Skills
Require confirmation for state-mutating MCP tools after an untrusted-content read
A concrete prompt-injection containment rule: when a tool ingests untrusted content (scraped pages, webhook payloads, document bodies) and a state-mutating tool is called in the same turn, force explicit confirmation before executing. Pair it with allow-listing outbound HTTP from handlers and a per-tool kill switch — a feature flag that disables one tool while the catalog keeps working, cutting remediation from hours to minutes. Treat every byte a tool returns as adversary-authored.
↳ Follow the thread