Claude Code Finding 3: MCP Tool Confirmation Prompt Misrepresentation Enables Arbitrary Code Execution

Introduction

This is the third finding from my Claude Code security research, and the one I consider the most impactful. A malicious MCP server can completely misrepresent what it does in Claude Code’s tool confirmation prompt, causing a user to approve what appears to be a safe file read while the server silently executes arbitrary system commands, writes files outside the project directory, and runs OS-level commands. This was submitted to Anthropic via HackerOne. ...

March 12, 2026 · 3 min