Gemini CLI and Codex Level Up MCP Safety and Setup: Trust Prompts vs Auto-Install Skills

repo openai/codex main
> 2e57989 / March 6, 2026 / Daily Edition

Two CLI assistants walk into the same tooling bar. One checks IDs at the door; the other quietly installs the band’s gear before the show starts.

Gemini’s new “trust, but verify” moment

Gemini CLI is tightening the handshake with MCP (Model Context Protocol) tools by adding a trust flag and explicit MCP confirmation prompts before it lets a tool run. The vibe is less “sure, run anything” and more “tell me what you’re about to do.”

When an MCP server or tool requests an action, Gemini can stop and ask for permission in a way that matches how people actually work: allow once for a one-off call, or allow always when you’re ready to bless it for the long haul—scoped by server or by tool. In other words, you can permanently trust a specific tool on a specific server without giving a blank check to everything in the ecosystem.

How it feels in practice: a speed bump that saves you

In the middle of a late-night debugging sprint, the prompt is the point: Gemini makes the risky step visible. The confirmation flow turns MCP into a narrated sequence—something you can audit with your eyes before it touches files, networks, or external systems.

The “once vs always” choice is the key detail. It’s not just permission; it’s policy. You decide whether today’s experiment becomes tomorrow’s default.
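
The once/always decision described above can be sketched as a small default-deny gate. This is an added example, not Gemini CLI's code: the class, the answer strings, and the server and tool names are hypothetical, and it assumes a trust flag marks a server whose calls skip the prompt.

```javascript
// Added illustration, not Gemini CLI source; every name below is hypothetical.
class McpConfirmationGate {
  constructor({ trustedServers = [] } = {}) {
    this.trustedServers = new Set(trustedServers); // assumption: trust flag skips prompts
    this.alwaysServers = new Set(); // "allow always", server scope
    this.alwaysTools = new Set();   // "allow always", single tool on one server
    this.audit = [];                // every decision and where it came from
  }
  // JSON key keeps ("a", "b.c") and ("a.b", "c") distinct.
  static key(server, tool) { return JSON.stringify([server, tool]); }

  // ask(server, tool, args) returns "once", "always_tool", "always_server" or "deny".
  authorize(server, tool, args, ask) {
    const key = McpConfirmationGate.key(server, tool);
    let allowed = true;
    let source;
    if (this.trustedServers.has(server)) source = "trust-flag";
    else if (this.alwaysServers.has(server)) source = "always-server";
    else if (this.alwaysTools.has(key)) source = "always-tool";
    else {
      const answer = ask(server, tool, args);
      source = "prompt";
      if (answer === "always_server") this.alwaysServers.add(server);
      else if (answer === "always_tool") this.alwaysTools.add(key);
      else if (answer !== "once") allowed = false; // deny or unknown answer: fail closed
    }
    this.audit.push({ server, tool, allowed, source });
    return allowed;
  }
}

// Constructed scenario: scripted answers stand in for the interactive prompt.
function runDemo() {
  const answers = ["once", "always_tool", "deny", "yes"];
  let prompts = 0;
  const ask = () => answers[prompts++];
  const gate = new McpConfirmationGate({ trustedServers: ["local-docs"] });
  const calls = [
    ["github", "create_issue"], // prompt 1: once
    ["github", "create_issue"], // prompt 2: "once" was not remembered; now always_tool
    ["github", "create_issue"], // no prompt, covered by the tool-scoped grant
    ["github", "delete_repo"],  // prompt 3: tool-scoped grant does not cover it; deny
    ["local-docs", "search"],   // trust flag, no prompt
    ["github", "delete_repo"],  // prompt 4: unrecognised answer "yes" is refused
  ];
  const allowed = calls.map(([s, t]) => gate.authorize(s, t, {}, ask));
  return { allowed, prompts, audit: gate.audit };
}

console.log(runDemo().allowed);
```

The audit list records whether each call was allowed by a prompt, a standing grant, or the trust flag, which is the record to review when deciding whether an "always" grant should stay in place.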

Codex goes the other direction: make dependencies boring

Codex is aiming for a smoother runway. Instead of asking “do you trust this tool?” first, it asks “do you even have the tool installed?” by reading MCP dependencies declared in a project’s SKILL.json. If Codex finds required MCP servers missing, it prompts to install them right then—no scavenger hunt, no docs spelunking.

Approve the install and Codex doesn’t just set up the local project; it can update your global config so the MCP server is available the next time you need it. And for supported MCP servers that require authentication, Codex can even trigger an OAuth login flow to get you connected without manual token wrangling.

Two philosophies, one direction: fewer surprises

Put them side by side and the contrast is sharp: Gemini is building a permission model—trust flag plus confirmation prompts with allow once/always at the server/tool level—while Codex is building a dependency model—SKILL.json declares MCP needs, Codex installs missing servers, updates global config, and can kick off OAuth when needed.

Takeaway: Gemini is making MCP usage safer by forcing intent to be explicit at runtime, while Codex is making MCP adoption easier by turning setup into a guided, declarative install-and-auth flow. One reduces trust risk; the other reduces friction—and both reduce the odds of “wait, what just happened?”
