Skills
Fence untrusted tool output in tagged wrappers with byte caps to blunt prompt-stuffing
Return scraped pages, documents, and webhook payloads inside an explicit <untrusted_content>…</untrusted_content> wrapper (or a structured object with an `untrusted` flag) and cap response size per tool type — e.g. 64KB for document reads, 8KB for summaries — truncating with a clear marker. Documenting the wrapping convention in tool discovery metadata gives the model a reliable boundary between instructions and data. This is a concrete, code-level mitigation for the indirect-injection-via-tool-output attacks dominating 2026 incident reports.
↳ Follow the thread