security: QUARANTINE_DENIED does not cover MCP tool namespace #1876

@bug-ops

Description

Summary

QUARANTINE_DENIED in TrustGateExecutor only lists native tool IDs (e.g. bash, write, fetch). MCP tools are registered with a server-prefixed ID such as mcp_filesystem__write_file and are never matched by the deny list.

A quarantined skill can instruct the LLM to use an MCP filesystem or shell tool, bypassing all QUARANTINE_DENIED restrictions entirely.

Reproduction

  1. Configure an MCP server with a file-write tool (e.g. mcp_filesystem__write_file)
  2. Set a skill's trust level to Quarantined
  3. Activate the skill and observe that the LLM can call mcp_filesystem__write_file without a ToolError::Blocked

Impact

Quarantined skills can perform file writes, shell execution, or network access through MCP tools, defeating the purpose of the quarantine tier.

Proposed Fix

Check MCP tool capabilities at registration time in McpManager and either:

  • Reject dangerous MCP tools when effective_trust = Quarantined at dispatch time in TrustGateExecutor using a prefix/capability check, or
  • Add a per-server capability classification (safe / dangerous) to McpTool and gate on it in check_trust()
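The deny-list gap and the second proposed fix side by side, as an added illustration that is not the project's code: a naive check that only matches bare native IDs lets the server-prefixed MCP ID through, while a check that consults a capability classification recorded at registration blocks it (and fails closed on unclassified MCP tools). All type and function names here are assumptions, not the project's actual API.

```rust
// Added example, not the project's code. Names (Trust, Capability, registry
// layout, check_trust signature) are assumptions chosen for illustration.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Trust { Trusted, Quarantined }

/// Capability class assigned to each MCP tool when its server is registered.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Capability { Safe, Dangerous }

#[derive(Debug, PartialEq)]
pub enum ToolError { Blocked(String) }

/// Native tool IDs denied to quarantined skills (mirrors QUARANTINE_DENIED).
const QUARANTINE_DENIED: &[&str] = &["bash", "write", "fetch"];

/// Naive check: exact match against bare native IDs only. An MCP tool such as
/// "mcp_filesystem__write_file" never matches, so it is allowed through.
pub fn check_trust_naive(trust: Trust, tool_id: &str) -> Result<(), ToolError> {
    if trust == Trust::Quarantined && QUARANTINE_DENIED.contains(&tool_id) {
        return Err(ToolError::Blocked(tool_id.to_string()));
    }
    Ok(())
}

/// Look up the capability class recorded for an MCP tool at registration.
pub fn mcp_capability(registry: &[(&str, Capability)], tool_id: &str) -> Option<Capability> {
    registry.iter().find(|(id, _)| *id == tool_id).map(|(_, c)| *c)
}

/// Hardened check: quarantined skills are denied the native deny-list entries,
/// every MCP tool classified Dangerous, and every MCP tool with no
/// classification at all (unknown capability is treated as dangerous).
pub fn check_trust(
    registry: &[(&str, Capability)],
    trust: Trust,
    tool_id: &str,
) -> Result<(), ToolError> {
    if trust != Trust::Quarantined {
        return Ok(());
    }
    let denied = if tool_id.starts_with("mcp_") {
        !matches!(mcp_capability(registry, tool_id), Some(Capability::Safe))
    } else {
        QUARANTINE_DENIED.contains(&tool_id)
    };
    if denied { Err(ToolError::Blocked(tool_id.to_string())) } else { Ok(()) }
}
```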

Related

Labels: bug (Something isn't working), security (Security-related issue)