Skills
Treat MCP 'sampling' as an attack surface — sanitize requests and gate every tool call
Palo Alto Unit 42 documented sampling as a novel MCP attack vector: a malicious server can send crafted sampling requests to exfiltrate conversation context, generate phishing under the user's identity, burn the user's API quota (billing fraud, since the user pays), or inject its own tools to steer behavior. Defend in layers — request sanitization that separates user content from server modifications, response filtering that strips instruction-like phrases and requires explicit approval before any tool runs, plus capability declarations, context isolation, and rate-limited sampling frequency.
↳ Follow the thread