diff --git a/packages/mcp/src/tools/devices/start-claude-session/start-claude-session.ts b/packages/mcp/src/tools/devices/start-claude-session/start-claude-session.ts
index fc6743c920c..a15a244523c 100644
--- a/packages/mcp/src/tools/devices/start-claude-session/start-claude-session.ts
+++ b/packages/mcp/src/tools/devices/start-claude-session/start-claude-session.ts
@@ -133,7 +133,7 @@ export function register(server: McpServer) {
 		"start_claude_session",
 		{
 			description:
-				"Start an autonomous Claude Code session for a task in an existing workspace. Launches Claude with the task context in the specified workspace.",
+				"Start an autonomous Claude Code session for a task in an existing workspace. Launches Claude with the task context in the specified workspace. The target device must belong to the current user.",
 			inputSchema: {
 				deviceId: z.string().describe("Target device ID"),
 				taskId: z.string().describe("Task ID to work on"),
@@ -172,7 +172,7 @@ export function register(server: McpServer) {
 		"start_claude_subagent",
 		{
 			description:
-				"Start a Claude Code subagent for a task in an existing workspace. Adds a new terminal pane to the active workspace instead of creating a new one. Use this when you want to run Claude alongside your current work.",
+				"Start a Claude Code subagent for a task in an existing workspace. Adds a new terminal pane to the active workspace instead of creating a new one. Use this when you want to run Claude alongside your current work. The target device must belong to the current user.",
 			inputSchema: {
 				deviceId: z.string().describe("Target device ID"),
 				taskId: z.string().describe("Task ID to work on"),
diff --git a/packages/mcp/src/tools/utils/utils.ts b/packages/mcp/src/tools/utils/utils.ts
index 5578a2641a9..8d9b7412b6b 100644
--- a/packages/mcp/src/tools/utils/utils.ts
+++ b/packages/mcp/src/tools/utils/utils.ts
@@ -70,6 +70,18 @@ export async function executeOnDevice({
 		};
 	}
 
+	if (device.userId !== ctx.userId) {
+		return {
+			content: [
+				{
+					type: "text" as const,
+					text: `Error: Device ${deviceId} does not belong to you. You can only execute commands on your own devices.`,
+				},
+			],
+			isError: true,
+		};
+	}
+
 	const [cmd] = await db
 		.insert(agentCommands)
 		.values({