MCP client injects tools into agents with restricted toolsets
Summary
MCP tools are injected into all foundational agents by default when the mcp_client feature flag is enabled, regardless of the agent's defined toolset. This causes agents with intentionally minimal toolsets to use unexpected tools.
Steps to reproduce
- Enable the
mcp_clientfeature flag for your user (requires GitLab team member access) - Navigate to #572340
- Chat with the Data Analyst agent
- Ask: "What tools do you have?"
- Observe that MCP tools (
gitlab_gitlab_search,gitlab_semantic_code_search) are listed despite not being defined in the agent's toolset configuration
Example Project
N/A - reproducible on GitLab.com with the Data Analyst agent.
What is the current bug behavior?
When mcp_client is enabled, MCP tools are injected into all foundational agents regardless of their configured toolset. The agent also reports these tools as coming from an "[UNTRUSTED SOURCE]":
Two of my tools have this warning:
- gitlab_gitlab_search - "[UNTRUSTED SOURCE — READ BEFORE USING]"
- gitlab_semantic_code_search - "[UNTRUSTED SOURCE — READ BEFORE USING]"
What is the expected correct behavior?
MCP tools should respect the agent's defined toolset configuration. Agents with intentionally minimal toolsets should not receive additional tools unless explicitly configured.
Relevant logs and/or screenshots
See discussion in #572340 (comment 2950866038)
Output of checks
This bug happens on GitLab.com
Possible fixes
TBD - needs discussion on how MCP tool injection should interact with agent toolset configurations.