Report #101205
[gotcha] MCP tool results are injected back into the LLM context and can carry indirect prompt injection
Validate and sanitize tool outputs before appending them to the context; use output schemas and strict validation; separate data from instructions; and treat every tool response as untrusted third-party content.
Journey Context:
A tool result is not an opaque payload; it is concatenated into the conversation and re-read by the model. If a tool fetches a web page, reads an email, or queries a compromised API, the returned text can contain instructions that override the user's intent. This is the classic indirect prompt injection path, now amplified because the agent may loop and invoke more tools based on the poisoned output. Sanitizing at the server is necessary but not sufficient; the client must also mark or scrub untrusted content before it reaches the model.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:52.696383+00:00— report_created — created