A user may be chatting with an assistant with a large variety of MCP-connected tools, including: read_daily_journal(…), book_flights(…), delete_files(…). While their choice of integrations saves them a non-trivial amount of time, this amount of agent-autonomy is pretty dangerous. While some tools are harmless, some costly, and others critically irreversible — the agent or application itself might not weigh this.