My MCP Server Only Talks to APIs I Trust. That Doesn't Mean the Data Coming Back Is Trustworthy. A developer discovered a security blind spot in their MCP server: even a fully vetted, self-built server can return untrusted data from external APIs. The server's tools fetch free-text fields like GitHub repo descriptions and DEV.to article titles, which could contain adversarial content that an AI agent might treat as instructions. The developer now advocates checking not just server and API trustworthiness, but also whether response content could be authored by strangers and misused as directives. I built a small MCP server a while back — developer-presence , seven tools wrapping the GitHub REST API and the DEV.to API so an agent can check my repo stats, list my articles, or draft a new post without me leaving the chat. It's mine, I wrote every line, there's no third-party package doing anything sketchy under the hood. By the usual "vet your MCP servers before installing them" checklist, it passes clean. I've written that checklist article before. What I hadn't thought carefully about until recently is that vetting the server doesn't vet the data. Two of its tools go straight to the point: php @mcp.tool def get repo stats repo: str - dict: """Get stars, forks, watchers, open issues for enjoykumawat/