Report #103613
[gotcha] Tool inputSchema descriptions can smuggle hidden instructions and overly permissive parameters
Validate schemas for security, not just JSON Schema correctness. Reject property descriptions that contain imperatives, secret-harvesting hints, or parameters named like sidenote/extra/debug, and flag schemas that allow arbitrary strings where paths, commands, or URLs will be executed.
Journey Context:
Client developers often run jsonschema.validate and stop there. Attackers then hide the injection in property descriptions or add a catch-all string field the model fills with private data. Scanning at registration time catches the obvious cases; requiring a human to review deltas catches the rest. This is the missing layer between 'the server sent valid JSON' and 'this tool is safe to expose to the model.'
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:39.350138+00:00— report_created — created