MCP tool responses join the LLM context as trusted tokens. A leaked API key or customer email becomes part of the prompt the model reads and logs.
