SecurityMay 5, 2026 · 6 min read

MCP tool descriptions are a security boundary, not documentation garnish

Most API documentation is written for humans.

MCP tool descriptions are different. They are read by the model that decides what to call next.

That means tool naming, descriptions, input schemas, and error messages are not cosmetic details. They are part of the safety boundary.

The model uses descriptions as operating context

An AI agent does not browse your internal runbook before choosing a tool. It sees the available tools, reads the names and descriptions, and decides which one fits the user request.

If the tool is named query, takes a free-form string, and says “run SQL against the database,” the model has very little operational guidance.

If the tool is named query_customer_usage_readonly, accepts structured filters, explains which tables are in scope, and states that it cannot modify data, the model has a much better contract.

Bad tool design creates risky behavior

Weak MCP tools tend to have the same smell:

  • generic names like run, execute, or helper,
  • wide input fields that accept arbitrary commands,
  • unclear descriptions that hide side effects,
  • no separation between read and write operations,
  • errors that are useful to humans but not actionable for agents.

That does not mean the model will always do something dangerous. It means the interface is asking the model to guess.

Production systems should not depend on guessing.

Database tools need especially clear contracts

Database access raises the stakes because the agent is no longer just retrieving a file or calling a toy endpoint. It is interpreting live operational data.

A safer database MCP tool should make boundaries obvious:

  • which database or schema it can use,
  • whether it is read-only,
  • which tables or views are approved,
  • which fields are sensitive,
  • how large results can be,
  • where the query and response are logged.

This is why scoped database access for AI agents matters. Scope should be in the tool design, not only in a prompt warning.

Descriptions should say when not to use the tool

The best tool descriptions include negative guidance.

For example:

Use this tool to answer aggregate customer usage questions from approved read-only views. Do not use it for billing exports, personal data lookup, schema changes, or destructive operations.

That kind of description helps the model route requests correctly. It also gives reviewers a concrete contract to evaluate.

Pair that with database permissions. A description is not a replacement for enforcement. It is the model-facing layer of the same boundary.

Errors are part of the interface

A generic “permission denied” error often causes an agent to retry, switch tools, or summarize failure badly.

A better error says what happened and what the safe next step is:

This request attempted to access a table outside the approved reporting scope. Ask an administrator to add the table to the approved view set, or reformulate the question using customer_usage_summary.

That keeps the agent inside the workflow instead of nudging it toward improvisation.

Where Conexor fits

Conexor helps teams expose databases and APIs as MCP-compatible tools for Claude, ChatGPT, Cursor, n8n, Continue, and other clients.

For production teams, the important work is not only connection setup. It is shaping the tool layer so AI clients get useful access without broad, ambiguous power.

Related reading: secure AI database access checklist, audit AI database queries, and Conexor security.

The practical rule

Do not treat MCP descriptions like comments in code.

Treat them like the model-facing part of your access policy.

If a tool can touch live data, its name, description, schema, and errors should make the safe path obvious and the unsafe path unavailable.

Review Conexor’s approach to secure AI data access →

Relay

Quick questions

Relay

Quick questions

Ask me