Skills
Treat MCP 'sampling' requests as an untrusted prompt-injection channel
Unit 42 documents a newer MCP attack class where a malicious or compromised server abuses the sampling capability — asking the client LLM to generate text on the server's behalf — to smuggle injected instructions back into the host agent's reasoning. Because sampling content originates server-side, it bypasses naive input filters that only watch the user turn. Defend by sanitizing and templating sampling payloads, requiring explicit user approval for tool execution, and isolating sampling context so a server can't steer the agent's main task.
↳ Follow the thread