the other is the "posts" table which contains user generated content. A "read a table" tool could return data from either table. And the first table should be considered "safe" but the second table is "unsafe".