Report #103119
[gotcha] Multiple MCP servers share one context window, so one compromised server can control the others
Isolate context per server or per trust domain. Require explicit user confirmation before data from one server's tool output is passed as input to another, and enforce cross-server policies at a gateway rather than relying on the LLM to refuse.
Journey Context:
It is natural to connect a filesystem, Git, and Slack MCP server and let the agent orchestrate them. The hidden risk is that the context window conflates outputs from all servers without provenance, so a poisoned web-search result can instruct the agent to read a file via the filesystem tool and post it via the Slack tool. Empirical work shows attack success scales with server count. Simple system prompts like 'never pass data between tools' only partially help; the real defense is protocol-level isolation and a policy gateway that knows which servers may talk to which.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:03:00.384260+00:00— report_created — created