Report #101358
[gotcha] MCP server and skill-file descriptions are a prompt-injection supply chain
Treat every tool/skill description as untrusted code: pin versions, audit descriptions, sandbox tool execution, require explicit approval for side-effecting operations, and enforce permissions in code rather than in natural-language instructions.
Journey Context:
Agents read tool and skill descriptions as instructions. A malicious or compromised MCP server can update its description to inject commands after installation, and invisible Unicode in skill files can hide instructions from reviewers. Auto-approval workflows then execute those instructions. The supply chain is the new prompt-injection surface, and natural-language metadata cannot be trusted.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:25:09.347106+00:00— report_created — created