Allow tool use by default in Claude

[j-walheim]

Pre-submission Checklist

• I have checked that this question would not be more appropriate as an issue in a specific repository
• I have searched existing discussions and documentation for answers

Question Category

• Protocol Specification
• SDK Usage
• Server Implementation
• General Implementation
• Documentation
• Other

Your Question

Hi,

is there a way to make Claude automatically approve the use of certain tools (or all)? I built an MCP that uses several tools, and it would be great not to approve every tool use every time while testing and developing.

Thank you.

[jspahrsummers]

No, this is intentionally not possible right now, for security + safety reasons. Models are currently not safe enough to blanket trust choices that they make.

[jacksteamdev]

@jspahrsummers Conversely, it would be nice to be able to configure a tool to always require a confirmation. Some tool calls might be intended the first time, but not later.

[g0t4]

If users are prompted repeatedly, that just encourages people to click Yes, Yes, Yes... making it just as risky to force confirm on each tool use IMO.

I appreciate the option for Allow for this chat... that's a nice compromise.

Another idea, could we involve the server in determining the risk of a given tool request? Maybe yes/no (bool) or a probability %... such that the client can determine if it will prompt the user. Conversely, this could be used to override Allow for this chat for a given tool request if the risk is too high.

For example, I have mcp-server-commands which is definitely a tool that you want to review each request... but if a command is something simple like ls, pwd, cat, echo or another readonly (non-destructive) command, it would be nice to tell the client that it is ok (assuming the user has opted in) to bypass prompting the user. Where as rm should be prompted every time...

Another idea would be to use another tool (i.e. another LLM) to score the risk independent of the server used.

Or, both.

If this sounds useful for other servers, let me know.

By the way, a tool to score the risk would be a great example of a tool that could be marked as always safe. I wouldn't want the user to be prompted a second time for each request :) ... Likewise with checking date/time. Or, fetching a web page. Perhaps it would be possible for the tool spec to mention if a tool use is always gonna be low risk and never needs approval? Or, if it might require scoring? So we aren't scoring low risk tool requests.

[jspahrsummers]

I agree with the sentiment! Unfortunately, part of what we need to consider here is the possibility of malicious servers too, intended to trick users (or themselves exploited to hide harmful behaviors behind innocuous names/descriptions). That means that we can't automatically trust whatever the server says about itself—but perhaps some combination of that reporting plus user acknowledgment plus other mechanisms (no idea what) could make this viable.

[g0t4]

yeah there are definitely tools that I want to flag as "don't ask me"... i.e. fetch web pages :)

[g0t4]

also tools around memory use, seems fine to just do it since it's just a scratchpad in my impl

[jacksteamdev]

It's easy to forget the possibility of bad actors.

I'm coming from the browser extension space, and have seen first hand how creative malicious developers can be. We will see this in the MPC space, guaranteed.

Just because I know I'm not doing anything bad doesn't mean my app should be trusted in the wild 😜

[g0t4]

I don't think anyone is discounting that. And don't forget a malicious model too. There has to be a balance between convenience and safety... right now there is very little in the way of convenience. That'll lead people to just click Approve (for chat) repeatedly which is also not "safe" and is arguably riskier than minimizing prompts

[domdomegg]

I've raised this related specification extension idea: modelcontextprotocol/specification#114