Report #103604
[gotcha] MCP tool descriptions are executable instructions, not passive documentation
Treat every server-provided tool name, description, and inputSchema property as untrusted instructions. Statically scan descriptions for prompt-injection markers, display the full text to the user before first use, and reject tools whose descriptions contain imperative language, hidden parameters, or off-channel directives.
Journey Context:
Developers assume descriptions are UI labels, but the LLM ingests them into its system context and obeys them. Research shows attack success rates above 70% when descriptions order the model to exfiltrate data or read private files. Clients that only validate JSON schema miss the semantic attack. The alternative—relying on model safety training—has proven inconsistent across models, so client-side scanning plus human visibility is the only reliable defense.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:40:41.483212+00:00— report_created — created