
[BUG] Elicitation doesn't work properly for tools that may expose secrets

Open tmeschter opened this issue 1 month ago • 3 comments

Describe the bug

There are multiple overlapping issues in the code, but the end result is that tools that are supposed to use elicitation to protect secret/sensitive data don't actually ask for confirmation in the expected way and ignore the user's input anyway.

Expected behavior

When using the key vault tools to retrieve the value of a secret, the code in BaseToolLoader.HandleSecretElicitationAsync tries to create an elicitation request that requires the user to type 'yes' into a text box before proceeding.

Actual behavior

What the user actually sees is a check box (which is missing a title, though it has a description) asking for confirmation. Further, the value of the check box is ignored: if the user does not click the box but "submits" the data instead of cancelling the request, the secret value will still be retrieved and passed to the LLM.

Here's what it looks like in VS 2022:

Image

Reproduction Steps

  1. Use the key vault tools to retrieve the value of a secret in a key vault.

Environment

I was working in VS 2022 (version 17.14.20) but the same elicitation request is passed to VS Code and other clients.

tmeschter avatar Nov 19 '25 20:11 tmeschter

Further details:

  1. The ElicitationSchema.CreateSecretSchema seems to be trying to create a "password" elicitation property named "confirmation".
  2. Later we call McpServerElicitationExtensions.RequestElicitationAsync which tries to convert this to the JSON shapes required by the MCP protocol, via ConvertToRequestSchema. However, ConvertToRequestSchema doesn't traverse the requested object properly and so doesn't actually convert any of the specified elicitation properties. It ends up in a fallback path where it creates a boolean, which is where the check box in VS comes from.
  3. Even if it did traverse the object properly, it replaces any elicitation property named "confirmation" with a check box anyway. Every other property would be dropped.
  4. Back in HandleSecretElicitationAsync the user's input is completely ignored; the only way to block disclosing the secret is to hit the cancel button.

tmeschter avatar Nov 19 '25 20:11 tmeschter
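The two defects listed above (a schema conversion that never visits the declared properties, and a handler that disregards the user's answer) are easiest to see next to a version that gets both right. The block below is an added example, not code from this repository; it is written in Python rather than the project's C#, and every name in it (`to_request_schema`, `confirmed`, `get_secret_with_confirmation`, `ElicitResult`) is hypothetical. It assumes the MCP elicitation result shape of an `action` of "accept", "decline" or "cancel" plus a `content` object holding the submitted values, and the request shape of an object schema with `properties` and `required`.

```python
"""Hypothetical confirmation gate for a tool that can disclose a secret.

Added example; names and shapes are assumptions, not the project's code.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict


@dataclass
class ElicitResult:
    """Constructed stand-in for an MCP elicitation result (assumed shape)."""
    action: str                                   # "accept", "decline" or "cancel"
    content: Dict[str, Any] = field(default_factory=dict)


# In-process description of what the tool wants to ask. A text property,
# so the client renders a text box rather than a check box.
SECRET_CONFIRMATION_SCHEMA: Dict[str, Dict[str, Any]] = {
    "confirmation": {
        "type": "string",
        "title": "Confirm secret disclosure",
        "description": "Type 'yes' to send this secret value to the model.",
    }
}


def to_request_schema(props: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Walk every declared property and emit the object schema carried by
    an elicitation request. No property is dropped and there is no
    hard-coded boolean fallback: the declared type is what the client sees."""
    out: Dict[str, Any] = {"type": "object", "properties": {}, "required": []}
    for name, spec in props.items():
        prop: Dict[str, Any] = {"type": spec["type"]}
        for key in ("title", "description"):
            if key in spec:
                prop[key] = spec[key]
        out["properties"][name] = prop
        out["required"].append(name)
    return out


def confirmed(result: ElicitResult) -> bool:
    """Disclosure is allowed only when the user accepted the request AND
    actually typed 'yes'. Submitting an empty form, declining, or
    cancelling all evaluate to False."""
    if result.action != "accept":
        return False
    value = result.content.get("confirmation")
    return isinstance(value, str) and value.strip().lower() == "yes"


def get_secret_with_confirmation(
    elicit: Callable[[str, Dict[str, Any]], ElicitResult],
    fetch_secret: Callable[[str], str],
    secret_name: str,
) -> Dict[str, str]:
    """Ask first, check the answer, and only then touch the secret store."""
    schema = to_request_schema(SECRET_CONFIRMATION_SCHEMA)
    result = elicit(f"Reveal the value of secret '{secret_name}'?", schema)
    if not confirmed(result):
        # The secret is never fetched, so nothing can leak to the model.
        return {"error": "secret disclosure was not confirmed by the user"}
    return {"value": fetch_secret(secret_name)}


if __name__ == "__main__":
    # Constructed client stubs: one submits the form without typing anything
    # (the case the bug report says currently still discloses the secret),
    # the other types 'yes'.
    def submits_empty_form(_msg: str, _schema: Dict[str, Any]) -> ElicitResult:
        return ElicitResult("accept", {})

    def types_yes(_msg: str, _schema: Dict[str, Any]) -> ElicitResult:
        return ElicitResult("accept", {"confirmation": "yes"})

    def fake_vault(name: str) -> str:
        return f"<constructed value of {name}>"

    print(get_secret_with_confirmation(submits_empty_form, fake_vault, "db-password"))
    print(get_secret_with_confirmation(types_yes, fake_vault, "db-password"))
```

The important design point is that `fetch_secret` is only called after `confirmed` returns True, so the secret never exists in the tool's process unless the user both accepted and typed the expected word; a client that renders the property as something other than a text box cannot weaken that check.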

@vcolin7 please prioritize fixing this and backporting to 1.x.

/cc @xiangyan99

joshfree avatar Nov 20 '25 16:11 joshfree

@vcolin7 please include this in the 1.0.1 November patch release

joshfree avatar Nov 20 '25 16:11 joshfree