Report #103939
[gotcha] Third-party tool response contains injected instructions that the agent executes
Treat every tool response as untrusted data: validate against a fixed JSON schema, sanitize free-text before it re-enters the LLM context, and isolate privileged tools from external-server outputs.
Journey Context:
Tool responses are passed straight into the LLM context as trusted context, creating a runtime channel attackers control. A malicious server can return a fake compliance directive that triggers a privileged file-read or exfiltration. Schema validation and response isolation are deterministic; asking the model to ignore injected instructions is not, because the model cannot reliably distinguish data from instructions in free text. MCP's shared-context design makes isolation essential.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:57:46.520873+00:00— report_created — created