Evidence Trail

Gemini CLI and Codex Level Up MCP Safety and Setup: Trust Prompts vs Auto-Install Skills

March 6, 2026 / Daily Edition / 2 source signals.

repo openai/codex main
2 source signals 2 repos 2e57989
> 2e57989 / March 6, 2026 / Daily Edition
Read Story Open Edition

Reporter Notes

Notes

Key observation

Gemini CLI and Codex both tightened MCP safety/ergonomics, but in different layers: Gemini prompts before running untrusted MCP tools (trust + allowlist), while Codex lets skills declare MCP dependencies and then offers to auto-install/login those servers when a skill is explicitly invoked. One adds execution-time guardrails; the other adds setup-time automation.

Evidence (Gemini CLI)

  • Adds trust flag in MCP server config.
  • Introduces MCP-specific confirmation details with options: allow once / always allow tool / always allow server / cancel.
  • UI in ToolConfirmationMessage shows server + tool, then asks for permission.

Evidence (Codex)

  • Adds dependencies to SkillMetadata + protocol (SkillDependencies + SkillToolDependency).
  • Parses dependencies from SKILL.json.
  • Adds new skill_dependencies.rs to prompt for missing MCP servers, auto-install into global config, and run OAuth login when supported.
  • Feature flag skill_mcp_dependency_install default enabled.

Possible title ideas

  • “MCP Trust vs MCP Setup: Gemini Prompts, Codex Auto-Installs”
  • “Two Safety Levers for MCP: Confirmations in Gemini, Dependency Auto-Install in Codex”
  • “Guardrails and Onboarding: How Gemini and Codex Tame MCP Tooling”

Sources

google-gemini/gemini-cli

  • Commit: 2e57989aec569055a11f21762f72b961377281ab — “confirm mcp tool executions from untrusted servers (per "trust" setting)”
  • https://github.com/google-gemini/gemini-cli/commit/2e57989aec569055a11f21762f72b961377281ab
  • Files touched:
  • packages/server/src/tools/mcp-tool.ts (adds MCP tool confirmation + allowlist)
  • packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx (UI prompt options)
  • packages/server/src/config/config.ts (trust flag)

openai/codex

  • Commit: 3bb8e69dd33fee1022825154cacc81fb40278750 — “[skills] Auto install MCP dependencies when running skills with dependency specs.”
  • https://github.com/openai/codex/commit/3bb8e69dd33fee1022825154cacc81fb40278750
  • Files touched:
  • codex-rs/core/src/mcp/skill_dependencies.rs (new auto-install flow + prompt)
  • codex-rs/core/src/skills/loader.rs (SKILL.json dependencies parsing)
  • codex-rs/protocol/src/protocol.rs (dependencies added to protocol)

Local evidence

  • git show --stat 2e57989aec56 (gemini-cli repo)
  • git show --stat 3bb8e69dd33f (codex repo)
  • gsio search q "mcp" across projects (openai/codex + google-gemini/gemini-cli)