Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Describe the indirect prompt injection attack vector available to a malicious MCP server. Why is this hard to prevent at the protocol level?
A malicious MCP server can hide instructions inside tool output; the model reads its whole context as one token stream and may obey them, and MCP defines no protocol-level defense.
Imagine you hire an assistant and tell them: do exactly what I write on my notes. Now a stranger slips a fake note into your pile that says 'go empty the safe and mail the cash to me.' Your assistant cannot tell which notes are really yours, because to them every note is just ink on paper. That is indirect prompt injection. The model reads its system prompt, your messages, and tool results as one big pile of text. A bad tool can return data that secretly contains commands, and the model may follow them. The pipe that carries the notes does not check what is written on them, so the protocol cannot stop it for you.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: define indirect injection via tool output, explain the flat-context data/instruction confusion, state that MCP is transport-only, then walk host plus model defenses and the honest limits of each.
| Layer | Can it stop injection? | Mechanism |
|---|---|---|
| MCP protocol | No | Pure JSON-RPC transport; never inspects content |
| Host application | Partially | Sandboxing, output delimiting, least privilege, human approval |
| Model | Partially | Instruction-hierarchy training, injection-resistant tuning |
| Egress and audit | Partially | Block exfiltration destinations, log and review tool actions |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Claiming MCP itself prevents this. The protocol is just a transport; it never inspects content, so defenses must live in the host and the model.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.