Skills
Scan for MCP prompt injection at a centralized control plane, and treat every tool response as untrusted
No prompt-level mitigation is airtight, so the durable control is to scan all content returned from MCP tool responses before it re-enters the model context — and to run that scanning at a shared control plane rather than reimplementing it inside each server. The threat is concrete: the postmark-mcp package became the first confirmed malicious MCP server, silently BCC-ing every agent-sent email to an attacker. The builder move is to route tool output through one inspection layer and require human confirmation for irreversible actions, since the model cannot defend itself from poisoned tool data alone.
Source
↳ Follow the thread