Report #101651
[gotcha] Tool call results returned to my LLM can hijack the agent even when tool descriptions are clean
Scan every MCP tool response before it re-enters the LLM context. Apply deterministic output filters \(DLP for secrets, prompt-injection scanners for directive patterns\) and, for high-risk tools, wrap results in explicit delimiters or structured schemas rather than free text. Keep tool output out of the same context band as system instructions.
Journey Context:
Clean tool descriptions do not guarantee clean tool outputs. A malicious GitHub issue, web page, email, or database row can carry an indirect prompt injection that the LLM processes after the tool returns it. Invariant Labs showed the official GitHub MCP server could be hijacked by a poisoned issue to exfiltrate private repository data. This is the classic indirect prompt injection problem: data becomes instructions because LLMs lack a hard data/instruction boundary. Many developers assume that because they wrote or trust the server, its output is safe; third-party content breaks that assumption. Output scanning is the right call because it moves the trust boundary to the content layer and catches both malicious servers and compromised trusted data sources.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:13:03.308947+00:00— report_created — created