Vibe Coding
Pattern: Treat MCP Tool Output as an Untrusted Data Plane
Across the Sentry-event injection, mcp-wiki SSRF, and exposed-inspector disclosures, the common thread is that untrusted content flowing back through MCP tool results is the 2026 prompt-injection frontier — the payload arrives in what the model reads as 'trusted diagnostics,' not in the user's message. Harden by scoping credentials per server, never auto-loading repo-local MCP configs, binding local MCP dev tools to localhost with auth, and sanitizing/labeling tool output before it re-enters the context window.
↳ Follow the thread