Description
The current documentation is unclear about whether plugins that include MCP servers automatically grant Claude permission to use those MCP server tools, or whether they go through the standard permission system.
Problem
When reading the documentation for plugins with MCP servers, it's ambiguous whether:
- Automatic Permission: Plugin MCP tools are automatically permitted when the plugin is enabled, or
- Standard Permission System: Plugin MCP tools still go through the standard permission system (permission rules, hooks, `canUseTool` callback, user prompts)
The documentation states that "Plugin MCP servers start automatically when the plugin is enabled" and "Servers appear as standard MCP tools in Claude's toolkit" — but this doesn't clarify the permission behavior.
Specific Questions
- If my plugin includes an MCP server (defined in `.mcp.json` or inline in `plugin.json`), does Claude automatically get permission to use those MCP tools without user approval?
- Do plugin MCP tools bypass the `canUseTool` callback or permission rules?
- Is there a way to make plugin MCP tools require explicit user approval vs. auto-approve?
Requested Updates
Please update the plugin documentation to explicitly clarify:
- Whether plugin MCP tools go through the standard permission system or have automatic permissions
- How to control permissions for plugin MCP tools (if configurable)
- Any security considerations for plugins that include MCP servers
Relevant Documentation Pages
Impact
This ambiguity makes it difficult for developers to understand the security model of plugins with MCP servers, which is critical for building safe and predictable agent applications.
Thank you!