This is way more common with popular MCP server/agent toolsets than you would think.
For those interested in some threat modeling exercise, we recently added a feature to mcp-scan that can analyze toolsets for potential lethal trifecta scenarios. See [1] and [2].
[1] toxic flow analysis, https://invariantlabs.ai/blog/toxic-flow-analysis
[2] mcp-scan, https://github.com/invariantlabs-ai/mcp-scan