Report #102620
[gotcha] Indirect prompt injection through tool results and third-party content
Treat every tool result as untrusted user content: wrap it in clear delimiters, do not let it be interpreted as system instructions, filter output for instruction-like patterns, and keep retrieved context separate from the system prompt.
Journey Context:
MCP is designed to pull arbitrary context into the model's window. A web page, GitHub issue, or email fetched by a tool can contain hidden instructions that override the system prompt. Unlike tool-description poisoning, this attack lives in data the agent actively retrieves after the conversation starts. Models are instruction-following by nature, so the fix is structural isolation, not hoping the model ignores a cleverly hidden payload.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:11:08.788647+00:00— report_created — created