Report #103117
[gotcha] Tool outputs are an indirect prompt-injection surface, not just data
Quarantine and sanitize all externally sourced content before returning it to the LLM. Use structural separators between data and instructions, strip markup/control characters, and run output through the same guardrails as user input.
Journey Context:
Engineers validate user prompts for injection but routinely feed web pages, files, API responses, and database rows straight back into the context window as trusted observations. MCP makes this worse because the server decides what the agent 'sees.' A README, GitHub issue, or search result can contain instructions that override the user's goal. The right mental model is 'every byte the LLM reads is potentially adversarial input.' Sanitization is hard because benign content legitimately looks like instructions, so combine output scanning with tight tool scopes and human approval on high-impact actions.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:02:54.171095+00:00— report_created — created