How can a malicious MCP server inject instructions into the LLM via tool output?
Describe the indirect prompt injection attack vector available to a malicious MCP server. Why is this hard to prevent at the protocol level?
A malicious MCP server can hide instructions inside tool output; the model reads its whole context as one token stream and may obey them, and MCP defines no protocol-level defense.
Imagine you hire an assistant and tell them: do exactly what I write on my notes. Now a stranger slips a fake note into your pile that says 'go empty the safe and mail the cash to me.' Your assistant cannot tell which notes are really yours, because to them every note is just ink on paper. That is indirect prompt injection. The model reads its system prompt, your messages, and tool results as one big pile of text. A bad tool can return data that secretly contains commands, and the model may follow them. The pipe that carries the notes does not check what is written on them, so the protocol cannot stop it for you.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: define indirect injection via tool output, explain the flat-context data/instruction confusion, state that MCP is transport-only, then walk host plus model defenses and the honest limits of each.
| Layer | Can it stop injection? | Mechanism |
|---|---|---|
| MCP protocol | No | Pure JSON-RPC transport; never inspects content |
| Host application | Partially | Sandboxing, output delimiting, least privilege, human approval |
| Model | Partially | Instruction-hierarchy training, injection-resistant tuning |
| Egress and audit | Partially | Block exfiltration destinations, log and review tool actions |
Real products, models, and research that use this idea.
- Anthropic's MCP spec explicitly assigns trust and per-tool approval to the host, not the protocol, so Claude Desktop prompts the user before each tool call.
- The OWASP MCP Top 10, published in 2025, catalogs tool poisoning, rug pulls, and indirect prompt injection as primary MCP risks.
- Security researchers in 2025 demonstrated tool-poisoning attacks where hidden instructions in an MCP tool description made hosts leak files via a second tool.
- Frontier models such as Claude Opus 4.7 and GPT-5.5 add instruction-hierarchy training, yet vendors still document that indirect injection is not fully solved.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you architect a host so injected tool output cannot trigger irreversible actions?
QWhy does clearly delimiting tool output in the prompt help but not fully solve injection?
QHow do tool poisoning and rug pull attacks differ from injection via a tool result body?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Claiming MCP itself prevents this. The protocol is just a transport; it never inspects content, so defenses must live in the host and the model.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.